2

I'm new to Python and have been struggling with this for hours now, so I thought perhaps someone within the community would be able to help.

I have a self-signed certificate from a 3rd party enterprise who is not a valid CA, which is fine.

I've created a .p12 and I'm SUCCESSFULLY able to connect to said 3rd party's HTTP server using C# and .NET (great).

Using the same .p12, I'm able to create a keystore, import the key, and successfully connect to the 3rd party's HTTP server using Java HttpsURLConnection (also great).

Unfortunately, it is not trivial at all to do this in Python!

I have followed these instructions to split the .p12 into a key.pem and a cert.pem: https://www.ibm.com/support/knowledgecenter/en/SSZRJV_10.1.0/admin_guide/pac_x509_web_services_python_convert.html

I have tried the following Python http libraries to try to make the connection (as imports below):

  • import requests
  • from http.client import HTTPSConnection
  • import httplib2

Code snippet using requests:

```python
import requests

# cert= supplies the client certificate and its unencrypted private key
r = requests.get(url, cert=('crt.pem', 'key_nopass.pem'))
print(r.text)
```

Code snippet using httplib2 (and from the IBM example): https://www.ibm.com/support/knowledgecenter/SSZRJV_10.1.0/admin_guide/pac_x509_web_services_test.html

```python
import httplib2
http = httplib2.Http()
http.add_certificate('key_nopass.pem', 'crt.pem', '')
response, content = http.request(url, 'GET')
print(content)
```

Using any of these libraries, I get the following error:

```
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
```

I would appreciate it if anyone can point me in the right direction or tell me what I'm doing wrong. Quite frustrating since, as I mentioned, the same simple HTTP calls work from C# and Java without issue (so I know the p12 and certs are valid).

I've tried + used many different Stack Overflow posts to no avail.

Thanks

PS @Steffen Ulrich, it's not a duplicate at all. The post you linked to says to use the CA file. I wasn't required to use a CA file for Java or C#. So if you can please explain the process of creating the CA file (that apparently Python needs) then that would be great.

Additionally, the post you link to mentions nothing of the crt.pem and key.pem, which is hard to believe that it's not required.

TF Newby
  • did you find [how-to-get-python-requests-to-trust-a-self-signed-ssl-certificate](https://stackoverflow.com/questions/30405867/how-to-get-python-requests-to-trust-a-self-signed-ssl-certificate) – Patrick Artner Jun 20 '18 at 15:45
  • yes, unfortunately that link is not helpful enough. see my requests code snippet. I've tried verify as well as an argument with crt.pem but it doesn't work – TF Newby Jun 20 '18 at 15:51
  • pity. Nice post though :) hope you get helped – Patrick Artner Jun 20 '18 at 15:52
  • 2
    @SteffenUlrich, it's not a duplicate at all. Please see my Edit – TF Newby Jun 20 '18 at 16:30

1 Answer

0

Try to use 'get-cert'.

yourcode.py:

```python
import requests
r = requests.get(url)
print(r.text)
```

Now install the get-cert package and run the code:

```shell
pip3 install get-cert
python3 -m get_cert https://your.example.net > cert.pem
# requests reads its CA bundle path from REQUESTS_CA_BUNDLE
REQUESTS_CA_BUNDLE=./cert.pem python3 yourcode.py
```
MichalMazurek
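
An added example, not part of the original answer and not code from requests or get-cert: in requests, `cert=` is the client identity sent to the server, while `verify=` (or `REQUESTS_CA_BUNDLE`) names the trust anchor used to check the server's certificate, and "certificate verify failed" concerns the latter. The sketch below saves the server certificate as that trust anchor only after comparing its SHA-256 fingerprint with one obtained from the third party out of band; the function names and the `fetch` parameter are hypothetical, and the file names are the ones from the question.

```python
import hashlib
import hmac
import ssl


def sha256_fingerprint(pem: str) -> str:
    """Hex SHA-256 of the DER encoding of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def pin_server_cert(host, port, expected_fp, out_path,
                    fetch=ssl.get_server_certificate):
    """Fetch the server certificate; save it only if it matches expected_fp.

    ssl.get_server_certificate() does not validate what it receives, so the
    fingerprint comparison is the actual trust decision. `fetch` is a
    hypothetical hook so the function can be exercised without a network.
    """
    pem = fetch((host, port))
    want = expected_fp.replace(":", "").strip().lower()
    got = sha256_fingerprint(pem)
    if not hmac.compare_digest(got, want):
        raise ValueError(f"fingerprint mismatch for {host}:{port}: got {got}")
    with open(out_path, "w") as fh:
        fh.write(pem)
    return out_path


def get_with_client_cert(url, server_ca_pem,
                         client_cert_pem="crt.pem",
                         client_key_pem="key_nopass.pem"):
    """GET with both halves of the TLS setup configured explicitly."""
    import requests  # imported here so the helpers above work without requests
    return requests.get(
        url,
        verify=server_ca_pem,                    # trust anchor for the server
        cert=(client_cert_pem, client_key_pem),  # client identity
        timeout=10,
    )
```

Hostname checking still applies with a pinned certificate, so the name in the URL has to match a name in the server's certificate.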