I've generated a self-signed certificate in Windows Server 2012 R2 [WSUS Server - 10.66.194.98] [Dec15.cer] and enabled SSL in all of the 'WSUS Administration' website. Now I want to use this in Python code to contact the server.

Dec15.cer

And I'm running into below error

```
ERROR: Host not reachable [HTTPSConnectionPool(host='10.66.194.98', port=8531): Max retries exceeded with url: /ApiRemoting30/WebService.asmx (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)'),))]
```

This is what I tried.

```
wsusutil.exe configuressl 10.66.194.98
```

Then I copied Dec15.cer to the Python root directory and ran the code below:

```python
from requests import Session
from requests_ntlm import HttpNtlmAuth

user = 'administrator'
password = '******'
session = Session()
session.cert = session.verify = 'Dec15.cer'
# session.verify = False
session.auth = HttpNtlmAuth(user, password)
print(session.get("https://10.66.194.98:8531/ApiRemoting30",
              verify=session.verify,
              cert=session.cert))
```
Nishabu
  • The `cert` parameter is for a client certificate (which also needs a matching private key) and not for a CA certificate. Also, the value given in `verify` must be a CA certificate (or multiple CA certificates) and it is unclear what your `Dec15.cer` actually contains. A simple leaf certificate will not work. – Steffen Ullrich Dec 27 '18 at 08:33
  • Be careful, there is a difference between `verify` and `cert`. http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification – KC. Dec 28 '18 at 06:29
  • @SteffenUllrich Dec15.cer is actually a self-signed certificate I've generated from IIS and bound to the WSUS Administration web site. I simply saved the certificate to a cer file and copied it to the Python build. It seems Python is not honoring the certificate. – Nishabu Jan 01 '19 at 09:42
  • @kcorlidy thanks. I would like to know how an IIS-generated self-signed certificate can be used in Python. – Nishabu Jan 01 '19 at 09:43
  • @AlenNishabu: it is still unclear what `Dec15.cer` actually contains. I would suggest to actually provide the file (a cert contains only public data, not the private key) so that one can have a closer look. – Steffen Ullrich Jan 01 '19 at 11:10
  • thanks @SteffenUllrich, I've added the link for Dec15.cer file https://drive.google.com/open?id=1ynjO8Kbai29U7cTiW42cvmE96pUz-9J2 – Nishabu Jan 01 '19 at 12:20

1 Answer

While the certificate in question Dec15.cer is a self-signed certificate it does not have basic constraints CA:true:

```
$ openssl x509 -text -in Dec15.cer 
...
    X509v3 extensions:
        X509v3 Key Usage: 
            Key Encipherment, Data Encipherment
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
```

But, as I already said in a comment, the certificates given to the verify parameter in requests must be CA certificates, i.e. have basic constraints CA:true.

Steffen Ullrich
  • So basically there is no way to make Python 3 trust a self-signed certificate? – Jing He May 16 '21 at 12:43
  • @JingHe: Looks like that with Python 3.10 they finally exposed the X509_V_FLAG_PARTIAL_CHAIN flag - see https://bugs.python.org/issue40849. With this flag it should be possible to set [SSLContext.verify_flags](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.verify_flags) so that it can handle certificates with CA:false in the trust store. – Steffen Ullrich May 16 '21 at 15:32
  • Thanks a lot! @SteffenUllrich – Jing He May 17 '21 at 06:42