Python Requests SSL error: hostname doesn't mactch either of

Question

I'm trying to connect to one of my internal services at: https://myservice.my-alternative-domain.com through Python Requests. I'm using Python 3.6

I'm using a custom CA bundle to verify the request, and I'm getting the next error:

SSLError: hostname 'myservice.my-domain.com' doesn't match either of 'my-domain.com', 'my-alternative-domain.com'

The SSL certificate that the internal service uses has as CN: my-domain.com, and as SAN (Subject Alternative Names): 'my-domain.com', 'my-alternative-domain.com'

So, I'm trying to access the service through one of the alternative names (this has to be like this and it's not under my control)

I think the error is correct, and that the certificate should have also as SAN:

'*.my-alternative-domain.com'

in order for the request to work.

The only thing that puzzles me is that I can access the service through the browser.

Can somebody confirm the behavior of Python Requests is correct?

This is how I call the service:

response = requests.get('https://myservice.my-alternative-domain.com', params=params, headers=headers, verify=ca_bundle)

Thanks

Have you tried setting SSL verify to false? See https://stackoverflow.com/questions/15445981/how-do-i-disable-the-security-certificate-check-in-python-requests for more details — scorpGoku, Sep 17 '19 at 10:44
If I set SSL verfiy to false, it works. But I want the verification to work with my custom CA bundle. It's a requirement for me. — rugobal, Sep 17 '19 at 10:50
I think you need to provide both more details about your certificate (CN, SAN) and your code. — Steffen Ullrich, Sep 17 '19 at 10:54
The CN is: 'my-domain.com'. the SAN are: 'my-alternative-domain.com' and 'my-domain.com. I'll update the question with this and the code — rugobal, Sep 17 '19 at 11:07
The way you describe it the behavior of requests is correct. Are you sure that the browser gets exactly the same certificate and visits exactly the same site? — Steffen Ullrich, Sep 17 '19 at 11:23
Yes @Steffen, it seems so. And that's what really intrigues me. The service is deployed using Kubernetes, if that information is any relevant — rugobal, Sep 17 '19 at 11:30

score -3 · Accepted Answer · answered Sep 17 '19 at 10:52

-3

pass verify as false might work

x=requests.get(-----,verify=false)

answered Sep 17 '19 at 10:52

venkatadileep

183
7

1

I want to verify the request with my CA Bundle, that's the whole point – rugobal Sep 17 '19 at 10:53
1

NEVER disable certificate verification. You nullify almost all usefulness of TLS then, and you might as well revert back to plain text. – Patrick Mevzek Sep 17 '19 at 15:36

Python Requests SSL error: hostname doesn't mactch either of

1 Answers1