
I am trying to get a cookie (and the rest of the page) from a web site with cookie verification using the requests library, but it fails on SSL certificate verification:

HTTPSConnectionPool(host='***host***', port=443): Max retries exceeded with url: ***url*** (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')))

I know (from here) that I can bypass it using verify=False, but that is IMHO a very insecure way. I also know that there is a way to get and parse certificates (from here), but this way is very much overkill for me. I should also note that I have certifi installed by pip install certifi, but it is not doing a thing from my POV.

Do you know how to fix this? Thx for answers!

My Code:

    import requests

    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36'
    }
    # verify=True is the default: the server certificate chain is checked against the CA bundle
    r = requests.get('https://secure.ulrichsw.cz/estrava/', headers=headers, verify=True)
    session_id = r.cookies['PHPSESSID']
    print(session_id)
dejf
  • There are many similar questions here which also have answers. They usually have answers since they provide more details about the server and make it possible for others to reproduce the problem. It is unknown what the problem is in your specific case but likely a missing root CA, intermediate certificates not sent by the server or a self-signed certificate used by the server. More details cannot be given due to a lack of details in your question (like name of server). – Steffen Ullrich Mar 10 '20 at 21:31

1 Answer


Let me preface this by saying you don't want to do this unless you are/know the issuer of the certificate on that remote server, and you are confident that it's a valid system. Don't simply assume that it's just a legitimate service with a bad cert (that you want to use.)

You would need the CA bundle that corresponds to that certificate, then follow these directions:

https://requests.readthedocs.io/en/stable/user/advanced/#ssl-cert-verification

Hint: Use the .pem file from your self-signed certificate. Or provide a pem file with the server's cert along with any intermediate certificates.

You can also point verify= to a directory, and stick all the certs inside it.

chander
  • I am sure it is a valid service, but I also think this is a client side problem. Should I then assume that the verify=False option is the best solution? – dejf Mar 10 '20 at 21:58
  • @dejf: `verify=False` is almost never a good option. Even if you are sure that you connect to the correct server now you will not realize with this option if the certificate has changed because some man in the middle is attacking you. Solve the underlying problem (see my comment) instead of essentially disabling all security. – Steffen Ullrich Mar 11 '20 at 10:43
  • Get the certs for the service you are connecting to/using and then set verify= to the file that contains them. This isn't an uncommon issue - organizations often will have their own internal signing authority and often have included them as trusted in default images. So app developers need to do the same to trust those certs. – chander Mar 14 '20 at 02:18
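
One way to apply the advice above while keeping verification on, as an added example that is not part of the original answer or comments: append the issuer's CA or intermediate certificate (a PEM file you obtained from the issuer) to certifi's roots and point `verify=` at the combined file. The function names and file names are hypothetical.

```python
import re
import ssl
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def pem_blocks(text):
    """Return the decoded (DER) body of every certificate block in PEM text."""
    return [ssl.PEM_cert_to_DER_cert(block) for block in PEM_RE.findall(text)]

def build_bundle(base_pem, extra_pem, out_path):
    """Write base CAs plus the extra CAs, deduplicated; return the cert count."""
    extra = pem_blocks(extra_pem)
    if not extra:
        raise ValueError("extra_pem contains no CERTIFICATE block")
    seen, out = set(), []
    for der in pem_blocks(base_pem) + extra:
        if der not in seen:          # skip CAs that are already in the bundle
            seen.add(der)
            out.append(ssl.DER_cert_to_PEM_cert(der))
    Path(out_path).write_text("".join(out), encoding="ascii")
    return len(out)

def trusted_session(extra_ca_file, out_path="combined-ca.pem"):
    """Session that trusts certifi's roots plus the CAs in extra_ca_file."""
    import certifi    # imported here so build_bundle works without them
    import requests
    build_bundle(Path(certifi.where()).read_text(encoding="utf-8"),
                 Path(extra_ca_file).read_text(encoding="utf-8"), out_path)
    session = requests.Session()
    session.verify = str(out_path)   # verification stays on, with the extra CA
    return session

if __name__ == "__main__":
    # Constructed placeholder blocks, not real certificates; they only show the merge.
    root = ssl.DER_cert_to_PEM_cert(b"constructed-public-root")
    internal = ssl.DER_cert_to_PEM_cert(b"constructed-internal-ca")
    print(build_bundle(root, internal + root, "demo-bundle.pem"))  # 2
```

With a real issuer file, `trusted_session("issuer-ca.pem").get(url, headers=headers)` replaces the `requests.get(..., verify=True)` call from the question.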