0

I have already tried the following and seems it is not related:

  • Upgrading certifi using: pip3 install --upgrade certifi

  • Disabling pythons http check using: export PYTHONHTTPSVERIFY=0 and then running the script

  • Updating and exporting the correct env. variable:

    sudo update-ca-certificates --fresh

    export SSL_CERT_DIR=/etc/ssl/certs

I'm using Python3.6.9 This is the output of the ssl paths:

> python3 -c 'import ssl; print(ssl.get_default_verify_paths())'
> DefaultVerifyPaths(cafile=None, capath='/usr/lib/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/lib/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/lib/ssl/certs')

The script I'm trying to run is a simple post request using requests:

r = requests.post(url, data=data, headers=headers)

Using data and headers that worked perfectly well until the change of certificates. The script is trying to connect to an API hosted on the same server

Here is the full error output:

Traceback (most recent call last):
  File "/home/montredo/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 677, in urlopen
    chunked=chunked,
  File "/home/montredo/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/home/montredo/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 978, in _validate_conn
    conn.connect()
  File "/home/montredo/.local/lib/python3.6/site-packages/urllib3/connection.py", line 371, in connect
    ssl_context=context,
  File "/home/montredo/.local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 384, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

Has anyone had this issue still happen after trying all above solutions?

johan855
  • 1,578
  • 4
  • 26
  • 51
  • *"... worked perfectly well until the change of certificates."* - so likely the problem is caused by improperly changing the certificates. Check the target site with [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html) and look especially for chain issues. – Steffen Ullrich Oct 06 '20 at 17:39
  • 1
    (1) `sudo update-ca-certificates` doesn't accomplish anything unless you have updated the system (not pip) package(s) or manually changed `/usr/local/share/ca-certificates` which you don't mention (2) _python_ defaults to the system store (/usr/lib/ssl/certs = /etc/ssl/certs) but _requests_ with certifi does NOT; see dupe https://stackoverflow.com/questions/42982143/python-requests-how-to-use-system-ca-certificates-debian-ubuntu/42982144 – dave_thompson_085 Oct 06 '20 at 18:21
  • I in the end used SSLLabs as Steffen sugested, it was a missing intermediate certificate. – johan855 Oct 08 '20 at 16:45

0 Answers0