
I am currently trying to make a simple GET request with Python to an ASP.NET Core (.NET 5) API. The API is running on Kestrel with default settings (HTTPS only, HTTP 1 and 2 allowed).

Problem

The problem is that my call of

r = requests.get("https://localhost:5001/api/authentication", params=payload, verify='../browser_exported.cer')

produces the well-known error of

(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

When I disable verification via verify=False, everything works as expected, but this is not a viable solution in my case.

What I tried so far

  • Using verify=False which works but is not a solution
  • Exporting the certificates via my browser when browsing the site as a base64-encoded .cer file (as explained here and here) and also exporting the certificate via certmgr (explained here), although both invoke the same wizard.
    • Supplying this certificate to Python via verify='<path>' (as seen above).
    • Copying the certificate into cacert.pem from certifi (I used the same environment to execute certifi.where() that is used to execute the request).
  • Installing python-certifi-win32, but after looking at its source code I noticed this will only import CA and ROOT from the Windows certificate store (the ASP.NET Core dev certificate is a self-signed certificate not present in these stores).
  • Exporting the certificate with DER encoding. This produced the expected error: SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4263)')))
  • Verified that Python does find my certificate file when specifying it as the verify parameter. To do this I gave it a path that points to a nonexistent file and it produced the expected error: Could not find a suitable TLS CA certificate bundle, invalid path: ../nothinghere.cer

Additional information

  • I am running Windows 10 2004 19041.804 x64
  • Chrome 88.0.4324.182 (to export the certificate)
  • Python 3.8.5
  • Certifi 2020.12.5
  • Requests 2.25.1
  • I am not behind any (corporate) proxy, nor have I installed any VPN
  • The ASP.NET Core dev certificate is not chained

[Image: certificate chain]

Robin B
  • Is the full certificate chain in the `.cer` (or `.pem`) file? You can concatenate certificates one after another. – AKX Feb 18 '21 at 13:33
  • The ASP.NET Core dev certificate is self-signed so there should be no chain. But is there any way to verify this? This is bugging me too but I went ahead and trusted the linked SO answer (https://stackoverflow.com/questions/51925384/unable-to-get-local-issuer-certificate-when-using-requests-in-python?noredirect=1&lq=1) which implies that exporting the cert via the browser will export the chain. – Robin B Feb 18 '21 at 13:36
  • My guess is that the certificate has no basic constraints CA:true. See duplicate for why this is needed. If this is not the cause of the problem let me know and I will reopen the question. – Steffen Ullrich Feb 18 '21 at 16:44
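
The checks raised in the question and comments (PEM versus DER export, how many certificates the file holds, and whether basicConstraints carries CA:true) can be run against an exported file with the standard library alone. This is an added example, not part of the original question or comments; the helper names `read_tlv`, `is_ca` and `inspect_export` are hypothetical, the extension is located by a byte search for its OID rather than a full X.509 parse, and the sample inputs are constructed.

```python
import re
import ssl

# DER TLV of the basicConstraints extension OID (2.5.29.19)
BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def is_ca(der):
    """True only if basicConstraints is present and carries cA=TRUE."""
    at = der.find(BASIC_CONSTRAINTS_OID)  # heuristic: byte search, not a full parse
    if at < 0:
        return False
    tag, value, pos = read_tlv(der, at + len(BASIC_CONSTRAINTS_OID))
    if tag == 0x01:  # optional "critical" BOOLEAN comes before extnValue
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:  # extnValue must be an OCTET STRING
        return False
    tag, seq, _ = read_tlv(value, 0)  # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    if tag != 0x30 or not seq:
        return False
    tag, flag, _ = read_tlv(seq, 0)
    return tag == 0x01 and flag != b"\x00"

def inspect_export(data):
    """Report encoding, certificate count and per-certificate CA flag."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        encoding = "PEM"
        ders = [ssl.PEM_cert_to_DER_cert(b.decode("ascii")) for b in blocks]
    else:
        encoding, ders = "DER", [data]
    return {"encoding": encoding, "count": len(ders),
            "ca_flags": [is_ca(d) for d in ders]}

# Constructed stand-ins: bare basicConstraints extensions, not real certificates.
CA_TRUE = bytes.fromhex("300f0603551d130101ff040530030101ff")
CA_FALSE = bytes.fromhex("300c0603551d130101ff04023000")
BUNDLE = (ssl.DER_cert_to_PEM_cert(CA_FALSE)
          + ssl.DER_cert_to_PEM_cert(CA_TRUE)).encode("ascii")

if __name__ == "__main__":
    print(inspect_export(BUNDLE))
    print(inspect_export(CA_FALSE))
```

To check a real export, pass the file's bytes, for example `inspect_export(open(path, "rb").read())`.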
