Gigi

Reputation: 315

Why isn't Python loading the CA certificate?

I've added a bundle certificate to Python's default file:

>>> import ssl; print(ssl.get_default_verify_paths())
DefaultVerifyPaths(cafile='/usr/lib/ssl/cert.pem', capath='/usr/lib/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/lib/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/lib/ssl/certs')

and the certificate seems to work nicely

>>> import requests; requests.get('https://westeurope.experiments.azureml.net', verify='/usr/lib/ssl/cert.pem')
<Response [530]>

However, when I try to perform the same request without explicitly specifying the certificate file, it fails.

>>> requests.get('https://westeurope.experiments.azureml.net')
# ...
requests.exceptions.SSLError: HTTPSConnectionPool(host='westeurope.experiments.azureml.net', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1051)')))

In my understanding this shouldn't happen, right? Why isn't Python loading the certificate I provided in the default path?

I'm using Python 3.7.1

Thanks

Upvotes: 2

Views: 13514

Answers (1)

dave_thompson_085

Reputation: 38771

requests does not use the defaults from ssl; it uses the environment variable REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE if set, and otherwise uses the (spun-off) certifi module which, depending on how you installed requests and certifi (which you didn't say) and your environment (which you didn't identify), might use a system default (which might or might not be the same as the OpenSSL used in ssl) or might be its own copy of Mozilla. In the latter case it should include DigiCert Global Root CA as needed for that site, because Firefox (also Mozilla) does.

Look at requests.certs.where() or python -m requests.certs

Mostly dupe
Python Requests - How to use system ca-certificates (debian/ubuntu)?
How to force requests use the certificates on my ubuntu system
Why python requests not use the system ssl cert by default?

Upvotes: 4
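
The lookup order described in the answer above, written out as an added example (not code from the post or from requests itself): `requests_ca_source` mirrors the environment-variable-then-certifi precedence, and `ca_in_bundle` checks whether a CA you added is actually in the bundle that wins. The function names and the PEM blocks are constructed for illustration; the PEM bodies are stand-in bytes, not real certificates.

```python
import base64
import hashlib
import os
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def requests_ca_source(environ, certifi_path):
    """(origin, path) of the bundle requests uses when verify is not passed,
    following the precedence stated in the answer."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if environ.get(var):  # an empty value falls through to the next source
            return var, environ[var]
    return "certifi", certifi_path

def fingerprints(pem_text):
    """SHA-256 of each certificate body found in a PEM bundle."""
    return {hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)}

def ca_in_bundle(ca_pem, bundle_pem):
    """True if every certificate in ca_pem is also present in bundle_pem."""
    wanted = fingerprints(ca_pem)
    return bool(wanted) and wanted <= fingerprints(bundle_pem)

def _pem(raw):
    """Wrap bytes as a PEM block: a constructed stand-in, not a real certificate."""
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample data: the extra CA was appended to the OpenSSL default
# file only (as in the question); the certifi copy holds public roots only.
ADDED_CA = _pem(b"constructed-added-ca")
OPENSSL_FILE = _pem(b"constructed-public-root") + ADDED_CA
CERTIFI_FILE = _pem(b"constructed-public-root")

if __name__ == "__main__":
    import certifi  # assumption: installed, as it is a dependency of requests
    print("ssl default cafile:", ssl.get_default_verify_paths().cafile)
    print("requests would use:", requests_ca_source(os.environ, certifi.where()))
    print("added CA in OpenSSL file:", ca_in_bundle(ADDED_CA, OPENSSL_FILE))
    print("added CA in certifi file:", ca_in_bundle(ADDED_CA, CERTIFI_FILE))
```

To check a real setup, read the file at the path returned by `requests_ca_source` and pass its text, together with your CA's PEM text, to `ca_in_bundle`.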
