I'm trying to make a Python (3.9.2) client using requests to communicate with a node.js (12.13.0) server using socket.io over SSL.

It only works for me if I put verify = False on the Python client side. Without verify = False I get different errors, depending on the setup. The setup that looks most valid to me throws the error from the header.

That setup is (simplified) -

Server Node.JS:

const express = require('express')
const fs = require('fs')
const socketIo = require("socket.io")
const app = express()

const port = 12457 // same port the Python client connects to
let httpsServer

// parse JSON request bodies so that req.body is populated
app.use(express.json())

// backslashes must be escaped inside a JS string ("\t" would be a tab)
var cert = "path\\to\\cert.pfx"
if (fs.existsSync(cert)) {
    httpsServer = require('https').createServer({
        pfx: fs.readFileSync(cert),
        passphrase: 'reall_pass_here',
        requestCert: true,
        rejectUnauthorized: false // should be true in production
    }, app)
}

httpsServer.listen(port, function () {
    console.log('[Info]', 'httpsServer is running on port', port);
});

app.post('/', async (req, res) => {
    console.log(req.headers)
    console.log(req.body)
    //do nice things here
    res.sendStatus(200)
})

Client Python:

import json
import requests

# encoded_string and imageName are defined elsewhere (omitted in this simplified version)
response = requests.post("https://myserver.com:12457/"
    # , verify = False
    , headers={"Content-Type": "application/json"}
    , data=json.dumps({"base64Image": encoded_string, "imageName": imageName}))
print("SendPhoto", response.status_code)

When using an online API tester service (like https://reqbin.com/) it works as expected, so I assume the issue is on the client side.

Looking here: https://stackoverflow.com/a/66111417/627100 and at similar posts, I can understand the problem is common, but the solution provided is not clear to me. As I have access to both server and client, I took the PEM certificate from the original GoDaddy files and pasted it into the certifi PEM file in my client's venv. It didn't solve the problem. I'm not sure at all whether such an act is even valid or secure. I also thought of exporting the certificate from the browser's padlock, but it doesn't offer the PEM format.

I understand that the server must serve the complete chain of certificates, including the intermediate ones. Maybe it doesn't (so how does the online API tester work?) - how can I make it do so? Or make the client disregard the demand? Or 'bring it' manually? (not valid for production...) I guess I need a detailed explanation here...

Qua285
  • The problem lies either in the certificates served (like intermediate missing) or the certificates you trust. None of this is actually known, i.e. there are only some statements which kind of describe what you _think_ is the case, but don't show _facts_ about what really is the case. Without this information one cannot offer detailed help though. *"I took the PEM certificate from the original GoDaddy files and paste it on the certifi PEM file ..."* - trying to add the server certificate as a trusted CA will not help because the server certificate is not a CA. – Steffen Ullrich Aug 03 '21 at 11:07
  • Thanks @SteffenUllrich, I will "undo" the PEM as now it is clear to me it is not a trusted CA – Qua285 Aug 04 '21 at 08:38

1 Answer

Usually the 'unable to get local issuer certificate' error clearly indicates that the issuer's (GoDaddy's in your case) root certificate is not installed in your system's Trusted Root Certification Authorities store, if your client runs on a Windows machine. Or it is missing from '/etc/ssl/certs/ca-certificates.crt' in the case of a Linux machine.

You can download GoDaddy's root certificate from here.

  • Thanks Rustam. So a trusted root CA is one per authority and the server is supposed to serve it to the client? Are you suggesting that I need to verify (and install) it on the Windows server? BTW, when I'm testing the certificate through this tester: https://www.digicert.com/help/, it gives all green, including "Subject Go Daddy Root Certificate Authority - G2 Valid from 01/Jan/2014 to 30/May/2031 Issuer". – Qua285 Aug 04 '21 at 08:40
  • Yes, when you connect to your server over SSL and it sends its certificate back, your client checks the certificate authority that is specified inside. So you need to make sure that GoDaddy's root certificate is installed in your CA root store on the client side. – Rustam Hovhannisyan Aug 05 '21 at 06:59
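
Added example (not part of the original question or answer): the missing-intermediate case raised in the question and in the first comment, reproduced offline with the openssl command-line tool. The CA names, myserver.example and all file names are constructed; it assumes openssl is installed.

```shell
# Added example. All names (Demo Root CA, myserver.example, file names) are constructed.
set -eu

# issue DIR NAME CN EXT ISSUER SERIAL: new key + CSR for NAME, signed by ISSUER's key.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
        -set_serial "$6" -days 2 -extfile "$1/pki.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: root CA -> intermediate CA -> server (leaf) certificate.
make_demo_pki() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/pki.cnf" -extensions v3_ca \
        -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    issue "$1" int  "Demo Intermediate CA" v3_ca   root 2
    issue "$1" leaf "myserver.example"     v3_leaf int  3
}

# verify_chain TRUSTED LEAF [SENT]: TRUSTED is the client's CA bundle; SENT holds the
# extra certificates the server presents in the handshake (omit if it sends none).
verify_chain() {
    openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "1. client trusts the root, server sends only its own certificate:"
    verify_chain "$d/root.pem" "$d/leaf.pem" || true
    echo "2. same client, server also sends the intermediate:"
    verify_chain "$d/root.pem" "$d/leaf.pem" "$d/int.pem"
    echo "3. server sends only the leaf, client bundle holds root + intermediate:"
    cat "$d/root.pem" "$d/int.pem" > "$d/bundle.pem"
    verify_chain "$d/bundle.pem" "$d/leaf.pem"
    rm -rf "$d"
}
demo
```

Case 3 is what passing a CA bundle path to the `verify` parameter of requests.post does on the client; case 2 is the server-side fix, where the server presents its intermediate certificate together with its own.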