1

I've tried to execute a GET with python requests on a Website (that perfectly works when visited with Firefox or Google Chrome) but it fails with the following exception:

requests.exceptions.SSLError: HTTPSConnectionPool(host='api.example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))

the interesting thing is that if I execute the GET on an other Subdomain (of the same website) it is:

  • api.example.com Exception
  • app.example.com It Works

and BOTH are certified with the SAME ROOT CA and both works on Firefox or Google Chrome.

In particular the code is the following (a very simple request)

import requests
import json

s = requests.Session()

# execute the get
r = s.get("https://api.example.com/"

and Throws the Exception:

requests.exceptions.SSLError: HTTPSConnectionPool(host='api.example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))

Insted if I execute:

r = s.get("https://app.example.com/"

it works without any problem!

And I remark that boot are Signed and Cerfiticated by the same Root CA. And Both works correctly if visited with Firefox or Google Chrome.

I don't know what to do... Thanks for any hint...

p.s. All the CAs are updated to the latest version.

And the versions of the packages are:

  • urllib3-1.26.6
  • certifi-2021.5.30
Samuele
  • 11
  • 1
  • 5
  • True... Sorry, I've updated it! – Samuele Aug 08 '21 at 14:01
  • _example.com_ is just a placeholder ? – Maurice Meyer Aug 08 '21 at 14:02
  • Exactly, to not post the real website – Samuele Aug 08 '21 at 14:06
  • 2
    Check the site against [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html) and look especially for "chain issues" - which point to a server side misconfiguration. Browser can usually work around this misconfiguration so it seems to work. Most non-browser tools though cannot work around this and fail. – Steffen Ullrich Aug 08 '21 at 14:30
  • @steffen-ullrich I've tried it and it says: "Chain issues: Incomplete", is there a way to work arount it in python requests? – Samuele Aug 08 '21 at 14:36
  • @Samuele: Then this is a duplicate question. The answers to the linked questions also shows ways to work around this problem in Python requests. – Steffen Ullrich Aug 08 '21 at 15:03

0 Answers0