
The following curl cmd works as is, without any issues:

```
curl -H "Authorization: Bearer $AUTH" --cacert "/var/lib/myapp/server-ca.crt" https://myapp.common:2567/service -X GET
```

Implementing this in python,

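```python
import os

import requests

# Bearer token is read from the AUTH environment variable, as in the curl command
headers = {"Authorization": "Bearer {}".format(os.getenv("AUTH"))}
cacert = "/var/lib/myapp/server-ca.crt"
url = "https://myapp.common:2567/service"
response = requests.get(url=url, headers=headers, verify=cacert)
```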

However it fails with the following error

```
HTTPSConnectionPool(host='myapp.common', port=2567): Max retries exceeded with url: /service
 (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
```

For context the cacert here has the following info:
---BEGIN CERTIFCATE---- SOMERANDOMSTRING ---END CERTIFICATE----

C--
  • In short: wrong option. You need to use `verify` not `cert`. – Steffen Ullrich Nov 30 '21 at 18:36
  • @SteffenUllrich Thanks for pointing it out. However after changing cert to verify, I still have the same issue – C-- Nov 30 '21 at 18:46
  • *"However after changing cert to verify"* - The original cause is solved. With changed code this is a different question. Please provide exactly the (new) code you are using and exactly the (new) error message you got in a new question. – Steffen Ullrich Nov 30 '21 at 18:51
  • @SteffenUllrich As pointed out in the previous comment, I get the exact same error. The new code was to use `requests.get(url=url, headers=headers, verify=cacert)`. I don't think new question is required given I'm facing the same error – C-- Nov 30 '21 at 19:17
  • I've reopened the question but I doubt that it can be solved with the information. `verify=cacert` is exactly the way it should work. If your file is malformed or does not contain the CA certificate then it should not work with curl either. So please check again, that the shown curl command and Python code and error messages really match **exactly** what you are doing. – Steffen Ullrich Dec 01 '21 at 07:16
  • @SteffenUllrich I'm 100% sure, and I just triple checked. I get the same exact issue with python requests but curl works without any issues. I'm thinking it has something to do with the certificate – C-- Dec 01 '21 at 10:20
  • Curl probably has more up to date CA lists, for example using the OS trust store, whereas `requests` uses `certifi` keys store - try updating requests or certifi using pip. – DisappointedByUnaccountableMod Dec 01 '21 at 21:39
  • See related [Python requests SSL error - certificate verify failed](https://stackoverflow.com/questions/46604114/python-requests-ssl-error-certificate-verify-failed) – hc_dev Dec 12 '21 at 17:32

1 Answer

Turns out the issue was with the certificate. I had self-signed certificates which were not present in the OS trust store.

Python requests needs the path to the full chain cert, not just the intermediate cert, for the `verify` parameter. See requests documentation: SSL Cert Verification

After updating it, it worked without any issues.

hc_dev
C--
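One way to check whether a file passed to `verify=` is a full chain or only an intermediate, as an added example that is not part of the original question or answer. It uses only the standard-library `ssl` module, assumes the verifier has to build the chain up to a self-signed root, and the certificate names in the sample data are constructed.

```python
import ssl
import sys


def load_ca_certs(cafile):
    """Load a PEM bundle into a client context and return its CA certificates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)  # raises ssl.SSLError if no PEM cert parses
    return ctx.get_ca_certs()  # list of dicts with 'subject' and 'issuer'


def name(rdns):
    """Flatten ssl's nested RDN tuples into 'commonName=..., ...' for display."""
    return ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def chain_gaps(certs):
    """Return (roots, missing): self-signed subjects found in the bundle,
    and issuer names that no certificate in the bundle provides."""
    subjects = {c["subject"] for c in certs}
    roots = [name(c["subject"]) for c in certs if c["subject"] == c["issuer"]]
    missing = sorted({name(c["issuer"]) for c in certs
                      if c["issuer"] not in subjects})
    return roots, missing


# Constructed sample data in the shape get_ca_certs() returns (names are made up).
ROOT = ((("commonName", "myapp Root CA"),),)
INTERMEDIATE = ((("commonName", "myapp Intermediate CA"),),)
INTERMEDIATE_ONLY = [{"subject": INTERMEDIATE, "issuer": ROOT}]
FULL_CHAIN = INTERMEDIATE_ONLY + [{"subject": ROOT, "issuer": ROOT}]

if __name__ == "__main__":
    # With a path argument, inspect a real bundle; otherwise use the sample data.
    certs = load_ca_certs(sys.argv[1]) if len(sys.argv) > 1 else INTERMEDIATE_ONLY
    roots, missing = chain_gaps(certs)
    print("self-signed roots:", roots or "none")
    print("issuers not in bundle:", missing or "none")
    if missing:
        print("bundle is incomplete: append the missing issuer certificates")
```

Run it with the bundle path as the only argument; any name listed under "issuers not in bundle" is a certificate that still has to be appended to the file.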