
Hello StackOverflow Community,

I know the [SSL: CERTIFICATE_VERIFY_FAILED] error is a widely discussed issue. However, after testing different methods such as here, here, and here, I am still not able to solve this dreadful issue.

Background:

While on the company network, I try connecting to a REST API endpoint https://demo.vizionapi.com/carriers. However, the [SSL: CERTIFICATE_VERIFY_FAILED] error randomly appears.

Solution Tested:

I followed this article, passed https://demo.vizionapi.com/carriers to Chrome to get all certificates (the root one, the intermediate one, and the website one), then installed the certifi package and appended the three certificates to the end of the cacert.pem file as follows.

```
... other certificates...

-----BEGIN CERTIFICATE-----
xxxx (root)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
xxxx (intermediate)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
xxxx (website)
-----END CERTIFICATE-----
```

Then I passed the following code to build a connection with API.

```python
import httpx
import certifi

head = {
    'X-API-Key': 'akkakakka'
}

url_end = 'https://prod.vizionapi.com/carriers'

response = httpx.get(url=url_end,
                     verify=certifi.where(),
                     headers=head,
                     follow_redirects=True)
```

I pass follow_redirects as True because if this parameter is set to False, I will randomly get the 307 Proxy Redirect status code. However, when the redirect happened, I got the same [SSL: CERTIFICATE_VERIFY_FAILED] error; but when the redirect did not happen, the code worked flawlessly.

Further Investigation:

I dug a bit further and discovered that the redirect happens due to our company's proxy hijacking the connection and further changing the URL.

URL when the redirect does not happen: https://demo.vizionapi.com/carriers

URL when the redirect happens (Pseudo): https://proxy02.xan.klklk/BNKS09NKSISKIO0987/11.11.11.111/https://demo.vizionapi.com/carriers

I tried to pass the redirected URL to Chrome and get the new certificates, but I still got the same error.

Questions:

I guess my question is: how can I deal with the [SSL: CERTIFICATE_VERIFY_FAILED] error when it is caused by the company proxy changing the URL and forcing the proxy URL to be added in front of the REST API URL?

Thank you for your suggestion, and any comment is welcomed.

Vae Jiang
  • It could be a couple of things. Do your CA certs include the proxy server's cert? Are you using a client certificate for authentication? And is your browser set to use a proxy autoconfig file for redirection? – James Aug 08 '22 at 14:20
  • Hi @James, pardon my poor understanding of SSL-related topics. I think the proxy server's cert has been included (the one after the root cert). However, I am not so sure I understand your last two questions. Can you elaborate more? Thank you so much! – Vae Jiang Aug 08 '22 at 15:06
  • Your organization can issue you/your browser a client certificate. This can be used as a means of authenticating any requests sent to the server. Basically, when establishing the SSL connection you say "hey, I have this cert issued to me by our friend, and it proves that it is me making the request." However, the error you are getting is probably the CA certs. For a client cert issue, you would likely see `SSLError: bad handshake:...`. – James Aug 09 '22 at 09:43
  • The proxy autoconfig file is simply a JavaScript (with limited functionality) file that your browser uses to redirect traffic based on the url / host of the request. It can send your request directly to the requested server, or supply a proxy connection. If you look at your browser / system settings, it might have a proxy script location. – James Aug 09 '22 at 09:52
  • @James, I talked with our IT team, and they gave me a CA bundle. Once I appended the CA bundle given by IT, the `SSL Error` issue no longer shows up. Thank you so much for your suggestion! If you can post your comment as an answer, I will accept it. – Vae Jiang Aug 09 '22 at 13:54

1 Answer


You don't have all of the CA certs needed to verify whichever server you are sending requests to. Ask to get the complete CA bundle to use for verification.

James
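
Added example, not part of the original question or answer: one way to use a complete CA bundle without editing certifi's cacert.pem in place (a certifi upgrade replaces that file) is to merge the public bundle and the IT-supplied bundle into a separate file and pass that path to `verify=`. The function names, file names and sample blocks below are assumptions constructed for illustration.

```python
import base64
import hashlib
import re
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def split_pem(text):
    """Return every certificate in a PEM bundle; comment lines are dropped."""
    return [block.strip() + "\n" for block in PEM_BLOCK.findall(text)]

def fingerprint(pem):
    """SHA-256 of the decoded body, so line-ending differences do not matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def merge_bundles(base_pem, extra_pem):
    """Return (merged PEM text, fingerprints newly added from extra_pem)."""
    merged = split_pem(base_pem)
    seen = {fingerprint(pem) for pem in merged}
    added = []
    for pem in split_pem(extra_pem):
        fp = fingerprint(pem)
        if fp not in seen:  # skip certificates the base bundle already trusts
            seen.add(fp)
            merged.append(pem)
            added.append(fp)
    return "".join(merged), added

def write_merged_bundle(base_path, extra_path, out_path):
    """Write base + extra to out_path; the base file is only read."""
    text, added = merge_bundles(Path(base_path).read_text(encoding="utf-8"),
                                Path(extra_path).read_text(encoding="utf-8"))
    Path(out_path).write_text(text, encoding="utf-8")
    return added

def constructed_pem(payload):
    """Constructed placeholder block for the demo, not a real certificate."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    public = constructed_pem(b"public-root-A") + constructed_pem(b"public-root-B")
    corporate = constructed_pem(b"corp-proxy-root") + constructed_pem(b"public-root-B")
    merged, added = merge_bundles(public, corporate)
    print(len(split_pem(merged)), "certificates,", len(added), "added")
    # Real use (file names are assumptions): write_merged_bundle(certifi.where(),
    # "corp-ca-bundle.pem", "merged-ca.pem"), then httpx.get(url, verify="merged-ca.pem")
```
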