I'm trying to replicate a CURL command using aiohttp in Python.

```bash
curl -k -X POST https://XXXXXXXXXXXXXXX.com  \
    --cert file.cer:pass \
    --key file.key \
    -u "XXXXXXXXXXX:XXXXXXXXXXX" \
    -d "username=XXXXXXXXXXX" \
    -d "password=XXXXXXXXXXX" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Authorization: Basic XXXXXXXXXXX"
```

That works fine.

Reading the docs here, https://docs.aiohttp.org/en/stable/client_advanced.html#ssl-control-for-tcp-sockets, I create an SSL context like so, using Python's ssl module:

```python
import ssl

ssl_context = ssl.create_default_context()

ssl_context.load_cert_chain(
    certfile=CERT_PATH,
    keyfile=KEY_PATH,
    password=KEY_PASS
)
```

Then, with aiohttp when executing a request:

```python
async with session.post(url, json=body, ssl=ssl_context) as r:
    ...
```

And I get this:

```
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)
```

Any ideas why?

  • this seems like a duplicate of https://stackoverflow.com/questions/30405867/how-to-get-python-requests-to-trust-a-self-signed-ssl-certificate – Joran Beasley Oct 05 '22 at 17:14
  • this article also may be useful https://rob-blackbourn.medium.com/secure-communication-with-python-ssl-certificate-and-asyncio-939ae53ccd35 – Joran Beasley Oct 05 '22 at 17:16
  • I just skimmed over [some Python docs](https://docs.python.org/3/library/ssl.html#context-creation). Does anything change if you change `ssl_context = ssl.create_default_context()` to `ssl_context = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)`? – Michael M. Oct 05 '22 at 22:28
  • @MichaelM. `Purpose.SERVER_AUTH` is the default attribute, so that wasn't the issue. – Dante Mogni Oct 06 '22 at 02:59

1 Answer

Update:

Solved this by following the answer here: How can I create a Python SSL Client/Server pair where only the server authenticates the client

Basically replaced ssl.create_default_context() with ssl.SSLContext()

Only thing is that now I get a warning:

```
DeprecationWarning: ssl.SSLContext() without protocol argument is deprecated.
DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
```

But that is a problem for another day. I'm open to hear more suggestions, tho.
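
Added example (not code from the question or the answer): a bare `ssl.SSLContext()` defaults to `CERT_NONE` with hostname checking off, which has the same effect as curl's `-k`. The sketch below compares that context with one that keeps verification on and trusts the signing CA through `cafile`. The function names are hypothetical, and having the server's CA certificate available as a PEM file is an assumption.

```python
import ssl
import warnings


def verification_gaps(ctx):
    """Return the reasons this client context would not authenticate a server."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append(f"verify_mode={ctx.verify_mode.name}: server chain is never validated")
    if not ctx.check_hostname:
        gaps.append("check_hostname=False: certificate name is not matched to the host")
    return gaps


def answer_style_context():
    """Equivalent of the bare ssl.SSLContext() call (PROTOCOL_TLS is its default)."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def client_context(cafile=None, certfile=None, keyfile=None, password=None):
    """Verifying context: trust only `cafile` when given, else the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:  # client certificate for mutual TLS, like curl's --cert/--key
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile, password=password)
    return ctx


async def post_form(url, form, user, secret, ctx):
    """Form-encoded POST with Basic auth, mirroring curl's -d and -u options."""
    import aiohttp  # imported here so the checks above run without aiohttp installed

    async with aiohttp.ClientSession() as session:
        auth = aiohttp.BasicAuth(user, secret)
        async with session.post(url, data=form, auth=auth, ssl=ctx) as r:
            return r.status, await r.text()


if __name__ == "__main__":
    # Constructed comparison; no network access or certificate files are needed.
    print("SSLContext():", verification_gaps(answer_style_context()))
    print("create_default_context():", verification_gaps(client_context()))
```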