1

I am using Python to make a GET request to the Jira Cloud REST API to get details of an issue, but I am getting this SSL verification failed error message. I am using this script:

```python
import requests
import json

url = "https://your-domain.atlassian.net/rest/agile/1.0/issue/{issueIdOrKey}"

headers = {
  "Accept": "application/json",
  "Authorization": "Bearer <access_token>"
}

response = requests.request(
   "GET",
   url,
   headers=headers
)

print(json.dumps(json.loads(response.text), sort_keys=True, indent=4, separators=(",", ": ")))
```

Error message:

```
requests.exceptions.SSLError: HTTPSConnectionPool('host=your-domain.atlasian.net', port=443): Max retries exceeded with url: /rest/agile/1.0/issue/{issueIdOrKey} (caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed : self signed certificate in certificate chain (_ssl.c:992)')))
```

Please suggest possible ways to resolve this issue. Thank you!

  • Did you try to use the verify option? `response = requests.request("GET",url,headers=headers, verify=False)` – RaiZy_Style Jul 04 '23 at 13:35
  • InsecureRequestWarning: Unverified request is being made to host 'my-domain.atlassian.net:443'. Adding certificate verification is strongly recommended `"error": "Failed to parse Connect session auth token"` – Devendra Yadav Jul 05 '23 at 05:38
  • Does this answer your question? [How to get Python requests to trust a self signed SSL certificate?](https://stackoverflow.com/questions/30405867/how-to-get-python-requests-to-trust-a-self-signed-ssl-certificate) – jpeg Jul 12 '23 at 08:26

5 Answers

1

`self signed certificate in certificate chain` means that certificate chain validation has failed. Your script does not trust the certificate or one of its issuers. For more information see Beginning with SSL for a Platform Engineer. The answer from Tzane had most of what you need. But it looks like you also might want to know WHAT certificate to add.

So, first get the CA certificate, and any intermediate certs, by running the following on a command line:

```bash
openssl s_client -connect your-name.atlassian.net:443 -showcerts
```

In the output there is a block that starts with Certificate chain. The output I got from Atlassian.net had only a server cert and CA cert.

There are blocks of output that start with `-----BEGIN CERTIFICATE-----` and end with `-----END CERTIFICATE-----`.

These blocks, including the lines I just showed, are a certificate. Copy the last certificate and create a PEM file, e.g. `ca-root.pem`. Place this in the same directory as your Python file and then update your requests block to be:

```python
# Path to the PEM file holding the CA certificate to trust
verify = "ca-root.pem"

response = requests.request(
   "GET",
   url,
   headers=headers,
   verify=verify
)
```

Hope this helps.

----- UPDATE -----

Using the domain you provided, msci.atlassian.net, I have the CA cert provided at this time by Digital Cert.

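An added example, not part of the answer above or of any OpenSSL or Atlassian tooling: before saving the last certificate from `openssl s_client -showcerts` as `ca-root.pem`, confirm what it is. The code parses the chain listing and returns the last certificate only when it is self-issued and its SHA-256 fingerprint equals a value obtained separately (for example from IT); the sample output, the names in it and the function names are constructed for illustration.

```python
import base64
import hashlib
import re
# Constructed `openssl s_client -showcerts` output; the names are made up and
# the base64 bodies are placeholders, not real certificates.
SAMPLE = """Certificate chain
 0 s:CN = *.atlassian.net
   i:CN = Example Corp Inspection CA
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Corp Inspection CA
   i:CN = Example Corp Inspection CA
-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----
"""

def parse_chain(text):
    """Return one dict (subject, issuer, pem) per entry under 'Certificate chain'."""
    chain, cur, pem = [], None, None
    for line in text.splitlines():
        if pem is not None:                      # inside a PEM block
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                cur["pem"] = "\n".join(pem) + "\n"
                chain.append(cur)
                cur = pem = None
        elif (m := re.match(r"\s*\d+ s:(.*)", line)):
            cur = {"subject": m.group(1).strip(), "issuer": None}
        elif cur and line.strip().startswith("i:"):
            cur["issuer"] = line.strip()[2:].strip()
        elif cur and line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]                         # a BEGIN with no s:/i: header is skipped
    return chain

def fingerprint(pem):
    """SHA-256 over the decoded (DER) bytes of one PEM block, as lowercase hex."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def trust_anchor(text, expected_sha256):
    """Last chain certificate, if self-issued and matching the out-of-band fingerprint."""
    chain = parse_chain(text)
    top = chain[-1] if chain else None
    if top and top["subject"] == top["issuer"] \
            and fingerprint(top["pem"]) == expected_sha256.replace(":", "").lower():
        return top
    return None
```

Write `trust_anchor(...)["pem"]` to `ca-root.pem` only when the function returns a certificate; a `None` result means the chain top is not the CA you were told to expect.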
0

We had a similar cert issue with another web API that came up randomly on some machines. What we ended up doing is getting the ISRG Root X1 from Let's Encrypt and passing it manually to the request

```python
# Path to the downloaded ISRG Root X1 certificate
verify = "isrgrootx1.pem"

response = requests.request(
   "GET",
   url,
   headers=headers,
   verify=verify
)
```
Tzane
0

Getting certificate issues like that (self signed certificate in chain) from such a public website smells like you're behind a corporate proxy. Is that the case?

You can simply check that by connecting to the internet from your home, or a hotspot, without being behind the proxy. If it works, then that's your problem.

You can also debug it further by running `curl -v <URL>`. It will display some additional cert information.

To solve it, you need to trust your company CA certificate so certificates signed by this root CA are trusted. Here's a to do it on Ubuntu


Importing a company certificate is something usually the IT department helps with. The process is different between OS's, but in general (and I'll give a Linux example below) this is how it goes:

  1. You need to get the root CA certificate. This is the certificate the company signs certificates with. Your IT will probably have it, or know where you can get it from. This is a file with a `.crt` suffix.
  2. You put this file in the designated location, depending on your OS. For Ubuntu this would be `/usr/local/share/ca-certificates`.
  3. Run `sudo update-ca-certificates` to update the OS certificates.

If you're running inside Docker, the process is the same and again, it might be different depending on the OS type.

Chen A.
  • Yes I am behind a proxy. I tried the `curl -v ` and getting this `Connected to my-domain.atlassian.net (104.192.142.18) port 443 ALPN, offering h2 successfully set certificate verify locations: CAfile: /path/to/ca/certificate * TLSv1.3 (OUT), TLS handshake, Client hello (1): OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my-domain.atlassian.net:443 curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my-domain.atlassian.net:443` – Devendra Yadav Jul 03 '23 at 08:08
  • Does it work if you ignore certificates? (try curl -k) – Chen A. Jul 03 '23 at 10:51
  • No this time it is showing `curl: (35) openSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my-domain.atlassian.net:443` – Devendra Yadav Jul 05 '23 at 05:34
  • This also may indicate some sort of certificate problem. You need to import your company certificate on that host / docker container. – Chen A. Jul 05 '23 at 05:47
  • Can you tell me the whole process how to do it? – Devendra Yadav Jul 07 '23 at 06:01
  • @DevendraYadav I've updated the answer with an explanation – Chen A. Jul 07 '23 at 10:21
0

Are you using YOUR domain name in the request?

From the errors, it looks like you're trying to use the fictitious domains my-domain.atlassian.net and your-domain.atlassian.net in your request.

David Bakkers
0
  1. Try doing `ping <your-domain>.atlassian.net` and ensuring it can get through.
  2. If you're on VPN, try turning it off, because VPN can do self-signed certs that cause all kinds of issues.
  3. Otherwise check out your env variables which are used by Python... attaching a short script we've used when dealing with these issues:

```bash
# Pick a writable location for the exported CA bundle
if [ -w /etc/ssl/certs ]
then
    CERT_PATH=/etc/ssl/certs/certs.pem
else
    CERT_PATH=~/.certs.pem
fi
# macOS: export every certificate in the login keychain as one PEM file
security export -t certs -f pemseq -k login.keychain-db -o "$CERT_PATH"
# Point requests at that bundle in new shells; printf is used because bash's
# echo would write the "\n" literally
printf '\nexport REQUESTS_CA_BUNDLE=%s\n' "$CERT_PATH" >> ~/.bash_profile
printf '\nexport REQUESTS_CA_BUNDLE=%s\n' "$CERT_PATH" >> ~/.zshrc
```
smoot
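An added example, not from any of the answers: a pip-installed requests uses the certifi bundle rather than the OS store that `update-ca-certificates` maintains. The code below reimplements the CA lookup order from the requests documentation, checks whether a company root is in a given bundle, and writes a combined bundle for `REQUESTS_CA_BUNDLE` or `verify=`. The function names and the file name `company-root.pem` are hypothetical; `/etc/ssl/certs/ca-certificates.crt` is the bundle Ubuntu generates.

```python
import os
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def effective_ca_source(verify=True, env=None):
    """Which trust store a requests call ends up using, following the
    precedence in the requests documentation (reimplemented here, stdlib only)."""
    env = os.environ if env is None else env
    if verify is False:
        return "none: verification disabled"
    if isinstance(verify, str):
        return verify                       # an explicit verify="path" wins
    return (env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")
            or "certifi bundle shipped with requests")

def read_certs(path):
    """Map DER bytes -> PEM text for every certificate in a PEM file."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return {ssl.PEM_cert_to_DER_cert(p): p for p in PEM_RE.findall(fh.read())}

def bundle_contains(bundle_path, ca_path):
    """True if every certificate in ca_path is also present in bundle_path."""
    wanted = read_certs(ca_path)
    return bool(wanted) and wanted.keys() <= read_certs(bundle_path).keys()

def write_combined_bundle(base_bundle, extra_ca, out_path):
    """Write base_bundle plus extra_ca (deduplicated) so public CAs stay
    trusted alongside the company root. Returns the certificate count."""
    certs = {**read_certs(base_bundle), **read_certs(extra_ca)}
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write("\n".join(certs.values()) + "\n")
    return len(certs)

if __name__ == "__main__":
    # Assumed paths: the Ubuntu system bundle and a company root obtained from IT.
    store = "/etc/ssl/certs/ca-certificates.crt"
    print(effective_ca_source(env={"REQUESTS_CA_BUNDLE": store}))
    if os.path.exists(store) and os.path.exists("company-root.pem"):
        print(bundle_contains(store, "company-root.pem"))
```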