I have installed a firewall Root CA into the Trusted Root Certification Authorities of the Local System of my Windows system. This was done for the purpose of SSL inspection.
When this was done, I was seeing SSL error messages in my Python applications:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')) WINDOWS
This was strange, because everything else on my system, such as web browsers, was operating fine. I then realized that Python uses the Root CAs specified in the file cacert.pem, which is managed by the certifi module. It does not use the Windows certificate store. This made sense because the certificates were set up correctly in the Windows certificate store, and every other application on my system was fine.
To view where this file is stored, you can run the following code:
    import certifi
    print(certifi.where())
I manually added my Root CA to the cacert.pem file by copying and pasting my Root CA certificate at the bottom of the cacert.pem file.
After doing this, I have not received any SSL errors whatsoever and my Python applications are correctly using the firewall's certificates.
My questions are:
- Can I make Python just use the trusted Root certificates in my Windows store?
- It is unnecessary and annoying to have to have duplicates of the same certificate. I would like Python to use the central Windows store, just like everything else, to minimize hassle and sources of error
- At the least, is there a certifi command that I can run to have it copy everything from the Windows certificate store into the cacert.pem file?
EDIT
From the certifi GitHub page:
Certifi does not support any addition/removal or other modification of the CA trust store content. This project is intended to provide a reliable and highly portable root of trust to python deployments. Look to upstream projects for methods to use alternate trust.
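Added example (not part of the original post and not certifi's own code): one way to copy the Windows store into a separate PEM bundle instead of editing cacert.pem, using the standard library's `ssl.enum_certificates()`. The output file name `corp-bundle.pem` and the helper names are assumptions made for this sketch.

```python
import hashlib
import re
import ssl

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # EKU: TLS server authentication
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def bundle_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)}


def merge_store_entries(base_pem, entries):
    """Append store certificates missing from base_pem; return (pem, added).
    entries has the shape ssl.enum_certificates() returns:
    (cert_bytes, encoding_type, trust), trust being True or a set of OIDs."""
    seen = bundle_fingerprints(base_pem)
    out, added = [base_pem.rstrip("\n")], 0
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # PKCS#7 blobs are not single certificates
        if trust is not True and SERVER_AUTH_OID not in trust:
            continue  # not trusted for TLS server authentication
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:
            continue  # already in the bundle, keep the merge idempotent
        seen.add(digest)
        out.append(ssl.DER_cert_to_PEM_cert(der).rstrip("\n"))
        added += 1
    return "\n".join(out) + "\n", added


def windows_store_entries():
    """Entries from the Windows ROOT and CA stores; empty on other platforms."""
    if not hasattr(ssl, "enum_certificates"):
        return []
    return [e for store in ("ROOT", "CA") for e in ssl.enum_certificates(store)]


if __name__ == "__main__":
    import certifi  # third-party; provides the cacert.pem discussed above
    with open(certifi.where(), encoding="utf-8") as fh:
        merged, added = merge_store_entries(fh.read(), windows_store_entries())
    with open("corp-bundle.pem", "w", encoding="utf-8") as fh:  # assumed name
        fh.write(merged)
    print(f"added {added} certificates; set REQUESTS_CA_BUNDLE=corp-bundle.pem")
```

Writing to a separate file means a certifi upgrade, which replaces cacert.pem, does not drop the firewall root. Code that builds its context with `ssl.create_default_context()` and no `cafile` already loads the Windows system stores on Windows.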