python Requests SSL ERROR (certificate verify failed)
It is highly recommended to have a deeper look at the excellent documentation for requests. It has a special chapter about SSL Cert Validation which explains:
You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs:
>>> requests.get('https://github.com', verify='/path/to/certfile')
Assuming that your server certificate was signed by your ca.crt, you should use this for the verify parameter.
EDIT: based on the discussion, it looks like the CA and server certificate used the same subject. This means that the certificate validation assumes that this is a self-signed certificate, which thus results in a certificate validation error.
nebi
Updated on June 04, 2022
Comments
-
nebi 7 months
I have generated following self-signed certificates for my server and client.
I have created ca.crt & ca.key. Using ca.crt & ca.key, I have created server.crt, server.key for server and client.crt, client.key for client respectively.
I am using python requests library as client. Below is the code snippet:
    import json
    import requests

    # Client certificate and private key presented to the server
    cert = ("/home/tests/certs/client.crt", "/home/tests/certs/client.key")


    class TestCart():
        def test_cart(self, **kwargs):
            url = "https://192.168.X.Y/cart"
            cart_data = {
                'id': kwargs.get('id'),
                'items': kwargs.get('items')
            }
            req_data = json.dumps(cart_data)
            # verify= names the CA bundle used to validate the server certificate
            resp = requests.post(url, data=req_data,
                                 verify="/home/certs/ca.cert", cert=cert)
            print(resp.text)


    if __name__ == '__main__':
        t_cart = TestCart()
        data = {'id': 'ba396e79-0f0f-4952-a931-5a528c9ff72c', 'items': []}
        t_cart.test_cart(**data)
This gives exception:
requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.X.Y', port=443): Max retries exceeded with url: /cart (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))
If I use verify=False, code works, but I want to verify. What should be the value of verify in my request?
-
nebi about 5 years
It still gives exception: (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))
-
Steffen Ullrich about 5 years
@nebi: It is unknown what your code exactly is and what the contents of the certificates are. But, somewhere in this unknown part lies the problem. It might thus be helpful if you publish everything needed to reproduce your problem as a Minimal, Complete, and Verifiable example.
-
Steffen Ullrich about 5 years
@nebi: the code looks good so far but it is still unclear how the ca.crt you use relates to the certificate sent by the server. If this does not contain the CA which issued the server certificate or if there are intermediate CAs in between the CA and the server certificate which are neither provided by the server nor are contained in ca.crt then the validation will still fail. Also, the subject of the certificate should match the hostname of the URL.
-
nebi about 5 years
I have generated the certs like this, "openssl req -new -key ca.key -x509 -days 365 -out ca.crt" & "openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt". Should I provide all the commands?
-
Steffen Ullrich about 5 years
@nebi: it might be better if you provide actual sample certs generated by these commands so that one can reproduce the problem with these. Because, the same commands might still result in different certs depending on the configuration and OpenSSL version.
-
nebi about 5 years
Let us continue this discussion in chat.
-
None over 4 years
@Steffen Ullrich I have a related problem here but not using requests. Can you please help?
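
The checks named in the answer's EDIT and in the comments (issuing CA, colliding subjects, host name), as an added example that is not part of the original thread. It assumes the certificates are already decoded into the dict layout that `ssl.SSLSocket.getpeercert()` returns; `diagnose`, `common_names` and all sample values are constructed for illustration.

```python
# Added example: checks for the failure causes named in this thread.
# Certificates are dicts in the layout ssl.SSLSocket.getpeercert() returns.

def common_names(name):
    """Return the commonName values of a decoded subject/issuer name."""
    return [value for rdn in name for key, value in rdn if key == "commonName"]


def diagnose(server, ca, host):
    """Return a list of finding codes; an empty list means nothing was found."""
    findings = []
    # The CA passed to verify= must be the one that issued the server certificate.
    if server["issuer"] != ca["subject"]:
        findings.append("issuer-mismatch")
    # Two different certificates sharing one subject: the server certificate then
    # has issuer == subject and is taken for a self-signed certificate.
    if server["subject"] == ca["subject"] and server != ca:
        findings.append("same-subject")
    # The certificate must name the host used in the URL.
    # Exact match only; wildcard names are not handled here.
    sans = [v for k, v in server.get("subjectAltName", ())
            if k in ("DNS", "IP Address")]
    names = sans or common_names(server["subject"])
    if host.lower() not in (n.lower() for n in names):
        findings.append("name-mismatch")
    return findings


# Constructed sample data (not taken from the question's certificates).
SHARED = ((("commonName", "192.0.2.10"),),)
CA_NAME = ((("commonName", "Test Root CA"),),)

# CA and server created with the same subject, as described in the EDIT.
BROKEN_CA = {"subject": SHARED, "issuer": SHARED, "serialNumber": "01"}
BROKEN_SERVER = {"subject": SHARED, "issuer": SHARED, "serialNumber": "02"}

# CA with its own subject; server certificate names the host in a SAN entry.
FIXED_CA = {"subject": CA_NAME, "issuer": CA_NAME, "serialNumber": "01"}
FIXED_SERVER = {
    "subject": SHARED,
    "issuer": CA_NAME,
    "serialNumber": "02",
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

if __name__ == "__main__":
    print(diagnose(BROKEN_SERVER, BROKEN_CA, "192.0.2.10"))
    print(diagnose(FIXED_SERVER, FIXED_CA, "192.0.2.10"))
    print(diagnose(FIXED_SERVER, FIXED_CA, "server.example.test"))
```

For real files, `openssl x509 -noout -subject -issuer -in server.crt` prints the two names to compare against those of `ca.crt`.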