Python requests SSL error - certificate verify failed


Solution 1

As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:

"This server's certificate chain is incomplete. Grade capped to B."

This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA into a file my_trust_store.pem and then you can call:

    requests.get("https://...", verify='my_trust_store.pem')

"... but I've tried downloading the site's certificate and pointing to that file using the verify option"

This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL, and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify), and a server certificate is not a CA certificate, it will not help to add it to the trust store.

Solution 2

    cat institution-certificate.pem >> venv/lib/python3.9/site-packages/certifi/cacert.pem

This should solve the problem if your network requires a CA.
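Added example, not part of either answer above: one way to produce a file like my_trust_store.pem from Solution 1 without appending to certifi's cacert.pem in place as in Solution 2. The function names and the de-duplication by DER fingerprint are choices made for this example, and the input files are assumed to contain only CA certificates (the intermediate and root named above, or an institution's CA).

```python
import hashlib
import re
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def split_pem(text):
    """Return every certificate block in a PEM bundle, skipping comment lines."""
    return PEM_BLOCK.findall(text)

def fingerprint(pem_block):
    """SHA-256 of the DER bytes, so re-wrapped copies of one cert compare equal."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()

def build_trust_store(base_bundle, extra_pems, out_path):
    """Write the base CAs plus any new CA certs to out_path; return how many were added.

    The base bundle (for example the path returned by certifi.where()) is only
    read, never modified, so upgrading the package does not discard the extras.
    """
    blocks = split_pem(Path(base_bundle).read_text(encoding="utf-8"))
    seen = {fingerprint(b) for b in blocks}
    added = 0
    for path in extra_pems:
        for block in split_pem(Path(path).read_text(encoding="utf-8")):
            fp = fingerprint(block)
            if fp not in seen:  # skip CAs the base bundle already trusts
                seen.add(fp)
                blocks.append(block)
                added += 1
    Path(out_path).write_text("\n".join(blocks) + "\n", encoding="utf-8")
    return added

if __name__ == "__main__":
    import sys
    # Usage (file names are placeholders chosen for this example):
    #   python build_store.py base.pem my_trust_store.pem extra1.pem extra2.pem
    base, out, *extras = sys.argv[1:]
    print(build_trust_store(base, extras, out), "certificate(s) added to", out)
```

The resulting file can be passed as verify='my_trust_store.pem', or set once for the process through the REQUESTS_CA_BUNDLE environment variable. Because it is a snapshot of the base bundle, rebuild it after the base bundle is updated.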

Author by

Oliver

Updated on March 10, 2022

Comments

  • Oliver about 2 years

    This code

    import requests
    requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")
    

    is giving me this error

    [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)
    

    I know practically nothing about SSL, but I've tried downloading the site's certificate and pointing to that file using the verify option, but it hasn't worked. Am I missing something?

  • Klaus D. over 6 years
    If you want to get additional information from the asker, please use the comments. Answers which are just a shot into the blue might get downvoted.
  • Steffen Ullrich over 6 years
    This simply disables any kind of certificate validation. This should only be used for testing but never in production since it opens the application to man in the middle attacks.
  • Elliott Beach almost 5 years
    Good enough for home scripting IMO. Good answer
  • user85461 about 4 years
    From the SSLLabs report, you can download the complete certificate chain with intermediates and root. Click "Click here to expand" under "Certification Paths", and then click the faint download icon next to the path whose chain you'd like to download. Save this as a .pem file, and its path can be used as the argument to verify=.
  • mightyandweakcoder about 2 years
    Good answer for self experimentation, but I would suggest adding a warning/disclaimer in your answer.
  • Reeshabh Ranjan almost 2 years
    The last paragraph helped me solve the error finally. Thank you for mentioning it.