SSLCertVerificationError: certificate has expired #4159

Closed
3 tasks done
TDmig opened this issue May 30, 2020 · 45 comments

@TDmig

TDmig commented May 30, 2020

Today suddenly my bot can't be launched from Windows. As I see it, this problem is not in my code at all, so I am messaging here and Discord Support.

Traceback (most recent call last):
  File "...\lib\site-packages\aiohttp\connector.py", line 936, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)  # type: ignore  # noqa
  File "...\lib\asyncio\base_events.py", line 1050, in create_connection
    transport, protocol = await self._create_connection_transport(
  File "...\lib\asyncio\base_events.py", line 1080, in _create_connection_transport
    await waiter
  File "...\lib\asyncio\sslproto.py", line 529, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "...\lib\asyncio\sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "...\lib\ssl.py", line 944, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1108)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  ...
  File "...", line 46, in main
    client.run(t)
  File "...\lib\site-packages\discord\client.py", line 640, in run
    return future.result()
  File "...\lib\site-packages\discord\client.py", line 621, in runner
    await self.start(*args, **kwargs)
  File "...\lib\site-packages\discord\client.py", line 584, in start
    await self.login(*args, bot=bot)
  File "...\lib\site-packages\discord\client.py", line 442, in login
    await self.http.static_login(token.strip(), bot=bot)
  File "...\lib\site-packages\discord\http.py", line 261, in static_login
    data = await self.request(Route('GET', '/users/@me'))
  File "...\lib\site-packages\discord\http.py", line 165, in request
    async with self.__session.request(method, url, **kwargs) as r:
  File "...\lib\site-packages\aiohttp\client.py", line 1012, in __aenter__
    self._resp = await self._coro
  File "...\lib\site-packages\aiohttp\client.py", line 480, in _request
    conn = await self._connector.connect(
  File "...\lib\site-packages\aiohttp\connector.py", line 523, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "...\lib\site-packages\aiohttp\connector.py", line 858, in _create_connection
    _, proto = await self._create_direct_connection(
  File "...\lib\site-packages\aiohttp\connector.py", line 1004, in _create_direct_connection
    raise last_exc
  File "..\lib\site-packages\aiohttp\connector.py", line 980, in _create_direct_connection
    transp, proto = await self._wrap_create_connection(
  File "...\lib\site-packages\aiohttp\connector.py", line 938, in _wrap_create_connection
    raise ClientConnectorCertificateError(
aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host discordapp.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1108)')]

Checklist

  • I have searched the open issues for duplicates.
  • I have shown the entire traceback, if possible.
  • I have removed my token from display, if visible.

System Information

  • Python v3.8.2-final
  • discord.py v1.3.3-final
  • aiohttp v3.6.2
  • websockets v8.1
  • system info: Windows 8.1 6.3.9600

About

The problem with certification is probably on Discord's side, but discord.py still tries to access discordapp, so maybe that can be the problem. Also, I am looking for a solution.

Also, it is not only my issue. Here is a Stack Overflow question about it.

@Rapptz
Owner

Rapptz commented May 30, 2020

A root certificate expired today on the Windows chain. Chances are there'll be an update soon to fix it on Windows.

https://crt.sh/?id=1

@yunolawliet

yunolawliet commented May 30, 2020

Windows:

  1. Go to start, type internet explorer. Run as admin.
  2. Go to https://discord.com and click on the padlock icon.
  3. Click view certificates
  4. Click install certificates, choose either user or local machine.
  5. Click Place all certificates in the following store
  6. Choose Trusted Root Certification Authorities
  7. Enjoy.

@mikeshardmind
Contributor

Click Place all certificates in the following store
Choose Trusted Root Certification Authorities

Please don't recommend for users to manually add certs not issued with the intention of being used as a root CA as a trustable entity to the trusted root CA store. This will appear to fix the connection issue but has massive security implications beyond that. The trusted root authorities should not be modified in this way.

@Astraea0

I generally agree with the above, however I'd like to point out that Sectigo, the root Certificate Authority in this case, released 4 "modern" certificates that should be installed. You can find more information in their release about this expiration here: https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

In my case only 3 of the modern certs were installed and I was missing the COMODO ECC Certification Authority root cert. This just so happens to be the root of the cert issued by Cloudflare for Discord.com this morning. Per that link from Sectigo, I was able to obtain the certificate by going to https://crt.sh/?id=2835394. There is a small link on the left side of the page that says "Download Certificate: PEM". This is a site operated by Sectigo.

My guess is that either MS or Sectigo screwed up here and somehow this 1 of 4 certs did not get included into some kind of update. After installing this certificate I'm back up and running just fine.

@Richie-Moon

Has Windows released the update yet?

@Astraea0

Astraea0 commented Jun 4, 2020

Per Microsoft this root certificate should be included in Win10. Here's a page about the Microsoft Root Certificate Program: https://docs.microsoft.com/en-us/security/trusted-root/program-requirements

And here's a list of current participants (as of June 4th 2020): https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT

Note the inclusion of the certificate I was missing above with a Ctrl-F of "COMODO ECC Certification Authority". I'm not sure if this was just added or has been in Win10 for a while. I was certainly missing it.

EDIT: Per the release notes from 03/06/2019 here: https://docs.microsoft.com/en-us/security/trusted-root/mar2019
The friendly names of all of these certificates changed at that time. It doesn't say what they changed to but we can match up the SHA-1 hash from "COMODO \ 9F744E9F2B4DBAEC0F312C50B6563B8E2D93C311" on that page to the same one from this link: https://crt.sh/?id=2835394

So these certs have been around a while. I'm not sure why my machine was missing them as I'm running Win10 Enterprise Build 19041.264 and I ran a Windows update prior to researching any of this.

@SeregonPyblaiqual

Hello, I've got the same issue. I tried everything but nothing has worked. I finally solved it; I've removed old certificates and reloaded the bot. https://www.thesslstore.com/blog/how-to-remove-a-root-certificate/. If it can help someone...

@reinitd

reinitd commented Jun 6, 2020

Where do I save the certs?

@reinitd

reinitd commented Jun 6, 2020

I also found the old certificate that I'm pretty sure is causing the problem. "AddTrust External CA Root" What do I do with it?

@AbstractUmbra
Contributor

The method that has had success in the help channels is the following:

Download the required certificate manually: https://crt.sh/?id=2835394
The above link is provided by Sectigo.
This is where the actual download button is.

Once it has downloaded, double click it to install it. I believe installing it to the local computer and not the running user is the correct way to proceed, correct me if I am wrong there.

@furkanu

furkanu commented Jun 7, 2020

The method that has had success in the help channels is the following:

Download the required certificate manually: https://crt.sh/?id=2835394
The above link is provided by Sectigo.
This is where the actual download button is.

Once it has downloaded, double click it to install it. I believe installing it to the local computer and not the running user is the correct way to proceed, correct me if I am wrong there.

So, is it safe to apply this?
no security implications as @mikeshardmind mentioned?

@AbstractUmbra
Contributor

The certificate above comes from Sectigo themselves. You can run your own analysis of it if you like prior to installing. I can confirm this has fixed the issue for many users and afaik Windows has still not released an update to update their trust store.

@mikeshardmind
Contributor

no security implications as @mikeshardmind mentioned?

The security implications I mentioned were for just adding all the certs showing on a page as someone before me had suggested. There are still other security implications to adding the cert, but these are implications of trust. There is a potential break in a chain of trust here, use at your own risk as an informed decision. I can say that the cert as I saw on my machine was fine, but it is possible for a compromise to happen in delivering that, so verify. The other reason which I would not endorse one of these methods publicly on an issue like this is that most of the people with the issue will not verify, and just run something to fix it.
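
One way to do the verification asked for here, using the SHA-1 thumbprint that was matched earlier in the thread against Microsoft's release notes (an added example, not code from any participant or from discord.py). The embedded PEM is a constructed placeholder and the function names are illustrative; on Windows the last function also reports whether the root store already holds the certificate.

```python
import hashlib
import ssl
import sys

# SHA-1 thumbprint quoted in this thread from Microsoft's March 2019 release
# notes, matched there against https://crt.sh/?id=2835394.
EXPECTED_SHA1 = "9F744E9F2B4DBAEC0F312C50B6563B8E2D93C311"

# Constructed placeholder so the example runs offline. The base64 body is NOT
# a real certificate; paste the contents of the downloaded PEM file instead.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
"""


def normalize(fingerprint: str) -> str:
    """Strip the ':' and space separators certificate viewers add; upper-case."""
    return "".join(ch for ch in fingerprint if ch.isalnum()).upper()


def pem_fingerprints(pem_text: str) -> dict:
    """Hash the DER bytes of one PEM certificate, as thumbprints are defined."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def matches_expected(pem_text: str, expected_sha1: str = EXPECTED_SHA1) -> bool:
    """True only if the file's SHA-1 thumbprint equals the published one."""
    return pem_fingerprints(pem_text)["sha1"] == normalize(expected_sha1)


def windows_root_store_has(sha1_hex: str) -> bool:
    """Check whether the Windows ROOT system store already holds the certificate."""
    if sys.platform != "win32":
        raise OSError("ssl.enum_certificates() exists only on Windows")
    wanted = normalize(sha1_hex)
    for der, encoding, _trust in ssl.enum_certificates("ROOT"):
        if encoding == "x509_asn" and hashlib.sha1(der).hexdigest().upper() == wanted:
            return True
    return False


if __name__ == "__main__":
    print("Python is linked against", ssl.OPENSSL_VERSION)
    fps = pem_fingerprints(SAMPLE_PEM)
    print("SHA-1:  ", fps["sha1"])
    print("SHA-256:", fps["sha256"])
    # False for the placeholder; should print True for the real download.
    print("matches published thumbprint:", matches_expected(SAMPLE_PEM))
    if sys.platform == "win32":
        print("already in ROOT store:", windows_root_store_has(EXPECTED_SHA1))
```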

@Lutrome

Lutrome commented Jun 14, 2020

@mikeshardmind So what do you suggest we do? I'd rather not introduce this kind of potential security breach, but I'd also like to get my bot up ASAP.

@SeregonPyblaiqual

I can suggest that you remove all your old certificates (especially the one that discordapp.com uses [https://crt.sh/?id=1]) and try again... However, I don't know if it creates a security breach...

@AbstractUmbra
Contributor

There are no security implications if you use the specific certificate I linked earlier in this thread. Some common sense applies that you should not install anything you don't need / won't use, meaning just that one certificate should suffice.
Again as I stated before, this is from Sectigo themselves, so if/when Windows releases their Trust Store update, it's just going to download this exact certificate anyway.

As for the status on the pending update Windows still has to issue: no sign of it yet.

@metiuu

metiuu commented Jun 18, 2020

Hi,
I'm also having this issue. I tried to fix it by following the instructions here, but no luck so far. This is a wild guess, but is it possibly because Discord recently moved domains from discordapp.com to discord.com?

If that's the case, how do we alter the script so that our code connects to discord.com? I apologize if my question is stupid as I'm a student learning this on my own free time. Thank you!

@SeregonPyblaiqual

SeregonPyblaiqual commented Jun 18, 2020

The problem isn't this; it is because the certificate has expired... Did you try downloading the new certificate or removing the old one and going on discordapp.com on internet explorer?

@AbstractUmbra
Contributor

AbstractUmbra commented Jun 18, 2020 via email

@metiuu

metiuu commented Jun 18, 2020

The problem isn't this; it is because the certificate has expired... Did you try downloading the new certificate or removing the old one and going on discordapp.com on internet explorer?

Hi, it was my error. I installed the cert manually on the user and not the local machine. The issue is solved now and I can continue working on my self-study project. Sorry for the inconvenience and stupid question.

@kazuichisouda

Uh, I've also been experiencing this problem, but the links provided don't seem to load and Internet Explorer doesn't work on my computer. If I try and run it, it's just all white and then crashes.

@Rapptz
Owner

Rapptz commented Jun 27, 2020

I believe the core issue is based off of OpenSSL versions being distributed with Python which is why only a minority of people have this issue. If OpenSSL is above 1.1.0 then this should not be happening. However I'm unsure how OpenSSL versions are bundled on Windows distributions to cause such discrepancies. For now, I'll close this issue since there are numerous workarounds provided.

Rapptz closed this as completed Jun 27, 2020

@Wingfooted

I am having a similar problem, it is not the #423 one, but this one. I don't see a fix for Mac and all the advice so far is for windows. Any help?

Thanks in advance.

@bijij
Contributor

bijij commented Sep 29, 2020

I am having a similar problem, it is not the #423 one, but this one. I don't see a fix for Mac and all the advice so far is for windows. Any help?

If you're on macOS you'll want to go into the python 3.x folder in your Applications and double click Install Certificates.command

@arnavsiva

Windows:

  1. Go to start, type internet explorer. Run as admin.
  2. Go to https://discord.com and click on the padlock icon.
  3. Click view certificates
  4. Click install certificates, choose either user or local machine.
  5. Click Place all certificates in the following store
  6. Choose Trusted Root Certification Authorities
  7. Enjoy.

It still didn't work, does anyone know why?

@Kle0s

Kle0s commented Oct 16, 2020

Windows:

  1. Go to start, type internet explorer. Run as admin.
  2. Go to https://discord.com and click on the padlock icon.
  3. Click view certificates
  4. Click install certificates, choose either user or local machine.
  5. Click Place all certificates in the following store
  6. Choose Trusted Root Certification Authorities
  7. Enjoy.

It still didn't work, does anyone know why?

After working on it for a few hours, here's what I came up with:

  1. go to this link: https://crt.sh/?id=2835394&opt=cablint,zlint
  2. click on the PEM (next to download certificate).
  3. install the certificate (I did it for current user, but you might as well do it for local machine)

This fixed it for me, hope it will help everyone still looking for a solution :)

@flowl

flowl commented Oct 18, 2020

I am pretty sure this all is due to misconfiguration of the infrastructure on discord side (intermediate certificate not always present in the chain or something like that), because even the discord app itself is throwing certificate errors every day which are resolved after restarting discord.

@gogurtenjoyer

Hi,
Your posted traceback is actually from MacOS, not Ubuntu Server ... in addition, your error is not the same as that of this (closed) issue. On MacOS, you'll find a script called 'Install Certificates.command' in your Python folder in Applications - have you run this?

@cedrick7

If you're using macOS go to Macintosh HD > Applications > Python3.X folder (X = whatever version of python you're using) > double click on "Install Certificates.command" and the issue went away!

@Akanate

Akanate commented Nov 21, 2020

I'm using Ubuntu and I'm getting this exact error. This install script that everyone keeps mentioning doesn't work at all for me. Any help would be massively appreciated.

@MIvanchev

MIvanchev commented Dec 3, 2020

Here is a solution which doesn't compromise the security of the entire system, but is of course a TOTAL HACK and I hereby inform you that you alone bear the full responsibility for any damage that occurs from using it. It basically tells your bot to not use the certificates known to your OS but instead others which you download manually.

  1. Open https://discord.com/ in Firefox, Chrome or whatever other browser. Download the whole certificate chain (PEM file). It's important that you get the whole chain. You can also use curl.

  2. You'll need to modify the source of the discord.py module so I recommend to install it in the virtual environment of your bot (through pipenv) so your main Python installation is unaffected. But it doesn't really matter because you use the module only for your bots.

  3. Open the file http.py of the module.

  4. Add import ssl to the beginning of the file.

  5. Add the following line to HTTPClient.__init__ method, the position is not relevant, I added it right after self.use_clock = not unsync_clock:

     self.ssl_ctx = ssl.create_default_context(cafile='<full path to the downloaded PEM file>')

  6. Insert the line:

     kwargs['ssl'] = self.ssl_ctx

     before each of the source lines:

     https://github.com/Rapptz/discord.py/blob/master/discord/http.py#L132
     https://github.com/Rapptz/discord.py/blob/master/discord/http.py#L185

  7. Run your bot.

  8. If the chain is not enough, you can download the whole CRT file of Firefox (https://curl.se/docs/caextract.html) and try that instead of the PEM file.

@CSAapps

CSAapps commented Jan 6, 2021

https://stackoverflow.com/a/62104752/13396193 this method solved my problem

@flowl

flowl commented Jan 6, 2021

The certificate problems appeared only temporarily for me and should have been resolved a long time ago.
If you have a normal Windows, Linux or macOS system with UPDATES enabled, this problem should no longer appear for you.
Instead of hacking into the discord client or manually installing certificates, properly update your core system and you will have no problems with certificates.

@XxMicrowavexX

https://stackoverflow.com/a/62104752/13396193 this method solved my problem

is there a macos version

also the Install certificate.command has no impact on the system

@ghost

ghost commented Mar 30, 2021

Windows:

  1. Go to start, type internet explorer. Run as admin.
  2. Go to https://discord.com and click on the padlock icon.
  3. Click view certificates
  4. Click install certificates, choose either user or local machine.
  5. Click Place all certificates in the following store
  6. Choose Trusted Root Certification Authorities
  7. Enjoy.

how does this work on Mac?

@SebbyLaw
Contributor

Please stop necrobumping this issue.

If your issue is the same as the one outlined above: Cannot connect to host discordapp.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1108)')] the solutions have already been posted in this thread.

Windows: #4159 (comment)
Mac: #4159 (comment)

@XxMicrowavexX

Cannot connect to host discord.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL:CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')]
this is my error

@XxMicrowavexX

https://stackoverflow.com/a/62104752/13396193 this method solved my problem

is there a macos version

also the Install certificate.command has no impact on the system

Sorry, I meant Install certificate gives me an error

@flowl

flowl commented Apr 19, 2021

It doesn't make sense having to download a public key/cert that is already in every keystore. When the certificate is expired, Discord officials need to renew or get rid of the outdated cert. I am unsubscribing from this thread as there are no new questions or answers other than from people with badly configured computers.

Repository owner locked as resolved and limited conversation to collaborators Apr 19, 2021