
CERTIFICATE_VERIFY_FAILED with python-requests 2.8.1 and curl, but works in browsers #2959

Closed
progval opened this issue Jan 5, 2016 · 2 comments


progval commented Jan 5, 2016

$ python3
Python 3.4.2 (default, Oct  8 2014, 10:45:20) 
[GCC 4.9.1] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get('https://irestos.nuonet.fr/generation.php?crous=21&resto=351&ext=xml')
Traceback (most recent call last):
  File "/home/progval/.local/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 559, in urlopen
    body=body, headers=headers)
  File "/home/progval/.local/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/home/progval/.local/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 782, in _validate_conn
    conn.connect()
  File "/home/progval/.local/lib/python3.4/site-packages/requests/packages/urllib3/connection.py", line 250, in connect
    ssl_version=resolved_ssl_version)
  File "/home/progval/.local/lib/python3.4/site-packages/requests/packages/urllib3/util/ssl_.py", line 285, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.4/ssl.py", line 364, in wrap_socket
    _context=self)
  File "/usr/lib/python3.4/ssl.py", line 577, in __init__
    self.do_handshake()
  File "/usr/lib/python3.4/ssl.py", line 804, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/progval/.local/lib/python3.4/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/home/progval/.local/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 588, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/progval/.local/lib/python3.4/site-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/home/progval/.local/lib/python3.4/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/home/progval/.local/lib/python3.4/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/progval/.local/lib/python3.4/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/home/progval/.local/lib/python3.4/site-packages/requests/adapters.py", line 433, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
>>> requests.__version__
'2.8.1'

curl and openssl's CLI have the same issue:

$ curl https://irestos.nuonet.fr/generation.php\?crous\=21\&resto\=351\&ext\=xml
curl: (60) SSL certificate problem: unable to get local issuer certificate
$ openssl s_client -connect irestos.nuonet.fr:443             
CONNECTED(00000003)
depth=0 C = FR, ST = Picardie, L = AMIENS, O = CROUS d'Amiens-Picardie, OU = CROUS, CN = irestos.nuonet.fr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, ST = Picardie, L = AMIENS, O = CROUS d'Amiens-Picardie, OU = CROUS, CN = irestos.nuonet.fr
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = FR, ST = Picardie, L = AMIENS, O = CROUS d'Amiens-Picardie, OU = CROUS, CN = irestos.nuonet.fr
verify error:num=21:unable to verify the first certificate
verify return:1

---
Certificate chain
 0 s:/C=FR/ST=Picardie/L=AMIENS/O=CROUS d'Amiens-Picardie/OU=CROUS/CN=irestos.nuonet.fr
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3

---
Server certificate
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----
subject=/C=FR/ST=Picardie/L=AMIENS/O=CROUS d'Amiens-Picardie/OU=CROUS/CN=irestos.nuonet.fr
issuer=/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3

---
No client certificate CA names sent

---
SSL handshake has read 2022 bytes and written 421 bytes

---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F603E70CBC9F7B2B5033280D6F72334EC63FA7F727464620B4790BA477556B25
    Session-ID-ctx: 
    Master-Key: C912001D02A8076AB864D9D51B2A056F76B49CD27B8A29EB7632EBA3EBB4124B1F908FAAF7CFE05028C51DAA07658762
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1451986602
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

---

But the same URL works fine with Firefox 43 and Chromium 47.0.2526.80.

System: Debian 8.2 (Jessie)

Member

Lukasa commented Jan 5, 2016

This is almost certainly because the site is not sending its intermediate certificates.

Generally, when configuring a site for TLS, the site author should ensure that the TLS handshake sends both the leaf certificate (the one valid for that site) and any intermediate certificates between the leaf and the root. This is because clients may not have an up to date list of all the intermediate certificates in the world, and it's generally unwise to assume that they do. This does cause problems in some browsers: for example, Firefox 43 on my Mac also fails to validate the certificate chain.

Are you able to contact the administrator of the server?
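The gap Lukasa describes is visible in the `Certificate chain` block of the `openssl s_client` output above: the server presents only certificate 0, whose issuer (TERENA SSL CA 3) is neither presented nor a root. The following is an added example, not code from the issue or from requests: it parses that block and walks the presented certificates towards a trusted root, reporting the issuer that is missing. The complete chain and the trust store are constructed, and the root name is a placeholder.

```python
import re
from typing import List, Set, Tuple
# Copied from the issue's `openssl s_client` output: only the leaf is sent.
INCOMPLETE_CHAIN = """\
---
Certificate chain
 0 s:/C=FR/ST=Picardie/L=AMIENS/O=CROUS d'Amiens-Picardie/OU=CROUS/CN=irestos.nuonet.fr
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
---
"""
# Constructed: the same output if the server also sent the intermediate. The
# root name is a placeholder, not the CA that really signed TERENA SSL CA 3.
COMPLETE_CHAIN = INCOMPLETE_CHAIN + (
    " 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3\n"
    "   i:/CN=Example Root CA (placeholder)\n"
)
# Constructed stand-in for the client's trust store: subjects of trusted roots.
TRUSTED_ROOTS: Set[str] = {"/CN=Example Root CA (placeholder)"}


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    certs, subject = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"^\s+i:(.*)$", line)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def check_chain(certs: List[Tuple[str, str]], roots: Set[str]) -> dict:
    # Walk leaf -> issuer using only presented certs; succeed at a trusted root.
    if not certs:
        return {"ok": False, "reason": "no certificate presented", "depth": 0}
    by_subject = dict(certs)
    subject, issuer = certs[0]
    seen, depth = {subject}, 1
    while True:
        if issuer in roots:
            return {"ok": True, "reason": "ends at trusted root", "depth": depth}
        if subject == issuer or issuer in seen:
            return {"ok": False, "reason": "untrusted self-signed or looping chain", "depth": depth}
        if issuer not in by_subject:  # what OpenSSL reports as error 20/21 in the issue
            return {"ok": False, "reason": "missing intermediate", "missing_issuer": issuer, "depth": depth}
        seen.add(issuer)
        subject, issuer = issuer, by_subject[issuer]
        depth += 1
```

On the client side, the workaround until the server is fixed is to hand requests a CA bundle that also contains the missing intermediate (`verify='/path/to/bundle.pem'`), not `verify=False`.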

Author

progval commented Jan 5, 2016

I will try. Thanks for the help.

(Closing the issue, as it is not a problem in requests)

@progval progval closed this as completed Jan 5, 2016
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 8, 2021