Having trouble with SSL verification #4247
Comments
So there are a number of issues here, but the core problem is that your server is not sending a TLS cert chain that makes any sense at all. From your OpenSSL output, the server is sending two certs:
The way the cert chain is supposed to work is that you send all the certificates needed to build the trust chain except for the root: that is, you send the leaf, the intermediate that issued the leaf, the intermediate that issued that intermediate, and so on, ending with the intermediate that was issued by the root. Your cert chain does not do that. It sends only two certs, and the second appears to be totally unrelated to the first! It certainly didn't issue it. Either an intermediate is missing (that should go between the two certs your server sent), or you are sending a chain for a different certificate. Either way, adding the missing intermediate to the trust store should fix the problem. As should fixing the server so it sends the right cert! 😉
Thank you!
Preface: I have a feeling that this isn't an issue with requests itself, but it did come up while I was using it, so I was hoping that you could offer some insight. This issue might even be the same one that hellt had in #3212, but there are a few differences that made me uncertain whether that is actually the case. My apologies if it's a duplicate.
The error in question:
Looking at the Apache config, an SSLCertificateFile, an SSLCertificateKeyFile, and an SSLCertificateChainFile are specified. The above uses the SSLCertificateChainFile (DigiCertCA.crt) in the verify parameter, though both True and the SSLCertificateFile throw the same exact error. I tried appending those two files to a copy of the file given by certifi.where() (named cacert.pem) as seems to be suggested in the linked issue, but it also throws the same error.
Versions:
This is the result of running openssl s_client -connect my_host:443 -showcerts -servername my_host. HOWEVER, I later ran openssl version and got OpenSSL 0.9.8za 5 Jun 2014; this isn't the version Python is using:
But specifying -CAfile with the SSLCertificateFile, DigiCertCA.crt, or cacert.pem returns '0 (ok)':
Now for the output of the OpenSSL version that Python is actually using:
(One difference I noticed was "Server Temp Key: DH, 1024 bits")
The reason I included the outputs of both versions of openssl is because the version Python is using always seems to return 21, even when -CAfile is specified.
I tried compiling Python with the other version of OpenSSL, but ran into issues, so I figured I should ask if that has a good chance of fixing my problem before continuing.
Expected Result
A GET request should be made and retrieve some data. This does work with verify=False.
Actual Result
Request seems to fail verifying the certificate.
System Information
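Putting the two halves of this thread together (the chain-building rule in the maintainer's reply and the openssl s_client / -CAfile checks in the report), here is an added example, not code from the requests project or from either participant. It builds a throwaway root, intermediate and leaf with the openssl CLI, checks whether a leaf-first PEM bundle actually links up certificate by certificate (the check the reply does by eye), and then shows openssl verify failing when the intermediate is absent and passing once the intermediate is either served alongside the leaf or added to the trust store. The CA names, the host name my_host and the directory layout are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the requests project or the issue author): builds a
# throwaway root -> intermediate -> leaf PKI with the openssl CLI, then shows
# (a) how to check that a served chain links up, cert by cert, and
# (b) how verification fails when the intermediate is missing and succeeds
#     once it is served or added to the trust store.
# All names (Example Root CA, Example Intermediate CA, my_host) are constructed.
set -e

# Generate root, intermediate and leaf into directory $1.
build_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed root; the default openssl.cnf v3_ca section (or OpenSSL 3's
  # -x509 default) marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate CA, issued by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/int.ext"
  openssl x509 -req -days 30 -in "$dir/int.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/int.ext" -out "$dir/int.pem" >/dev/null 2>&1
  # Leaf (server) certificate, issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=my_host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my_host\n' > "$dir/leaf.ext"
  openssl x509 -req -days 30 -in "$dir/leaf.csr" \
    -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Print the subject or issuer ($3) of the $1-th certificate (0-based) in the
# PEM bundle $2. Raw `openssl s_client -showcerts` output works as input too,
# because the x509 command skips the non-PEM lines around each block.
cert_field() {
  awk -v n="$1" '/BEGIN CERTIFICATE/ { c++ } c == n + 1' "$2" \
    | openssl x509 -noout -"$3" | sed "s/^$3=//"
}

# Check that each certificate in a leaf-first bundle was issued by the next
# one, which is what a correctly built chain looks like. Comparing the printed
# names as strings is a simplification of X.509 name matching, but it is
# enough to spot an unrelated certificate. Returns 1 at the first break.
chain_links() {
  bundle="$1"
  count=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  i=0
  while [ "$i" -lt $((count - 1)) ]; do
    issuer=$(cert_field "$i" "$bundle" issuer)
    next_subject=$(cert_field $((i + 1)) "$bundle" subject)
    if [ "$issuer" != "$next_subject" ]; then
      echo "chain breaks after cert $i: issued by '$issuer', next cert is '$next_subject'"
      return 1
    fi
    i=$((i + 1))
  done
  return 0
}

# Verify leaf $2 against trust store $1, optionally with an untrusted chain
# file $3 standing in for the intermediates a server would send. Decided on
# the ": OK" line rather than the exit status, which old openssl releases did
# not set on failure.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  fi
}

# Stand-alone demo: the "served" bundle skips the intermediate, which is the
# shape of the problem described in the issue.
demo() {
  d=$(mktemp -d)
  build_pki "$d"
  cat "$d/leaf.pem" "$d/root.pem" > "$d/served.pem"
  chain_links "$d/served.pem" || true
  verify_chain "$d/root.pem" "$d/leaf.pem" || echo "leaf alone against root: FAIL"
  verify_chain "$d/root.pem" "$d/leaf.pem" "$d/int.pem" && echo "served intermediate: OK"
  cat "$d/root.pem" "$d/int.pem" > "$d/store.pem"
  verify_chain "$d/store.pem" "$d/leaf.pem" && echo "intermediate in trust store: OK"
  rm -rf "$d"
}
demo
```

To apply this to a real server, save the output of openssl s_client -connect host:443 -showcerts -servername host to a file and pass it to chain_links; a break after cert 0 is exactly the "second cert is unrelated to the first" symptom. The -untrusted argument to openssl verify mirrors what a TLS client does with the certificates the server sends, so verify_chain with and without it distinguishes "the chain is fine but my store lacks the root" from "the server is not sending the intermediate". Since Python links its own OpenSSL, check which one requests is really using with python -c "import ssl; print(ssl.OPENSSL_VERSION)" before comparing results with the system openssl binary.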