I'm trying to connect to a website that uses unofficial CA via https. For some reason it works with curl but not with python requests.
See the example below
Python 3.8.0 (default, Oct 30 2019, 11:47:54)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.9.0 -- An enhanced Interactive Python. Type '?' for help.
In [1]: import requests
In [2]: requests.__version__
Out[2]: '2.22.0'
In [3]: cert = "..."
In [4]: url = "..."
In [5]: !curl --cacert {cert} {url}
{"status":200}
In [6]: requests.get(url,verify=cert)
---------------------------------------------------------------------------
SSLCertVerificationError Traceback (most recent call last)
...
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)
During handling of the above exception, another exception occurred:
MaxRetryError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
During handling of the above exception, another exception occurred:
SSLError Traceback (most recent call last)
...
SSLError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
What am I doing wrong? Why is it behaving differently?
--EDIT--
curl is using this cert for sure, without it curl fails
In [9]: !curl {url}
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
...
In [10]:
... it's an intermediate CA
Having only the intermediate CA in the trust store is not sufficient for validation of the certificate, at least not with the current versions of Python. This feature would require the use of the OpenSSL flag X509_V_FLAG_PARTIAL_CHAIN for verification, which is neither currently exposed by Python nor set by default.
Contrary to this curl sets this flag by default in newer versions and thus works.
Related
I have a pypi server, TLS server cert signed by self signed CA.
I added it as a source (default, secondary = false) to my toml file using
poetry source add mypypiserver https://server.url/
I added the CA cert using
poetry config certificates.mypypiserver.cert /path/to/ca.crt
When attempting to add external packages from pypi, such as matplotlib, even if I specify the source as pypi, I get an SSLError.
poetry add --source pypi matplotlib
Verbose logging tells me it tries to access /python-dateutil/ which results in a 303 redirect to https://pypi.org/simple/python-dateutil/.
Errors:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/python-dateutil/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
I suspect this is because the certificate of pypi.org does not match the self signed CA certificate.
How can this be resolved?
When running:
import requests
requests.get("https://github.com")
I get the following error:
Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
If however i run the same command in iPython the command runs with no error.
I also checked the path to the certificate for both the notebook and iPython with:
requests.certs.where()
And the path is the same for both.
I would really appreciate any help!
I am trying to scrape data from a url using beautifulsoup. Below is my code
import requests
URL = "https://bigdataldn.com/speakers/"
page = requests.get(URL)
print(page.text)
However I am getting the following error when I run the code in google colab.
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)
During handling of the above exception, another exception occurred:
MaxRetryError Traceback (most recent call last)
MaxRetryError: HTTPSConnectionPool(host='bigdataldn.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))
The above code works fine for other urls.
Can someone help me figure out how to solve this issue.
It's not your fault - their certificate chain is not properly configured. What you can do is disabling the certificate verification (you should not do this when you're handling sensitive information!) but it might be fine for a webscraper.
page = requests.get(URL, verify=False)
enter image description here
Your SSL certificate is not installed properly , you can follow godaddy ssl install instruction maybe its helpfull .
https://in.godaddy.com/help/install-my-ssl-certificate-16623?sp_hp=B&xpmst=A&xpcarveout=B
I am using the ktrain package in jupyter with code supplied from this notebook. I get an error at the line qa = text.SimpleQA(INDEXDIR). The error is long but a shortened version is as follows:
HTTPSConnectionPool(host='huggingface.co', port=443): Max retries exceeded with url: /bert-large-uncased-whole-word-masking-finetuned-squad/resolve/main/config.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
HTTPSConnectionPool(host='huggingface.co', port=443): Max retries exceeded with url: /bert-large-uncased-whole-word-masking-finetuned-squad/resolve/main/config.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))
OSError: Can't load config for 'bert-large-uncased-whole-word-masking-finetuned-squad'. Make sure that:
- 'bert-large-uncased-whole-word-masking-finetuned-squad' is a correct model identifier listed on 'https://huggingface.co/models'
- or 'bert-large-uncased-whole-word-masking-finetuned-squad' is the correct path to a directory containing a config.json file
I can access https://huggingface.co/bert-large-uncased-whole-word-masking-finetuned-squad/resolve/main/config.json on my browser. I'm quite at a loss for what to do - my coding skills are minimal at best so any and all suggestions would be much appreciated.
My guess is that your corporate intranet is inserting a "man in the middle" on all https traffic. I'm guessing the following will give you the same error right now:
import requests
requests.get('https://www.huggingface.co')
If you get a CA certificate bundle from your IT department and you are on Windows, you can try this:
import os
os.environ['REQUESTS_CA_BUNDLE'] = 'path/to/certificates_ca_bundle.crt'
qa = text.SimpleQA(INDEXDIR)
If on Linux, install the certificates using these instructions.
I'm attempting to test Tavern in our test environment. Of course, there is an invalid SSL Certificate in the test environment and this is preventing Tavern from completing a test.
The error message reads:
SSLError: HTTPSConnectionPool(host='url-to-host' port=443): Max
retires exceed with url: /folders/in/url (Caused by
SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed (_ssl.c:726)'))
Is there a way to disable SSL Certificate Validation in Tavern so I can continue in our test environment?
I've just had the same issue. You can add
verify: false
to your request yaml.