Openstack CLI throwing SSL error - python

I have installed Openstack CLI and when I try to use any command say
openstack server list
it is throwing the below error
Failed to discover available identity versions when contacting
https://44.128.19.51:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://44.128.19.51:5000/v3/auth/tokens:
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:765)
I tried setting the export OS_CACERT=/path/to/ca.crt, but it is not working.

You must provide a proper authorization url. Sometimes the port of the url can be wrong. Like in my case, the authorization url had port 1300 instead of 5000.
And have you sourced your RC file?
Other than for proper authorization url, proper CACERT path or proper authorization certificates it should show this error.

A long time has passed since the question, but if someone like myself faces the problem, enter the "OpenStack" command with the flag "--insecure".
Here's the related documentation.

Related

Python suds: Getting SSL: CERTIFICATE_VERIFY_FAILED error

I'm trying to request some data from a website using suds in Python. I'm getting urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)> while creating suds client. I do not get this error when I'm running the project locally but this issue happens when I try to deploy this project to a Linux host so that it can be automated.
One thing to note is that this Python code lies behind AppProxy so that it can connect to the internet. I have verified using a curl request that the remote host is able to connect to the website.
I'm new to SSL certificates and not so sure about this certificate issue. Do I need to install any server certificates on the host so that it can be verified by SSL validation? Any leads would be helpful. Thanks.

local issuer certificate error uniquely in docker with python

The following error occurs only with a Docker app in Python when making a request to an HTTPS URL.
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)>
Outside of docker, the app works. I can fetch the same URL inside the docker image of other language app such as dotnet.
I have tried:
RUN update-ca-certificates
Install the certifi library and manually supply the certificates when making the call
Manually insert the certificates that come with the certifi library in different locations of docker images such as /usr/local/share/ca-certificates/, /etc/ssl/certs/ and RUN update-ca-certificates
Tried different versions (3.6.9, 3.8.4) and providers (alpine, buster, slim-buster ) of python.
Setting different env variables such as REQUESTS_CA_BUNDLE, SSL_CERT_FILE etc.
Use different libraries such as requests, urllib, urllib3
.... and really large number of different things.
It of course works when I turn the verify off, but I want to keep verification.
I was having this issue in an ARM Ubuntu 20.04 container.
I installed ca-certificates and curl, but I still couldn't use curl. For me the fix ended up being adding the following before calling curl:
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
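An offline check of the CA variables named in the questions above (OS_CACERT, REQUESTS_CA_BUNDLE, SSL_CERT_FILE), so verification can stay enabled while the bundle path is fixed. This is an added example, not code from any of the posts; the function names and status strings are hypothetical, and it only counts PEM blocks without verifying any certificate.

```python
import os
import ssl

# Variables named in the questions above.
CA_VARS = ("OS_CACERT", "REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def inspect_bundle(path):
    """Classify a CA bundle path offline; counts PEM blocks, verifies nothing."""
    if os.path.isdir(path):
        return ("is-directory", 0)      # a file variable pointed at a directory
    if not os.path.isfile(path):
        return ("missing", 0)
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return ("unreadable", 0)
    begins, ends = text.count(BEGIN), text.count(END)
    if begins == 0:
        return ("no-certificates", 0)
    if begins != ends:
        return ("truncated", min(begins, ends))
    return ("ok", begins)


def audit_ca_settings(env=None):
    """Report what each CA variable points at, plus Python's own default file."""
    env = os.environ if env is None else env
    report = {}
    for name in CA_VARS:
        value = env.get(name)
        report[name] = ("unset", 0) if not value else inspect_bundle(value)
    # cafile is None when OpenSSL's default CA file does not exist on this host.
    default = ssl.get_default_verify_paths().cafile
    report["python-default"] = (
        ("unset", 0) if default is None else inspect_bundle(default))
    return report


if __name__ == "__main__":
    for name, (status, count) in audit_ca_settings().items():
        print(f"{name:20} {status:16} certs={count}")
```

A status of "ok" only means the file holds PEM certificate blocks; "unable to get local issuer certificate" can still occur if the issuing CA of the server's chain is not among them.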

SSL verification error in python

I am using the slackClient library to create a slack bot but I get ssl verification failed error when I use api.call() method of slack client. I was facing the same issue while using pip install but that got resolved by using --trusted-host. Is there some configuration in python required to access machine certs?
I have already imported the root cert into windows certificate manager and I am able to open the URL in browser securely without encountering message like "There is a problem with this website’s security certificate".
I do not want to disable the SSL verification
I referred to the answers given at
SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
but slack client library calls urllib3 internally and I am not able to specify ca-file for it.
Is there a way to resolve this issue and configure python to use machine certs directly?
The answer seems to be to downgrade websocket-client.
Try the following:
pip3 install websocket-client==0.47.0
Source: this comment on issue

Alternative method to find if APNS certification file is valid?

I'm having a problem developing a "provider" in APNS. My server is trying to send messages using apns-client, it seems there are no problems occurring while sending messages, but the device isn't receiving any messages at all.
Recently I've changed the *.pem file to a new one. Messages were properly received while using the previous *.pem file, so I'm sure that there are no problems at server connections and sending script (written in Python). The reason is, probably, because the old *.pem file is valid but the new *.pem file is not.
I strongly desire to have an "error" response from the APNS server if the *.pem file is invalid, but it seems that the APNS server or apns-client library isn't returning any error signals even if the *.pem file is invalid. I've proved this fact by adding one hundred 'a's to the line before -----END RSA PRIVATE KEY----- in *.pem, and running the same python script. Yes, it still didn't receive any error messages.
Since APNS server is returning no error messages, it's nearly impossible to check if the *.pem file is valid... Aren't there any methods to check if the *.pem file is valid?
Here's some troubleshooting info suggested by Apple:
Problems Connecting to the Push Service
One possibility is that your server is unable to connect to the push
service. This can mean that you don't have the certificate chain
needed for TLS/SSL to validate the connection to the service. In
addition to the SSL identity (certificate and associated private key)
created by Member Center, you should also install the Entrust CA
(2048) root certificate on your provider. This allows TLS/SSL to
verify the full APNs server cert chain. If you need to get this root
certificate, you can download it from Entrust's site. Also verify that
these identities are installed in the correct location for your
provider and that your provider has permission to read them.
You can test the TLS/SSL handshake using the OpenSSL s_client command,
like this:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert YourSSLCertAndPrivateKey.pem -debug -showcerts -CAfile server-ca-cert.pem
where server-ca-cert.pem is the Entrust CA (2048) root certificate.
Be sure the SSL identity and the hostname are the correct ones for the
push environment you're testing. You can configure your App ID in
Member Center separately for the sandbox and production environment,
and you will be issued a separate identity for each environment.
Using the sandbox SSL identity to try to connect to the production
environment will return an error like this:
CRITICAL | 14:48:40.304061 | Exception creating ssl connection to
Apple: [Errno 1] _ssl.c:480: error:14094414:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate revoked
To test your PRODUCTION cert, open Terminal and do this:
openssl s_client -connect gateway.push.apple.com:2195 -cert PushProdCer.pem -key PushProdKey.pem
I am not familiar with the python-client you are using but surely there is a way to simply attempt opening a connection with Apple's PNS servers and detecting whether that connection failed or not. If the connection fails, then something is wrong with the PEM file - either the format or the certificate values themselves.
If you want to get an error message that's a little more explicative than "pass or fail," I recommend you look into 3rd party shell scripts that can return some basic information about the PEM file. This thread contains a few sample scripts.
Of course, you can also check for some basic format validations that are widely available. I provided one such example here but there are others.
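A local structural check for the tampering described in the question (extra characters appended before the END line), as an added example that is not from the posts or from apns-client. All function names are hypothetical, and the sample block is constructed placeholder data, not a real key.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_sequence_exact(der):
    """True if der is one DER SEQUENCE whose declared length fills the buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short form: length in one byte
        header, body = 2, der[1]
    else:                                   # long form: next n bytes hold it
        n = der[1] & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def check_pem(text):
    """Return (label, problem) per PEM block; problem is None when it looks sane."""
    results = []
    for label, body in PEM_RE.findall(text):
        if "Proc-Type:" in body:            # legacy encrypted key: opaque payload
            results.append((label, "encrypted, structure not checked"))
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            results.append((label, "invalid base64"))
            continue
        problem = None if der_sequence_exact(der) else "DER length mismatch"
        results.append((label, problem))
    return results


def sample_pem(extra=""):
    """Constructed placeholder block (not a real key); extra goes on the last line."""
    der = b"\x30\x81\xc9" + bytes(201)      # SEQUENCE header + 201 zero bytes
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines[-1] += extra                      # mimics the 100 'a's in the question
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    print(check_pem(sample_pem()), check_pem(sample_pem("a" * 100)))
```

This catches only structural corruption. For a real identity file, `ssl.SSLContext.load_cert_chain()` additionally raises `ssl.SSLError` when the private key does not match the certificate.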

How to add client certificate using python mechanize

I am a client to a secured HTTPS server who has issued to me a password protected .pfx certificate to identify me to its system every time. Using a browser where I have installed the certificate (apparently only IE6 and previous versions work) I am able to log in and upload a file, which I need to do on a daily basis. Right now I am trying to write a Python script to do the same task and I am not sure if it is doable this way.
I am trying to use python mechanize library to connect to the server.
Using OpenSSL I have broken down the .pfx file into .key and .cer PEM files.
And I am using them as certificate for my python script.
Here is my code snippet
br = mechanize.Browser()
br.add_client_certificate(host,"I:/Key.key","I:/certificate.crt:")
Whatever I try, it throws various SSL exceptions, namely
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_PrivateKey_file
Can anyone please tell me what possibly I could be doing wrong or if at all this is not the right approach.
I was able to get rid of errors by ways described in this link.
It didn't solve my purpose though because the server I was trying to connect to is an IIS based server and it only accepts .pfx certificates.
