I have created a Python application and am packaging it with PyInstaller. On my own computer, I have configured my own trust store CA bundle to include my company's proxy based on Self-Signed Certificate Authorities pip / conda but I don't understand how to bring that into the PyInstaller executable so it works on other people's computers who have not configured their own trust store CA bundle.
The error I get is [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain
I am using PyInstaller 5.7.0 (with --onefile option), certifi 2022.12.7, and Python 3.8. This is primarily a dash application (2.7.1). First, the user selects a ZIPcode and I use uszipcode (version 0.2.6) to get information on that ZIPcode. That is where the error first occurs.
The application runs correctly when disconnected from the VPN. When I generate the executable, I use the --add-data flag to include cacert.pem from the certifi Python package. I tried manually adding my company's cert to the cacert.pem but it will get overwritten if I update certifi.
Where should I add in my company's SSL certificate so users don't have to disconnect from the VPN to use the application?
I am running a localhost application on flask. I created a self signed certificate and imported it to the trusted root certification authorities in google chrome. Below are images showing after effect of trusting these certificates. However, whenever i browse to the localhost site, i am still met with the not secure tag.
I am running python 3.9.1 I have some Django Admin Actions which create and then download some PDFs. When running this on my local machine (Windows 10) I have recently started getting the following error message:
SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1123)
Any ideas on how I can deal with this? The Django app works perfectly on the server, the problem is only on my local host.
In my case, I was interacting with IoT (Internet of Things) device APIs and had a LetsEncrypt certificate that expired. I downloaded the new LetsEncrypt cert at: https://valid-isrgrootx1.letsencrypt.org/
More explanation:
My error occurred on a Windows Python client requesting API information from an IoT web server. I determined which client certificate was expired by viewing existing certificates dates in Windows:
Open Powershell as admin, then: Get-Childitem cert:\LocalMachine\root |format-list
The expired cert was owned by LetsEncrypt. More information about the expired cert: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/.
In my case, the LetsEncrypt root certificate expired at the end of September and was replaced with the newer cert going forward. To implement the new cert, visit any webpage that uses that certificate from your failing client. In the case of LetsEncrypt, visit their cert demo page at: https://valid-isrgrootx1.letsencrypt.org/, and your certificate store will update automatically.
I am trying to connect to S3 using boto, but it seems to fail. I've tried some workarounds, but they don't seem to work. Can anyone please help me with this. Below is the code.
import boto
if not boto.config.has_section('Credentials'):
boto.config.add_section('Credentials')
boto.config.set('Credentials', 'aws_access_key_id', AWS_KEY)
boto.config.set('Credentials', 'aws_secret_access_key', AWS_SECRET_KEY)
if not boto.config.has_section('Boto'):
boto.config.add_section('Boto')
boto.config.set('Boto', 'https_validate_certificates', 'False')
boto.config.add_section('aws info')
boto.config.set('aws info','aws_validate_certs','False')
s3 = boto.connect_s3(validate_certs=False)
bucket = s3.get_bucket(Bucket_NAME)
Probably your bucket name contains a dot, that's why ssl certificate verification fails. This is quite a frequent problem, see this github issue for example.
Don't use an insecure connection (is_secure=False), instead use OrdinaryCallingFormat:
import boto
conn = boto.s3.connect_to_region('eu-west-1', calling_format=boto.s3.connection.OrdinaryCallingFormat())
bucket = conn.get_bucket(your_bucket)
You probably need to update your AWS Region, e.g. us-east-1
In boto3, if you are using the s3 client, use verify=False when creating the s3 client.
For eg:
s3 = boto3.client('s3', verify=False)
As mentioned on boto3 documentation, this only turns off validation of SSL certificates. SSL will still be used (unless use_ssl is False), but SSL certificates will not be verified.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html
I found a way,
used is_secure=False in connect_s3().
I encounter this problem, too. My environment is Ubuntu 15.04, Python 2.7.9 and Boto 2.38.0.
Setting the argument validate_certs=False doesn't make it work with the HTTPS connection without valid certificate. After reading the code of boto, I found that it's a behavior of Python's ssl modules. Then I found a solution here: "SSL: CERTIFICATE_VERIFY_FAILED" Error. And the solution does work!!!.
add verify=False
boto3.resource(
"s3",
endpoint_url=<URL>,
aws_access_key_id=<ID>,
aws_secret_access_key=<Key>,
verify=False
)
macOS users: If you are using the Python 3.6 from the python.org
binary installer linked on this page, please carefully read the
Important Information displayed during installation; this information
is also available after installation by clicking on
/Applications/Python 3.6/ReadMe.rtf. There is important information
there about changes in the 3.6.0 installer-supplied Python,
particularly with regard to SSL certificate validation.
https://www.python.org/downloads/release/python-360/
From ReadMe.rtf at the time of this writing:
Certificate verification and OpenSSL
NEW This variant of Python 3.6 now includes its own private copy of OpenSSL 1.0.2. Unlike previous releases, the deprecated
Apple-supplied OpenSSL libraries are no longer used. This also means
that the trust certificates in system and user keychains managed by
the Keychain Access application and the security command line utility
are no longer used as defaults by the Python ssl module. For 3.6.0, a
sample command script is included in /Applications/Python 3.6 to
install a curated bundle of default root certificates from the
third-party certifi package (https://pypi.python.org/pypi/certifi).
If you choose to use certifi, you should consider subscribing to the
project's email update service to be notified when the certificate
bundle is updated.
The bundled pip included with the Python 3.6 installer has its own
default certificate store for verifying download connections.
Office laptops usually have network monitors installed. Figured out that it was the network monitoring software interfering with python, not letting it verify ssl certs of aws. We had to import its's cert(got from office) onto python's cacert.pem file, then it started working fine.
I'm having problem developing a "provider" in APNS. My server is trying to send messages using apns-client, it seems there are no problems occuring while sending messages, but the device isn't receiving any messages at all.
Recently I've changed the *.pem file to a new one. Messages were properly received while using the previous *.pem file, so I'm sure that there are no problems at server connections and sending script (written in Python). The reason is, probably, because the old *.pem file is valid but the new *.pem file is not.
I strongly desire to have an "error" response from the APNS server if the *.pem file is invalid, but it seems that the APNS server or apns-client library isn't returning any error signals even if *.pem file is invalid. I've proved this fact by adding one hundred 'a's to the line before before -----END RSA PRIVATE KEY----- in *.pem, and running the same python script. Yes, it still didn't receive any error messages.
Since APNS server is returning no error messages, it's nearly impossible to check if the *.pem file is valid... Aren't there any methods to check if the *.pem file is valid?
Here's some troubleshooting info suggested by Apple:
Problems Connecting to the Push Service
One possibility is that your server is unable to connect to the push
service. This can mean that you don't have the certificate chain
needed for TLS/SSL to validate the connection to the service. In
addition to the SSL identity (certificate and associated private key)
created by Member Center, you should also install the Entrust CA
(2048) root certificate on your provider. This allows TLS/SSL to
verify the full APNs server cert chain. If you need to get this root
certificate, you can download it from Entrust's site. Also verify that
these identities are installed in the correct location for your
provider and that your provider has permission to read them.
You can test the TLS/SSL handshake using the OpenSSL s_client command,
like this:
$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert
YourSSLCertAndPrivateKey.pem -debug -showcerts -CAfile
server-ca-cert.pem
where server-ca-cert.pem is the Entrust CA (2048) root certificate.
Be sure the SSL identity and the hostname are the correct ones for the
push environment you're testing. You can configure your App ID in
Member Center separately for the sandbox and production environment,
and you will be issued a separate identity for each environment.
Using the sandbox SSL identity to try to connect to the production
environment will return an error like this:
CRITICAL | 14:48:40.304061 | Exception creating ssl connection to
Apple: [Errno 1] _ssl.c:480: error:14094414:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate revoked
To test you PRODUCTION cert, open Terminal and do this:
openssl s_client -connect gateway.push.apple.com:2195 -cert PushProdCer.pem -key PushProdKey.pem
I am not familiar with the python-client you are using but surely there is a way to simply attempt opening a connection with Apple's PNS servers and detecting whether that connection failed or not. If the connection fails, then something is wrong with the PEM file - either the format or the certificate values themselves.
If you want to get an error message that's a little more explicative than "pass or fail," I recommend you look into 3rd party shell scripts that can return some basic information about the PEM file. This thread contains a few sample scripts.
Of course, you can also check for some basic format validations that are widely available. I provided one such example here but there are others.