I'm trying to use imaplib.IMAP4_SSL function but I'm stuck with this error:
[Errno 336265225] _ssl.c:356: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
try:
mail = imaplib.IMAP4_SSL(host='imap.gmail.com', port="993", certfile="certIMAP.pem")
except Exception as e:
print e
sys.exit()
The certificate has been downloaded with:
echo | openssl s_client -connect imap.gmail.com:993 2>/dev/null | openssl x509 > certIMAP.pem
Permission on the file are ok.
If I use the keyfile option, they ask me the cert, and then the same error is obtained.
I could not find example for this function with cert specification.
Thank you.
While it is not obvious from the documentation I would suggest that the parameters certfile and keyfile are not used to verify the servers certificate (that's how you use it - and keyfile would not make any sense here) but are the optional certificate for the client and it's private key, which some server might require to identify the client (e.g. instead or additionally to password).
To verify the server you usually have something called CA file or CA path (CA = certificate agency) and you don't need a private key here. There seem to be no obvious way for given the CA certificates here, but Certificate Authority for imaplib and poplib python might help you with this.
Related
This code
import requests
requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")
is giving me this error
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)
I know practically nothing about SSL, but I've tried downloading the site's certificate and pointing to that file using the verify option, but it hasn't worked. Am I missing something?
As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:
This server's certificate chain is incomplete. Grade capped to B.
This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA info a file my_trust_store.pem and then you can call:
requests.get("https://...", verify='my_trust_store.pem')
... but I've tried downloading the site's certificate and pointing to that file using the verify option
This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify) and a server certificate is not CA certificate it will not help to add it to the trust store.
cat institution-certificate.pem >> venv/lib/python3.9/site-packages/certifi/cacert.pem
This should solve the problem if your network requires a CA
using the certifi doesn't seem to be implied, so i'll show you what made my solution:
import urllib, urllib2, ssl
import certifi
request = urllib2.Request(url=url)
kw = dict()
if url.startswith('https://'):
certifi_context = ssl.create_default_context(cafile=certifi.where())
kw.update(context=certifi_context)
urllib2.urlopen(request, **kw)
i found this solution and more on RealPython, here
If you can avoid the certificate verification (not secure), set PYTHONHTTPSVERIFY environment variable to 0:
export PYTHONHTTPSVERIFY=0
This will skip the certificate verification.
import requests
html = requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx",verify=False).text
You should write it like this, and I've verified it
This code
import requests
requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")
is giving me this error
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)
I know practically nothing about SSL, but I've tried downloading the site's certificate and pointing to that file using the verify option, but it hasn't worked. Am I missing something?
As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:
This server's certificate chain is incomplete. Grade capped to B.
This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA info a file my_trust_store.pem and then you can call:
requests.get("https://...", verify='my_trust_store.pem')
... but I've tried downloading the site's certificate and pointing to that file using the verify option
This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify) and a server certificate is not CA certificate it will not help to add it to the trust store.
cat institution-certificate.pem >> venv/lib/python3.9/site-packages/certifi/cacert.pem
This should solve the problem if your network requires a CA
using the certifi doesn't seem to be implied, so i'll show you what made my solution:
import urllib, urllib2, ssl
import certifi
request = urllib2.Request(url=url)
kw = dict()
if url.startswith('https://'):
certifi_context = ssl.create_default_context(cafile=certifi.where())
kw.update(context=certifi_context)
urllib2.urlopen(request, **kw)
i found this solution and more on RealPython, here
If you can avoid the certificate verification (not secure), set PYTHONHTTPSVERIFY environment variable to 0:
export PYTHONHTTPSVERIFY=0
This will skip the certificate verification.
import requests
html = requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx",verify=False).text
You should write it like this, and I've verified it
This code
import requests
requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")
is giving me this error
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)
I know practically nothing about SSL, but I've tried downloading the site's certificate and pointing to that file using the verify option, but it hasn't worked. Am I missing something?
As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:
This server's certificate chain is incomplete. Grade capped to B.
This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA info a file my_trust_store.pem and then you can call:
requests.get("https://...", verify='my_trust_store.pem')
... but I've tried downloading the site's certificate and pointing to that file using the verify option
This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify) and a server certificate is not CA certificate it will not help to add it to the trust store.
cat institution-certificate.pem >> venv/lib/python3.9/site-packages/certifi/cacert.pem
This should solve the problem if your network requires a CA
using the certifi doesn't seem to be implied, so i'll show you what made my solution:
import urllib, urllib2, ssl
import certifi
request = urllib2.Request(url=url)
kw = dict()
if url.startswith('https://'):
certifi_context = ssl.create_default_context(cafile=certifi.where())
kw.update(context=certifi_context)
urllib2.urlopen(request, **kw)
i found this solution and more on RealPython, here
If you can avoid the certificate verification (not secure), set PYTHONHTTPSVERIFY environment variable to 0:
export PYTHONHTTPSVERIFY=0
This will skip the certificate verification.
import requests
html = requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx",verify=False).text
You should write it like this, and I've verified it
I want to connect to a SOAP API that does not have WSDL in Python. To connect I need to a add a SSL certificate and authenticate afterwards.
from pysimplesoap.client import SoapClient, SimpleXMLElement
cacert = open(path, 'rb').read() # read the certificate
header = SimpleXMLElement('<Header/>')
credentials = header.add_child('Credentials')
credentials.marshall('Password', 'password')
credentials.marshall('Username', 'username')
client = SoapClient(
location="https://mytest.com/Services/",
cacert=cacert)
client['Header'] = header
client.action = "https://mytest.com/Services/Action1"
client.Action1() # gives SSL error
The result I receive is a SSL error:
SSLHandshakeError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Can anyone, please, tell me how to solve this issue? Or can you advise any other library I can use. Most SOAP libraries I found offer connection only to WSDL.
Usually in a pfx file there is the client certificate with key, not the CA file. The libraries seems to expect the client certificate as PEM. You should extract the certificate and the key as show in https://stackoverflow.com/a/9516936/3929826.
Then hand it in to the SoapClient() initiation as cert and key_file argument:
client = SoapClient(location="https://mytest.com/Services/",
cert='mycert.pem',
key_file='mycert.key)
It should also be possible to put both into the cert file.
If that still does not work your have to add the CA certificate as the cacert parameter after you retrieved it as described in https://stackoverflow.com/a/7886248/3929826 .
For further reference see the source code of simplesoap: https://code.google.com/p/pysimplesoap/source/browse/pysimplesoap/client.py#75 .
My apache ssl conf has the following configs
# Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
I do not have the CA certificates for this server. Can I still install the localhost.crt into my clients to successfully verify my server?
On the client:
I am using Python requests library (2.2.1). The default CA BUNDLE path is used. Even when I add the localhost.crt to the cacert.pem in the default path, I am unable to see the verification go through. I see the exception:
File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 385, in send
raise SSLError(e)
SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Am I doing anything wrong? Should I only add the CA who signed the localhost.crt in the server?
Thanks,
Vijay
If you provided code and be more clear on what you're doing then you'd get a good answer.
If you want don't want to get the error even if you use an invalid certificate then try the verify=False attribute.
>>> requests.get('https://kennethreitz.com', verify=False)
If you want to use a custom certificate, then place the certificate in the script folder and use the cert=('/path/client.cert', '/path/client.key') argument.
>>> requests.get('https://kennethreitz.com', cert=('/path/client.cert', '/path/client.key')).
For more info read the docs.python-requests.org/en/master/user/advanced/ site