Does Python use system SSL certificates?

Last week I came across the recent Authorize.net invalid SSL certificate debacle.

I was able to get curl to finally accept their certificate:

$ curl -Iv https://secure.authorize.net
...
*  SSL certificate verify ok.
...

but python still rejects it with requests:

>>> requests.get('https://secure.authorize.net', verify=True)
...
  InsecurePlatformWarning


and in my code:

File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Can anyone tell me why python doesn't seem to use system certificates for validation? Any ideas for a fix?

EDIT

I am using Ubuntu and installed the certificate this way:

sudo curl -o /usr/local/share/ca-certificates/entrust_ssl_ca.crt https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
sudo update-ca-certificates


After running that, curl worked correctly, but Python still didn't recognize the certificate.

+3

1 answer


You don't specify which OS you are using or where you installed the certificates to make them available to Curl.

I have used strace on my system to see where Python is looking for certificates. On my Fedora system, Python uses /etc/pki/tls/certs/ca-bundle.crt, which is the default location on Fedora, Red Hat, and similar systems.

On Ubuntu, Python looks for /etc/ssl/certs/ca-certificates.crt.

According to the documentation:

    You can pass the path to the CA_BUNDLE file with trusted CA certificates. This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.

... so you can provide your application with a list of CA certificates that is independent of what is installed on the system.

Update

Running openssl s_client -showcerts -connect secure.authorize.net:443 shows that the certificate is for *.authorize.net, signed by the "Entrust Certification Authority - L1K" certificate, which is signed by the "Entrust Root Certification Authority - G2" certificate, which is signed by the "Entrust Root Certification Authority". The certificate you installed as entrust_ssl_ca.crt is the "Entrust.net Secure Server Certification Authority", which is none of the above.

I would just visit http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/ and download everything, but the top-level certificate in the chain above is this one. The second certificate is listed on the download page.

+2
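Added example (mine, not code from the question or the answer). The reason the system store fixed curl but not requests is that requests does not use the stdlib ssl default paths at all: it ships its own CA bundle (cacert.pem, via certifi in current versions) and consults another file only when verify= is given a path or REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE is set. The script below prints where the stdlib ssl module looks, re-implements requests' bundle-selection order (resolve_requests_bundle is my re-implementation of that order, not imported from requests), assembles a private bundle from downloaded root and intermediate certificates, and does a real handshake against a chosen bundle in verify_host. SAMPLE_BUNDLE is constructed filler, not real certificates.

```python
"""Where a Python HTTPS client finds its trust anchors.

Added example, not code from the original question or answer.
stdlib_verify_paths() reports the OpenSSL defaults the stdlib ssl module
uses (the system bundle the answer found with strace);
resolve_requests_bundle() re-implements, rather than imports, the order
in which requests picks a CA bundle; build_bundle() assembles a private
bundle.  SAMPLE_BUNDLE is constructed filler, not real certificates.
"""
import os
import socket
import ssl

# What requests falls back to when nothing else is set: the cacert.pem it
# ships (via certifi in current versions).  A label here, so this runs
# without requests installed.
BUNDLED_CACERT = "cacert.pem shipped with requests/certifi"

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def stdlib_verify_paths():
    """Default cafile/capath the ssl module passes to OpenSSL and the
    environment variables (SSL_CERT_FILE/SSL_CERT_DIR) that override them.
    Typically /etc/ssl/certs/ca-certificates.crt on Ubuntu and
    /etc/pki/tls/certs/ca-bundle.crt on Fedora/RHEL."""
    p = ssl.get_default_verify_paths()
    return {"cafile": p.cafile, "capath": p.capath,
            "cafile_env": p.openssl_cafile_env,
            "capath_env": p.openssl_capath_env}


def resolve_requests_bundle(verify=True, environ=None):
    """File requests will verify against, in requests' own precedence:
    verify=False disables checking; a path given as verify wins;
    then REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE; else the bundled file.
    The system store is only used if one of these points at it."""
    env = os.environ if environ is None else environ
    if verify is False:
        return None          # verification off: never do this in production
    if verify is not True:
        return verify        # explicit CA_BUNDLE path
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    return BUNDLED_CACERT


def pem_blocks(text):
    """Split PEM text into complete BEGIN/END certificate blocks,
    dropping comments and anything outside a block."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def build_bundle(cert_texts):
    """Concatenate PEM certificates (e.g. the root and intermediate
    downloaded from the CA) into one file for verify=<path>."""
    blocks = []
    for text in cert_texts:
        blocks.extend(pem_blocks(text))
    return "\n".join(blocks) + "\n"


def verify_host(hostname, cafile, port=443):
    """Handshake trusting only cafile; returns the peer subject or raises
    ssl.SSLError on a failed chain.  Needs network, so not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["subject"]


# Constructed placeholder bundle: shape only, not real certificates.
SAMPLE_BUNDLE = """# root (placeholder)
-----BEGIN CERTIFICATE-----
MIIB...placeholder-root...
-----END CERTIFICATE-----
# intermediate (placeholder)
-----BEGIN CERTIFICATE-----
MIIB...placeholder-intermediate...
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("stdlib defaults:", stdlib_verify_paths())
    print("requests, nothing set:", resolve_requests_bundle())
    env = {"REQUESTS_CA_BUNDLE": "/etc/ssl/certs/ca-certificates.crt"}
    print("requests, env set:", resolve_requests_bundle(True, env))
    print("private bundle holds",
          len(pem_blocks(build_bundle([SAMPLE_BUNDLE]))), "certificates")
```

If you want requests to honour update-ca-certificates, point REQUESTS_CA_BUNDLE at /etc/ssl/certs/ca-certificates.crt (Ubuntu) or /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL). Otherwise build a bundle from the real root and intermediate and pass its path as verify=; that is the more reproducible choice, but rotating the bundle when the CA changes its chain then becomes your job rather than the distribution's.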

