Does Python use system SSL certificates?
Last week I came across a recent invalid SSL certificate Authorize.net debacle.
I was able to get curl to finally accept their certificate:
$ curl -Iv https://secure.authorize.net
...
* SSL certificate verify ok.
...
but python still rejects it with requests:
>>> requests.get('https://secure.authorize.net', verify=True)
...
InsecurePlatformWarning
and in my code:
File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Can anyone tell me why python doesn't seem to use system certificates for validation? Any ideas for a fix?
EDIT
I am using Ubuntu and installed the certificate this way:
sudo curl -o /usr/local/share/ca-certificates/entrust_ssl_ca.crt https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
sudo update-ca-certificates
After running that, curl worked correctly, but Python still didn't recognize the certificate.
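Added example (not code from the question): a Python 3 script that shows where the OpenSSL this interpreter is linked against looks for CA certificates, and that re-implements, for illustration only, the precedence requests applies when choosing a CA bundle. The point it makes is that requests does not consult the system store at all by default: it hands OpenSSL the cacert.pem it ships (today via certifi) unless you pass verify=<path> or set REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE, so a CA added with update-ca-certificates is invisible to it. CERTIFI_BUNDLE is a placeholder name of this example, not a requests or certifi API, and verify_host needs network access so it is only called from the __main__ block.

```python
"""Added example: where this interpreter looks for CA certificates, and which
bundle requests will actually hand to OpenSSL.  Python 3 only."""
import os
import socket
import ssl

# Placeholder standing in for the cacert.pem that requests/certifi ship.
# (Hypothetical name used by this example; the real path comes from certifi.)
CERTIFI_BUNDLE = "<certifi cacert.pem>"


def openssl_default_paths():
    """Return the compile-time CA locations of the OpenSSL Python is linked against.

    cafile/capath are None when the file/directory does not exist on this machine;
    openssl_cafile/openssl_capath are the paths OpenSSL was built with regardless.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "openssl_cafile": p.openssl_cafile,
        "openssl_capath": p.openssl_capath,
        "cafile_env": p.openssl_cafile_env,   # normally SSL_CERT_FILE
        "capath_env": p.openssl_capath_env,   # normally SSL_CERT_DIR
    }


def requests_ca_bundle(verify=True, env=None):
    """Mirror of the precedence requests uses to pick a CA bundle (this is a
    re-implementation for illustration, not requests' own code):
      1. verify=False disables verification (returned here as None);
      2. verify=<path> wins outright;
      3. verify=True consults REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE;
      4. otherwise the bundle shipped with requests/certifi is used,
         which is why a CA added with update-ca-certificates is never seen.
    """
    env = os.environ if env is None else env
    if verify is False:
        return None
    if isinstance(verify, (str, bytes, os.PathLike)):
        return os.fspath(verify)
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    return CERTIFI_BUNDLE


def bundle_stats(cafile):
    """Load a PEM bundle into a fresh client context and report how many CA
    certificates OpenSSL accepted from it (cert_store_stats()['x509_ca'])."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.cert_store_stats()


def verify_host(host, cafile=None, port=443):
    """Handshake with host using cafile (or OpenSSL's defaults when None) and
    return ('ok', subject) or ('verify failed', reason).  Needs network access."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return ("ok", subject)
    except ssl.SSLCertVerificationError as exc:
        return ("verify failed", exc.verify_message)


if __name__ == "__main__":
    for k, v in openssl_default_paths().items():
        print(f"{k:16} {v}")
    print("requests would use:", requests_ca_bundle())
    system = openssl_default_paths()["cafile"]
    if system:
        print(system, "holds", bundle_stats(system)["x509_ca"], "CA certificates")
        print(verify_host("secure.authorize.net", cafile=system))
```

Run it as-is to see the compiled-in paths; then run it again with REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt (Ubuntu) or /etc/pki/tls/certs/ca-bundle.crt (Fedora) to see requests switch to the system bundle, which is the one update-ca-certificates actually edits.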
You don't specify which OS you are using or where you installed the certificates to make them available to Curl.
I have used strace on my system to see where Python is looking for certificates. On my Fedora system, Python uses /etc/pki/tls/certs/ca-bundle.crt, which is the default location on Fedora, Red Hat, and similar systems.
In Ubuntu, Python looks for /etc/ssl/certs/ca-certificates.crt.
According to the documentation:
You can pass the path to the CA_BUNDLE file with trusted CA certificates. This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.
... so you can provide your application with a list of CA certificates that is independent of what is installed on the system.
Update
Running openssl s_client -showcerts -connect secure.authorize.net:443 shows that the certificate is *.authorize.net, signed by the "Entrust Certification Authority - L1K" certificate, which is signed by the "Entrust Root Certification Authority - G2" certificate, which is signed by the "Entrust Root Certification Authority". The certificate you installed as entrust_ssl_ca.crt is the "Entrust.net Secure Server Certification Authority", which is none of the above.
I would just visit http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/ and download everything, but the top-level certificate in the chain shown above is this one. The second certificate is listed on the download page.
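The chain walk the answer describes, and why installing a CA from the right vendor but the wrong chain does not help, as an added example that is not part of the answer. It uses only the openssl CLI (1.1.1 or later assumed) to build a throwaway three-level chain in a temporary directory: a root, an issuing CA named in the style of "- L1K", a wildcard leaf, plus an unrelated CA from the "same vendor" standing in for the entrust_ssl_ca.crt that was installed. All names, keys and certificates are constructed on the fly; nothing touches Entrust or Authorize.net.

```shell
#!/bin/sh
# Added example (not from the answer above): build a throwaway three-level chain
# with the openssl CLI and show that the trust anchor you install has to be the
# certificate that actually tops the chain, not just any CA from the same vendor.
# Every name here (Example Root CA, Example Issuing CA - L1K, ...) is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: $1 = file stem, $2 = CN.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Certificate signed by an existing CA: $1 = stem, $2 = CN, $3 = issuer stem, $4 = ca|leaf.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    if [ "$4" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
            > "$WORK/$1.ext"
    else
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$1.ext"
    fi
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Print "subject <- issuer" for each PEM, leaf first: the same walk you do by
# eye over the output of openssl s_client -showcerts.
walk_chain() {
    for f in "$@"; do
        s=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        printf '%s  <-  %s\n' "$s" "$i"
    done
}

# Verify the leaf against a trust-anchor file ($1) with optional untrusted
# intermediates ($2); echo ok or fail instead of aborting under set -e.
verify_with() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1 \
            && echo ok || echo fail
    else
        openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1 \
            && echo ok || echo fail
    fi
}

make_root root       "Example Root CA"
issue     l1k        "Example Issuing CA - L1K" root ca
issue     leaf       "*.example.test"           l1k  leaf
make_root secure_srv "Example Secure Server CA"   # unrelated CA from the same vendor

walk_chain "$WORK/leaf.pem" "$WORK/l1k.pem" "$WORK/root.pem"
echo "wrong root, with intermediate:    $(verify_with "$WORK/secure_srv.pem" "$WORK/l1k.pem")"
echo "right root, intermediate missing: $(verify_with "$WORK/root.pem")"
echo "right root, full chain:           $(verify_with "$WORK/root.pem" "$WORK/l1k.pem")"
```

The three verdicts are the whole story: the unrelated CA fails even though its vendor name matches, the right root still fails when the intermediate is not supplied (by the server or by you), and only root plus intermediate verifies. Against a real host, replace the generated files with the blocks you cut out of openssl s_client -showcerts and the root you downloaded, and the same openssl verify -CAfile ... -untrusted ... call tells you whether the bundle you are about to hand to Python is sufficient.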