This is a followup to SSLError using requests for python:
I have just installed requests
on a Mac OSX 10.8.5. My first attempt at doing requests.get
failed on missing certificate:
SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The thread above says to look for /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/requests/cacert.pem
but actually I don't even have a .../site-packages/requests
directory. It's not clear to me if this should have been added by the installation (I used pip
)
Further threads and the requests
docs say to install certifi
, so I did. But now I get a different error:
python -c 'import requests; requests.get("https://api.github.com/events")' /usr/lib/anaconda/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Traceback (most recent call last):
...
File "/usr/lib/anaconda/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
Thanks!
Notice that you're using HTTPS
. As mentioned in the Requests manual
To check a host’s SSL certificate, you can use the verify argument [...] By default, verify is set to True
Here are few ways to fix that:
Taken from here:
If you encounter one of the following errors:
error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm The software you are using might be compiled with a version too old of OpenSSL that does not take certificates signed with sha256WithRSAEncryption into account.
It requires at least OpenSSL 0.9.8o for a total management of SHA256. OpenSSl 0.9.7m only assures a partial management, for server mode only.
openssl
version byopenssl version
OpenSSL 1.0.1k-fips 8 Jan 2015
If you have a smaller version than OpenSSL0.9.8o
, you have to update its version (OS X):
brew update
brew install openssl
brew link --force openssl
If that doesn't work, try this way:
brew uninstall openssl
rm -rf /usr/local/openssl
brew install openssl
openssl
installed before OS X 10.10.3
and reinstalling it fixes itopenssl
, remove its folder from your hard-disk and install it again (the updated version)certifi
Taken from here
By default Requests bundles a set of root CAs that it trusts, sourced from the Mozilla trust store. However, these are only updated once for each Requests version. This means that if you pin a Requests version your certificates can become extremely out of date.
From Requests version 2.4.0 onwards, Requests will attempt to use certificates from certifi if it is present on the system. This allows for users to update their trusted certificates without having to change the code that runs on their system.
For the sake of security we recommend upgrading certifi frequently!
In other word, try to install certifi
, if you have Request 2.4.0
or newer:
pip install certifi
Hopefully, this will fix the problem.
Looking into it using Google, I have found that there is a problem with OpenSSL in Python 2:
However, I am using Python 2.7.6
, Requests 2.2.1
and OpenSSL 1.0.1f 6 Jan 2014
and everything runs correctly.
In other cases, you may need to tell requests.get
the path to the certificate file, if the host's certificate was signed by you.
requests.get("https://api.github.com/events", verify=True, cert=['/path/to/my/ca.crt'])
In case you want to avoid the certificate verification, you have to pass verify=False
to the request.get
method.
python -c 'import requests; requests.get("https://api.github.com/events", verify=False)'
or from script.py
file:
import requests
res = requests.get("https://api.github.com/events", verify=False)
print res
terminal:
$ python script.py
<Response [200]>
Important: Very bad idea; You can be MITM attacked, which is a critical security vulnerability.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With