
SSL error with Python requests despite up-to-date dependencies

I am getting an SSL "bad handshake" error. Most similar responses to this problem seem to stem from old libraries, 1024bit cert. incompatibility, etc... I think I'm up to date, and can't figure out why I'm getting this error.

SETUP:

  • requests 2.13.0
  • certifi 2017.01.23
  • 'OpenSSL 1.0.2g 1 Mar 2016'

I'm hitting this API (2048bit certificate key): https://api.sidecar.io/rest/v1/provision/application/device/count/

And getting this error: requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

See l.44 of https://github.com/sidecar-io/sidecar-python-sdk/blob/master/sidecar.py

If I turn verify=False in requests, I can bypass, but I'd rather figure out why the certification is failing.

Any help is greatly appreciated; thanks!

N. Masson asked Mar 01 '17 18:03




2 Answers

The validation fails because the server you access is set up improperly, i.e. it is not a fault of your setup or code. Looking at the report from SSLLabs you see

This server's certificate chain is incomplete. Grade capped to B.

This means that the server sends a certificate chain which is missing an intermediate certificate to the trusted root and thus your client cannot build the trust chain. Most desktop browsers work around this problem by trying to get the missing certificate from somewhere else but normal TLS libraries will fail in this case. You would need to explicitly add the missing chain certificate as trusted to work around this problem:

import requests
requests.get('https://api.sidecar.io', verify = 'mycerts.pem')

mycerts.pem should contain the missing intermediate certificate and the trusted root certificate. A tested version for mycerts.pem can be found in http://pastebin.com/aZSKfyb7.

Steffen Ullrich answered Oct 18 '22 12:10
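
An added example, not part of the answer above and not code from requests or certifi: a file passed as verify replaces the default CA bundle, so this code appends the missing intermediate to an existing bundle instead of trusting only the certificates in a small hand-made file. The function names and the tiny DER stand-ins for certificates are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text."""
    ders = []
    for body in PEM_CERT.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("malformed base64 in certificate block") from exc
        # An X.509 certificate is a DER SEQUENCE, so it starts with 0x30.
        if not der.startswith(b"\x30"):
            raise ValueError("block is not a DER-encoded certificate")
        ders.append(der)
    return ders


def build_ca_bundle(default_bundle_pem, extra_pem):
    """Append the certificates in extra_pem to default_bundle_pem.

    Duplicates (same SHA-256 over the DER bytes) are written once, so a
    root that is already trusted is not added a second time.
    """
    seen, out = set(), []
    for der in pem_to_der_list(default_bundle_pem) + pem_to_der_list(extra_pem):
        digest = hashlib.sha256(der).hexdigest()
        if digest not in seen:
            seen.add(digest)
            out.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(out)


# Constructed stand-ins for real certificates (tiny DER SEQUENCEs), so the
# example runs offline. In practice the first argument is the text of the
# file certifi.where() points to and the second is the missing intermediate.
ROOT = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x01")
INTERMEDIATE = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x02")
BUNDLE = build_ca_bundle(ROOT, INTERMEDIATE + ROOT)
# Write BUNDLE to a file and pass that path as verify=... to requests.
```

The structural check only confirms that each block decodes to a DER SEQUENCE; it does not validate signatures or expiry, which the TLS library still does at handshake time.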


This may help as a workaround for your issue.

import requests
print(requests.get(url, proxies=proxies, verify=False))

Shadkhan answered Oct 18 '22 11:10