SSL3 Certificate Verify Failed when Connecting to JIRA API Using Python

Question

I'm currently running into an error when attempting to connect to JIRA using Python2.7 and the JIRA REST API (http://jira-python.readthedocs.org/en/latest/).

When I execute the following:

from jira.client import JIRA

options = {
    'server': 'https://jira.companyname.com'
}
jira = JIRA(options)

I get the following error message in console:

requests.exceptions.SSLError: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is there something that I may have missed or am doing incorrectly?

Thanks!

Answer 1

I know I'm late on this answer, but hopefully this helps someone down the road.

---

Why you shouldn't turn off verification

While turning off certificate verification is the easiest "solution", it is not an advisable thing to do. It essentially says, "I don't care if I trust you or not, I'm going to send you all my information anyway." This opens you up for a Man-in-the-Middle attack.

If you're connecting to your company's Jira server and it has a certificate for TLS/SSL, you should be verifying against that. I'd ask your IT department where that certificate is. It's probably in some root certificate for your company.

If you're connecting to the server in Chrome (for example) it should show a lock in the left-hand corner of address bar if it's secured over TLS/SSL.

You can Right-Click that lock -> Details -> View Certificate in Chrome.

Okay, so what do I do?

Provide the necessary certificate to the verify option directly.

jira-python uses Requests for HTTP stuff (See documentation). And according to Requests documentation you can specify a path to a certificate file in verify.

Thus, you can provide the root certificate for your company in verify like so:

jira_options = {
    'server': jira_server_name,
    'verify': 'path/to/company/root/certificate',
}

If you're using a Windows machine (a safe assumption?), that root certificate is stored in the registry and the best way to get it is using wincertstore.

Answer 2

On Windows system please do the following:-

1. Go to the website using google chrome, then click on Lock button.
2. Now click on certificate, a new window pops up.
3. Next click on Certification Path, select first option from list which will be root, then select View Certificate, another window pops up.
4. Go to Details tab, click on Copy To File. Then click on Next, select Base-64 encoded x509.(CER) radio button, click on Next and save the .cer file locally.

Once the .cer file is obtained, add it to the python script as follows:-

jira_options = {
    'server': jira_server_name,
    'verify': 'path_to_directory_containing_certificate_file/certificate.cer'
}

This should work without any security warnings.

Answer 3

I encountered a similar SSL certificate verification error and looking through the "JIRA" methods definitions, its possible to turn off the verification.

    :param options: Specify the server and properties this client will use. Use a dict with any
     of the following properties:
      * server -- the server address and context path to use. Defaults to ``http://localhost:2990/jira``.
      * rest_path -- the root REST path to use. Defaults to ``api``, where the JIRA REST resources live.
      * rest_api_version -- the version of the REST resources under rest_path to use. Defaults to ``2``.
      * verify -- Verify SSL certs. Defaults to ``True``.
      * resilient -- If it should just retry recoverable errors. Defaults to `False`.

Try this :

from jira.client import JIRA

options = {'server': 'https://jira.companyname.com','verify':False}
jira = JIRA(options)

Answer 4

Just install python-certifi-win32 module, and this should help you get past these errors without any more hassle