
SSLError: unknown error (_ssl.c:2825). While verifying .cer file in python

I was getting an SSL error in Python while connecting to a secured URL. As a quick workaround I passed verify=false and it worked. Later I got the .cer file, and now that file path is given to verify. Now I get

SSLError: unknown error (_ssl.c:2825)

What is the problem?

Is it because I gave a .cer instead of a .pem? Can I convert a .cer to a .pem file?

How to fix this problem?

Codeformer asked Jun 17 '26 14:06


1 Answer

Essentially, yes - this "unknown error" is a result of having a .cer file instead of a .pem file. I just ran into this, with a different line number (_ssl.c:4025 or so) but otherwise identical symptoms, and using a .pem certificate file instead fixed it.

Courtesy of HUB and Marcel Friedmann on Server Fault, here's how to convert a certificate between those formats:

  • Open the certificate file with Notepad++ or similar. If it starts with -----BEGIN CERTIFICATE-----, it's already in the right format - just rename it to .pem.

  • Otherwise, if you have OpenSSL installed, it's a fairly easy matter:

    openssl x509 -inform der -in certificate.cer -out certificate.pem
    
  • If you don't have OpenSSL installed, but do have Java's keytool, you can use that, but it's a little convoluted.

    First, find a keystore that won't mind some use. If you don't have one, create one:

    # create a dummy certificate in the file test.keystore, forcing the keystore to be created
    keytool -genkey -alias test -keystore test.keystore
    # and now delete the cert
    keytool -delete -alias test -keystore test.keystore
    # the (empty) keystore will still exist
    

    Then, import the .cer-format cert:

    keytool -import -trustcacerts -alias test -file certificate.cer -keystore test.keystore 
    

    Finally, export it as .pem (making sure it's actually in the right format):

    keytool -exportcert -alias test -file certificate.pem -rfc -keystore test.keystore
    
  • If you don't have OpenSSL or Java keytool, you'll need to install one of them, or find another way.

michaelb958--GoFundMonica answered Jun 19 '26 03:06
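For the "find another way" case in the last bullet, Python's standard library can do the DER-to-PEM step without OpenSSL or keytool. This is an added example, not part of the original answer; the function names and the stand-in bytes in the demo are assumptions made for illustration.

```python
import ssl
import tempfile
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def cert_bytes_to_pem(data: bytes) -> str:
    """Return PEM text for certificate bytes that are either PEM or DER."""
    start = data.find(PEM_HEADER)
    if start != -1:
        # Already PEM (the "just rename it" case). Drop anything before the
        # header, such as a BOM or blank lines added by an editor.
        end = data.rfind(PEM_FOOTER)
        if end == -1:
            raise ValueError("PEM header without matching footer")
        body = data[start:end + len(PEM_FOOTER)].decode("ascii")
        return body.replace("\r\n", "\n") + "\n"
    if data[:1] != b"\x30":
        # A DER certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
        raise ValueError("neither PEM nor DER certificate data")
    # Base64-wraps the DER bytes in PEM armour. Unlike `openssl x509 -inform der`,
    # this does not parse the certificate, so garbage in gives garbage out.
    return ssl.DER_cert_to_PEM_cert(data)


def convert_file(cer_path: str) -> Path:
    """Write <name>.pem next to cer_path and return the new path."""
    src = Path(cer_path)
    dst = src.with_suffix(".pem")
    dst.write_bytes(cert_bytes_to_pem(src.read_bytes()).encode("ascii"))
    return dst


if __name__ == "__main__":
    # Constructed stand-in DER bytes (an ASN.1 SEQUENCE), not a real certificate.
    with tempfile.TemporaryDirectory() as tmp:
        cer = Path(tmp) / "certificate.cer"
        cer.write_bytes(b"\x30\x03\x02\x01\x01")
        print(convert_file(str(cer)).read_text())
```

Pass the path returned by `convert_file` as the `verify` argument from the question, in place of the `.cer` path.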