Why does this simple Python HTTPS request throw an SSL error even when given an SSL certificate?

Question

I've recently started an internship at a company with pretty strict IT policies. I'm the only developer at the company and it is clear that I'm running into problems that most likely don't affect anyone else here, which makes them difficult to resolve. IT has inserted their own SSL certificate at the proxy level (probably to monitor network traffic), which has led to problems making HTTPS requests. I have found what I believe to be the correct certificate and it has worked to allow me to install packages with conda. However, HTTPS requests made with python's requests package still error out even when they are given the correct certificate.

Here's a really simple attempt at an HTTPS request to https://example.com:

import requests

url = "https://example.com"
response = requests.get(url, cert = "/temp/certs/certificate.pem")

And all of the output:

python : Traceback (most recent call last):
At line:1 char:1
+ python main.py 2>%1 > bruh.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Traceback (most recent call last)::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\util\ssl_.py", line 418, in ssl_wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3921)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\adapters.py", line 487, in send
    resp = conn.urlopen(
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\util\retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:3921)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "(file location)", line 27, in <module>
    response = requests.get(url, cert = "/temp/certs/certificate.pem")
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\adapters.py", line 518, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:3921)')))

This is different than the error produced when no certificate is provided, which references a self-signed certificate.

Edit: The request does go through when SSL verification is set to false, but obviously that isn't really a solution.

Answer 1

The cert option of the request is meant to be for the client certificate authentication. What I believe you are trying to do is to add a trusted CA for the request. For this use the verify option.

response = requests.get(url, verify = "/temp/certs/certificate.pem")

You can find the difference in the documentation.