SSLError("bad handshake") when trying to access resources Custom Certificates and Requests

Question

I want to program webservices to exchange data in Python using Zeep. I can access services only with my certificate. I have a PFX certificate, but I converted it to two .pem files.

My code:

from zeep import Client
from zeep.wsse.signature import Signature 
import requests
from requests import Session
key_filename ='/.files/cert.key.pem'
cert_filename = './files/cert.crt.pem'
session = Session()  
r = requests.get('https:...../PingWs?wsdl',
             cert=(cert_filename, key_filename)) 
print (r)

But I get

> raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='evidim-test.gov.si', port=443):
Max retries exceeded with url: /ws/test/PingWs?wsdl
(Caused by SSLError(SSLError("bad handshake: Error([('SSL routines',
'tls_process_server_certificate', 'certificate verify failed')],)",),))

Answer 1

This error almost certainly means that the remote endpoint is not signed with a certificate in your local certificate authority store. You have two options:

• Install the certificate in the CA store that requests uses. By default this is your local system CA store, at least as well as it can be determined by requests.

• Configure a different set of certificates to be used on a requests session object.

As an example:

import requests.sessions

photon_requests_session = requests.sessions.Session()
photon_requests_session.verify = "/etc/photon/cacerts.pem"

Then I need to make sure that the server CA certificate is in /etc/photon/cacerts.pem. I use this like:

r = photon_requests_session.get(url)

Answer 2

Its an issue you will have to resolve by whitelisting the CA certificate used to sign the remote server certificate you are trying to connect to from your system settings. But for the purposes of testing out only, you can turn off the verification using:

r = requests.get('https:...../PingWs?wsdl',verify=False)

Don't use this in production.

Hope it helps!