CODEWITHSUNDEEP
pythonwindowssslpython-requestsssl-certificate
DmgCtrl-b.net
DmgCtrl-b.net

Reputation: 169

Python requests certificate verify failed on Windows

I am using requests to connect to a REST API and I have a certificate bundle as well as a .pem key that I am using to authenticate who I am with the API. The certificates and code I have work on my Ubuntu machine, so I know the certificates are good.

I encountered this similar problem a while back when I was setting this up on Linux and the exception was being thrown when I put those certificates in etc/pki/tls/certs. When I moved those certificates to etc/ssl/certs, everything worked perfectly.

To be clear, I have hashed the directory with those certificates although I honestly am not sure what the importance of hashing is.

So, my question is: Where should I put those certificates on Windows?

Here is a snippet of code:

import requests

private_key = '\path\to\private\key.pem'
cert_bundle = '\path\to\bundle'
url = 'https://www.securedsite.com/api-entry'

session = requests.Session()
session.cert = private_key
session.verify = cert_bundle
try:
    resp = session.post(url)    
except:
    # Exception

Where I currently have my certs, on Windows:

'C:\stuff\admin\private\core_admin.pem'

'C:\stuff\admin\certs\'

Software versions:

For reference, the linux machine is:

Within the code, I am using pathlibs Path to build the path so that I can switch back and forth between linux and windows and everything works on linux. I think I just need guidance on where to place my certs.

Upvotes: 5

Views: 11756

Answers (2)

David Pettersson
David Pettersson

Reputation: 368

Being on Windows, you would typically import them into the Certificate Manager ("Start", then "Manage computer certificates" or "Manage user certificates" depending on your scope). That would put them in to the appropriate location. Python uses this certificate store.

However, requests defaults to using its own, but you can get around it. See SSL failure on Windows using python requests for details on how to continue from there.

Beware, this is a deep rabbit hole. See https://github.com/psf/requests/issues/2966 for even more background on this.

Upvotes: 4

Jari Turkia
Jari Turkia

Reputation: 1373

By default, Python requests-library in Windows does not use default Windows certificate store, but a PEM-file provided by https://pypi.org/project/certifi/.

To add a new CA root cert, do either one of these:

  • Find out where your PEM-file is stored at: python -c "import certifi ; print(certifi.where())", add your CA root cert to that file.
  • Install https://pypi.org/project/python-certifi-win32/ which will enable certifi to use Windows certificate store. Install your CA root cert there.

Upvotes: 4

Related Questions