André Fratelli

Reputation: 6068

Installing certificate for a specific CA, or understanding why the existing one doesn't work

I have the following code in Python 3.7:

    import urllib.request
    import urllib.error
    import ssl
    import certifi

    # The URL under test; see below for the one that fails
    some_url = 'https://hypelabs.io'

    # Create the SSL context
    # Was using cafile=certifi.where() before, but copied it inline. Read below
    context = ssl.create_default_context(cafile='cacert.pem')

    # Prepare the request
    request = urllib.request.Request(some_url)

    try:
        # Opening the URL performs the TLS handshake and certificate verification
        connection = urllib.request.urlopen(request, context=context)
    except urllib.error.URLError as e:
        print(e)

I've tried several different values for some_url and I'm getting a problem for a specific one, https://hypelabs.io. Other URLs are working; I tested, for example, https://facebook.com, https://stackoverflow.com, and so on, all working properly. For hypelabs.io I get this instead:

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1051)>

First thoughts were that the CA was not recognized by the system, and that I needed to install the CA certificate first. I checked the chain in the browser and this is what I found:

[image: certificate chain as shown in the browser]

However, the COMODO RSA Certification Authority is in all bundle files that I tried (as expected) and in the Keychain as well (I'm using macOS High Sierra). Notice that the serial numbers match.

The second certificate in the chain is not in the system. I know that the root is enough, but just in case I tried downloading it and adding it to the bundle file, after converting the CRT file to PEM:

[image: the converted intermediate certificate added to the bundle file]

Same result. Why is this particular certificate failing? What should I be looking at?

Upvotes: 0

Views: 158

Answers (1)

Steffen Ullrich

Reputation: 123461

The site is misconfigured and fails to provide a necessary intermediate certificate. The SSLLabs report therefore says:

This server's certificate chain is incomplete. Grade capped to B.

The second certificate in the chain is not in the system. I know that the root is enough, but just in case I tried downloading it and adding it to the bundle file, after converting the CRT file to PEM.

My guess is that you did something wrong here. Given that your description is correct, I assume that it does not fully match what you actually did.

I took the missing certificate with the same fingerprint as can be found here and added it to the list of root CAs (taken on Ubuntu from /etc/ssl/certs/ca-certificates.crt). After that, access to the site worked without any problems.

Upvotes: 1
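The answer's diagnosis, reproduced offline with a throwaway chain: a leaf verified against the root alone fails when the intermediate is not supplied, and either the server sending the intermediate or the client appending it to its bundle makes verification pass. This is an added example, not code from the question or the answer; it assumes the openssl command-line tool is installed, and every CA name, the hostname www.example.test and the file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: build a throwaway root -> intermediate -> leaf chain with
# openssl, then verify the leaf the three ways discussed above. Nothing here
# touches the network; every name and file is made up for the demo.

make_test_chain() {    # $1: scratch directory; all key/cert files land there
  wd=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$wd/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$wd/leaf.ext"
  # Root CA: CSR self-signed with its own key, CA:TRUE taken from ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$wd/root.key" -out "$wd/root.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -set_serial 1 -in "$wd/root.csr" -signkey "$wd/root.key" \
    -extfile "$wd/ca.ext" -out "$wd/root.pem" >/dev/null 2>&1 || return 1
  # Intermediate CA, signed by the root (this is what the misconfigured server omits)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$wd/int.key" -out "$wd/int.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -set_serial 2 -in "$wd/int.csr" -CA "$wd/root.pem" \
    -CAkey "$wd/root.key" -extfile "$wd/ca.ext" -out "$wd/int.pem" >/dev/null 2>&1 || return 1
  # Server (leaf) certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$wd/leaf.key" -out "$wd/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -set_serial 3 -in "$wd/leaf.csr" -CA "$wd/int.pem" \
    -CAkey "$wd/int.key" -extfile "$wd/leaf.ext" -out "$wd/leaf.pem" >/dev/null 2>&1
}

# Verify a leaf against a trust bundle. $3, if given, is a PEM of untrusted
# intermediates, i.e. the extra certificates a correctly configured server sends.
verify_leaf() {        # $1: leaf.pem  $2: trusted CA bundle  $3: intermediates (optional)
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1"
  else
    openssl verify -CAfile "$2" "$1"
  fi
}

dir=$(mktemp -d)
make_test_chain "$dir" || { echo "chain generation failed"; exit 1; }
echo "1) trusted root only, intermediate not supplied (the hypelabs.io situation):"
verify_leaf "$dir/leaf.pem" "$dir/root.pem" || echo "   -> error 20, unable to get local issuer certificate"
echo "2) intermediate supplied alongside the leaf (what a correct server does):"
verify_leaf "$dir/leaf.pem" "$dir/root.pem" "$dir/int.pem"
echo "3) intermediate appended to the local CA bundle (the answer's workaround):"
cat "$dir/root.pem" "$dir/int.pem" > "$dir/bundle.pem"
verify_leaf "$dir/leaf.pem" "$dir/bundle.pem"
rm -rf "$dir"
```

Case 1 is what Python's ssl module surfaces as "unable to get local issuer certificate"; case 2 is the fix the site itself needs, while case 3 only patches the one client whose bundle was edited.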
