ilw

Reputation: 2560

python 3.73 (Windows, urllib3) ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]

After executing simple code:

from urllib3 import ProxyManager

def GET(url):
    http = ProxyManager("https://91.208.39.70:8080")
    response = http.urlopen('GET', url)
    print(response.data)
    return ''


if __name__ == '__main__':
    result = GET("https://example.com")
    print(result)

I get the following errors:

Traceback (most recent call last):
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\connectionpool.py", line 597, in urlopen
    self._prepare_proxy(conn)
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\connectionpool.py", line 807, in _prepare_proxy
    conn.connect()
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\connection.py", line 350, in connect
    ssl_context=context)
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\util\ssl_.py", line 355, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "F:\Run\Lprogr\Phyton\lib\ssl.py", line 412, in wrap_socket
    session=session
  File "F:\Run\Lprogr\Phyton\lib\ssl.py", line 853, in _create
    self.do_handshake()
  File "F:\Run\Lprogr\Phyton\lib\ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "F:/My/Documents/PycharmProjects/proxyTester/proxy.py", line 17, in <module>
    result = GET("https://example.com")
  File "F:/My/Documents/PycharmProjects/proxyTester/proxy.py", line 11, in GET
    response = http.urlopen('GET', url)
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\poolmanager.py", line 451, in urlopen
    return super(ProxyManager, self).urlopen(method, url, redirect=redirect, **kw)
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\poolmanager.py", line 326, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\connectionpool.py", line 670, in urlopen
    **response_kw)
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\connectionpool.py", line 670, in urlopen
    **response_kw)
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\connectionpool.py", line 670, in urlopen
    **response_kw)
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\connectionpool.py", line 641, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "F:\Run\Lprogr\Phyton\lib\site-packages\urllib3\util\retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)')))

UPDATE: I don't want to ignore certificate validation.

Upvotes: 3

Views: 7020

Answers (3)

ThatOneCodeDev

Reputation: 71

If you are on Windows Server 2018/2019 (I tried it on a personal Datacenter Server), you can issue the command below to allow your programs to connect. This is a system-wide fix from what I can tell. I had to run it from an administrative terminal to get it to work, but this command fixed all of my problems.

certutil -generateSSTFromWU roots.sst && certutil -addstore -f root roots.sst && del roots.sst

Best of luck to you!

Upvotes: 0

ilw

Reputation: 2560

Finally found a solution.

A. Ignoring SSL verification:

import ssl  # needed for ssl.CERT_NONE

http = ProxyManager("https://91.208.39.70:8080", cert_reqs=ssl.CERT_NONE)

B. Not ignoring SSL verification:

I downloaded the CA bundle from certifi and placed it in a folder, for example: f:\cert. Then I coded it like this:

http = ProxyManager("https://91.208.39.70:8080", cert_reqs='CERT_REQUIRED', ca_certs='f:/cert/certs.pem')

Additional info.

If anybody knows other working solutions, please suggest them...

Upvotes: 2

olinox14

Reputation: 6643

Certificates are registered for a domain name, not for an IP. Either you make your request to a domain name, or you ignore the SSL verification (cf. here), or you replace https with http (which will work only if the server allows http connections).

Upvotes: 1
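
An added example, not part of any post on this page: a helper that unwraps the urllib3 error from the question down to the underlying `ssl.SSLCertVerificationError` and reads its OpenSSL `verify_code`, so a trust-store problem (code 19, the question's "self signed certificate in certificate chain") can be told apart from a name or IP mismatch, together with option B from ilw's answer built on `certifi.where()`. The function names and advice strings are this example's own, and `certifi` is assumed to be installed.

```python
import ssl

# OpenSSL X509_V_ERR_* numbers, surfaced by Python as .verify_code
ADVICE = {
    10: "certificate expired: check the local clock, then have it renewed",
    18: "self-signed leaf: pin that certificate in ca_certs or have a CA issue one",
    19: "chain ends in a root that is not in the trust store: add that root CA "
        "(obtained out of band) to the ca_certs bundle",
    20: "issuer not found locally: an intermediate or root CA is missing from ca_certs",
    62: "hostname mismatch: connect using a name the certificate lists",
    64: "IP address mismatch: the certificate does not list this IP address",
}

def find_verify_error(exc):
    """Walk wrappers (cause, context, .reason, args) down to the
    ssl.SSLCertVerificationError; return None if there is none."""
    seen, stack = set(), [exc]
    while stack:
        e = stack.pop()
        if not isinstance(e, BaseException) or id(e) in seen:
            continue
        seen.add(id(e))
        if isinstance(e, ssl.SSLCertVerificationError):
            return e
        stack += [e.__cause__, e.__context__, getattr(e, "reason", None), *e.args]
    return None

def diagnose(exc):
    """Turn a failed request's exception into a remediation hint."""
    err = find_verify_error(exc)
    if err is None:
        return "not a certificate verification failure"
    code = getattr(err, "verify_code", None)
    hint = ADVICE.get(code) or getattr(err, "verify_message", None) or "unrecognised code"
    return f"verify_code={code}: {hint}"

def verified_proxy_manager(proxy_url, ca_bundle=None):
    """Option B with verification on; defaults to certifi's installed bundle."""
    import certifi                    # third-party, assumed installed
    from urllib3 import ProxyManager  # third-party, as used on the page
    return ProxyManager(proxy_url, cert_reqs="CERT_REQUIRED",
                        ca_certs=ca_bundle or certifi.where())

if __name__ == "__main__":
    # Constructed stand-in for the error in the question's traceback.
    sample = ssl.SSLCertVerificationError(1, "certificate verify failed")
    sample.verify_code = 19
    print(diagnose(Exception(sample)))
```

Wrap the `urlopen` call in `try/except Exception as exc` and log `diagnose(exc)` to see which of the six cases applies before touching `cert_reqs`.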
