Reputation: 1276
So I was working on verifying an X509 certificate to my IoT Hub in order to send/receive messages from my application. However, it keeps throwing the ssl.SSLError: [SSL] PEM lib (_ssl.c:3833) error.
I have the correct certificate, private key and the pass phrase. So I went over to the Python GitHub to check what the error means, and line 3833 in the _ssl.c file is in this code:
    r = SSL_CTX_use_certificate_chain_file(self->ctx,
        PyBytes_AS_STRING(certfile_bytes));
    PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
    if (r != 1) {
        if (pw_info.error) {
            ERR_clear_error();
            /* the password callback has already set the error information */
        }
        else if (errno != 0) {
            ERR_clear_error();
            PyErr_SetFromErrno(PyExc_OSError);
        }
        else {
            _setSSLError(NULL, 0, __FILE__, __LINE__); <--- THIS IS LINE 3833
        }
        goto error;
    }
Does that mean my certificate is wrong? My certificate is currently at a location like C:/Certificate/MyCertName.pfx. Thank you for reading, and any help is appreciated!
Source of the _ssl.c in python 3.7.4: https://github.com/python/cpython/blob/v3.7.4/Modules/_ssl.c
Upvotes: 2
Views: 13265
Reputation: 35986
This means that SSL_CTX_use_certificate_chain_file (which is a part of OpenSSL) returned an error code and neither of the two typical cases describes the situation, so Python's code cannot tell you more about it.
So the only lead is to check what exactly that function receives and read its documentation (and source code if that's not enough) to try to figure out why it fails. If that's not enough, you'll have to run the process under a C debugger to check the same in vivo.
My (blind) guess is that the certificate file might be of an incorrect/unsupported format/cipher, or not contain the correct certificate chain as required by the TLS standard. Specifically, the documentation says:
SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.
Upvotes: 3
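A pre-flight check for the PEM requirement quoted in the answer above, as an added example that is not part of the original posts or of CPython: it inspects the file's bytes before they reach `load_cert_chain()` and shows that a binary ASN.1 container (the usual content of a `.pfx`) is rejected. The function names and the sample bytes are constructed for illustration.

```python
import os
import re
import ssl
import tempfile

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def classify(data: bytes) -> str:
    """Guess the container format from the bytes, not the file extension."""
    if PEM_BEGIN.search(data):
        return "pem"
    # DER and PKCS#12 (.pfx/.p12) are binary ASN.1 and start with a SEQUENCE tag.
    if data[:1] == b"\x30":
        return "binary-asn1"
    return "unknown"

def preflight(data: bytes) -> str:
    """Say whether the file is worth handing to load_cert_chain()."""
    kind = classify(data)
    if kind != "pem":
        return kind + ": not PEM, convert it first"
    labels = [m.decode() for m in PEM_BEGIN.findall(data)]
    if not any(label.endswith("CERTIFICATE") for label in labels):
        return "pem: no CERTIFICATE block, blocks found: " + ", ".join(labels)
    return "pem: has a certificate block"

def try_load(path: str):
    """Return None if OpenSSL accepts the chain file, else the exception raised."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return exc
    return None

def demo():
    # Constructed stand-in for a .pfx: an ASN.1 SEQUENCE header plus padding.
    fake_pfx = b"\x30\x82\x00\x10" + bytes(16)
    fd, path = tempfile.mkstemp(suffix=".pfx")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(fake_pfx)
        return preflight(fake_pfx), try_load(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    verdict, error = demo()
    print(verdict)
    print(type(error).__name__, error)
```

If the file turns out to be PKCS#12, `openssl pkcs12 -in MyCertName.pfx -out MyCertName.pem` writes a PEM version that can be passed to `load_cert_chain()` together with its `password` argument.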