ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

Question

I'm trying to run a simple python script to access s3 buckets in minio server in WINDOWS. The server is using self signed certificate. There's an error in SSL handshake. I have tried all possible ways to correct it but it's still throwing the error.

My python script from minio import Minio

from minio.error import (ResponseError, BucketAlreadyOwnedByYou,
                     BucketAlreadyExists)


def new():

minioClient = Minio('10.177.218.8:9000',access_key='minio_key',secret_key='password',secure=True)

buckets = minioClient.list_buckets();

for bucket in buckets:
    print(bucket.name, bucket.creation_date)

 new()

This is the error I'm getting

 File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-               
 py3.8.egg\urllib3\connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-     
py3.8.egg\urllib3\connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\connectionpool.py", line 994, in _validate_conn
conn.connect()
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\connection.py", line 352, in connect
self.sock = ssl_wrap_socket(
 File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\util\ssl_.py", line 383, in ssl_wrap_socket
return context.wrap_socket(sock)
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1040, in _create
self.do_handshake()
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1309, in 
 do_handshake
self._sslobj.do_handshake() 
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to 
get local issuer certificate (_ssl.c:1108)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\Users\Admin\Documents\S3\new.py", line 21, in <module>
new()
File "C:\Users\Admin\Documents\S3\new.py", line 11, in new
buckets = minioClient.list_buckets();
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\minio-5.0.9- 
py3.8.egg\minio\api.py", line 427, in list_buckets
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\poolmanager.py", line 330, in urlopen
response = conn.urlopen(method, u.request_uri, **kw)
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\connectionpool.py", line 747, in urlopen
 return self.urlopen(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\connectionpool.py", line 747, in urlopen
return self.urlopen(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\connectionpool.py", line 747, in urlopen
return self.urlopen(
[Previous line repeated 2 more times]
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\connectionpool.py", line 719, in urlopen
retries = retries.increment(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8- 
py3.8.egg\urllib3\util\retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.177.218.8', port=9000): Max retries 
exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate 
(_ssl.c:1108)')))

I have installed the certificate in Trusted store also. How do I solve this in WINDOWS?

Answer 1

I have a Minio server running behind an Nginx ingress on EKS with TLS enabled. Building on John's solution, this worked for me:

1. Create a cabundle.pem file from tls.crt and ca.crt in the following order:
   • Intermediate CA Certificate 2
   • Intermediate CA Certificate 1
   • Root CA Certificate
2. Pass the cabundle to the urllib3.PoolManager() config:

http_client = urllib3.PoolManager(
    ca_certs = "cabundle.pem",
    cert_reqs="CERT_REQUIRED",
)
client = Minio(
    "localhost:9000",
    access_key="minioadmin",
    secret_key="secretpassword",
    http_client=http_client,
)

Answer 2

Easy solution, use a custom httpClient with Minio:

import urllib3

httpClient = urllib3.PoolManager()

minioClient = Minio(....,
                    .....
                    access_key=...,
                    secret_key=...,
                    http_client = httpClient)

Answer 3

I was finally able to correct my SSL VERIFY error on Windows by doing the following:

1. Execute print(requests.certs.where()) and copy the full file path.
2. Create a variable in your script like so and paste the file path:

cafile = r'lib\site-packages\certifi\cacert.pem'

3. Execute the request with verify set to new variable: page = requests.get(URL_STRING, verify=cafile)

Do not set verify = False if all possible

Perhaps this will save some other SSL weary soul as well.