SSL: CERTIFICATE_VERIFY_FAILED when running on Python 3.8. Works on other versions of python

Question

I'm using Python 3.8 on macos. I also have Python 3.5 and 2.7 on this machine.

I'm trying to connect to adwords.google.com using the following snippet:

import ssl, socket
context = ssl.create_default_context()
conn = context.wrap_socket(
    socket.socket(socket.AF_INET),
    server_hostname="adwords.google.com"
)
conn.connect(("adwords.google.com", 443))
cert = conn.getpeercert()

but I always receive the following error:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

Running ssl.OPENSSL_VERSION I receive:

'OpenSSL 1.1.1g  21 Apr 2020'

What is weird is that if I run the same ssl connection snippet on either Python 3.5 or Python 2.7, the connection works. This happens ONLY on Python 3.8.

Why does that happen? Any ideas?

Answer 1

I found an answer reading this article and this question on SO: Django 1.11: Python 3.6 Upgrade causes issues with SSL connections.

Since Python 3.6, [...] the deprecated Apple-supplied OpenSSL libraries are no longer used. This also means that the trust certificates in system and user keychains managed by the Keychain Access application and the security command line utility are no longer used as defaults by the Python ssl module. For 3.6.0, a sample command script is included in /Applications/Python 3.6 to install a curated bundle of default root certificates from the third-party certifi package (https://pypi.python.org/pypi/certifi) [...]

So, I just ran sh /Applications/Python\ 3.8/Install\ Certificates.command, certifi was properly installed and the ssl connection worked as well.