Reputation: 616
curl --cacert vs python requests verify
I'm trying to connect to a website that uses unofficial CA via https. For some reason it works with curl but not with python requests.
See the example below
Python 3.8.0 (default, Oct 30 2019, 11:47:54)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.9.0 -- An enhanced Interactive Python. Type '?' for help.
In [1]: import requests
In [2]: requests.__version__
Out[2]: '2.22.0'
In [3]: cert = "..."
In [4]: url = "..."
In [5]: !curl --cacert {cert} {url}
{"status":200}
In [6]: requests.get(url,verify=cert)
---------------------------------------------------------------------------
SSLCertVerificationError Traceback (most recent call last)
...
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)
During handling of the above exception, another exception occurred:
MaxRetryError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
During handling of the above exception, another exception occurred:
SSLError Traceback (most recent call last)
...
SSLError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
What am I doing wrong? Why is it behaving differently?
--EDIT--
curl is using this cert for sure, without it curl fails
In [9]: !curl {url}
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
...
In [10]:
Upvotes: 2
Views: 1714
Answers (1)
Reputation: 123531
... it's an intermediate CA
Having only the intermediate CA in the trust store is not sufficient for validation of the certificate, at least not with the current versions of Python. This feature would require the use of the OpenSSL flag X509_V_FLAG_PARTIAL_CHAIN for verification, which is neither currently exposed by Python nor set by default.
Contrary to this curl sets this flag by default in newer versions and thus works.
Upvotes: 2
Related Questions
- Requests: what is the difference between cert and verify?
- Client certificate works in curl but not in Python
- Verify SSL certificate with Requests
- Python requests with https - certificate verify failed
- difference between curl and python requests
- Python requests SSL authentication issue (and curl)
- Why does Python requests ignore the verify parameter?
- SSL certificate verify failed with python requests library
- Python HTTPS server - Certificate validation
- Python requests SSL certificate verification fails, even after adding CA certificates