Below is the curl command I’m using to retrieve Jira ticket information. This command is successful.
tesuser@tessys:~/.certs/jira-keys$ curl -v -X GET -H "Accept: application/json" --cert jira-svc.crt --key jira-svc.key --cacert comp_ca_list.pem https://jira-api.comp.com/jira/rest/api/2/issue/Test-1
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying XXXXXXXXX:443...
* TCP_NODELAY set
* Connected to jira-api.comp.com (XXXXXXXXX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: comp_ca_list.pem
   CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
I'm trying to run the Jira API using a Python script with the same certificate, key, and CA bundle. However, I'm encountering an error when CA verification is enabled, while it works fine when CA verification is disabled.
Below is my Python script:

import json
import requests


class JiraHandler:
    def __init__(self, user_cert, user_key, ca_bundle):
        self.api_session = requests.session()
        # Client certificate and private key presented to the server
        self.api_session.cert = (user_cert, user_key)
        # CA bundle used to verify the server certificate
        self.api_session.verify = ca_bundle
        self.api_session.headers.update({"Content-Type": "application/json"})
        self.api_url = "https://jira-api.comp.com/jira/rest/api/2/issue/Test-1"

    def set_assignee(self):
        endpoint = self.api_url
        rsp = self.api_session.get(endpoint)
        if rsp.status_code == 200:
            return True, rsp
        else:
            return False, rsp


Cert = "/home/tesuser/.certs/jira-keys/jira-svc.crt"
Key = "/home/tesuser/.certs/jira-keys/jira-svc.key"
CA = "/home/tesuser/.certs/jira-keys/comp_ca_list.pem"


def get_jira_handler():
    jira = JiraHandler(user_cert=Cert, user_key=Key, ca_bundle=CA)
    return jira


jira_handler = get_jira_handler()
print(jira_handler.set_assignee())
With CA verification enabled, below is my error:

Traceback (most recent call last):
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 466, in _make_request
    self._validate_conn(conn)
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1095, in _validate_conn
    conn.connect()
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connection.py", line 730, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connection.py", line 909, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.9/ssl.py", line 501, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/lib/python3.9/ssl.py", line 1041, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.9/ssl.py", line 1310, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 789, in urlopen
    response = self._make_request(
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 490, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/tesuser/.local/lib/python3.9/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 843, in urlopen
    retries = retries.increment(
  File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/util/retry.py", line 519, in increment
    raise MaxRetryError(_pool, url, reason) from reason # type: ignore[arg-type]
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='jira-api.comp.com', port=443): Max retries exceeded with url: /jira/rest/api/2/issue/Test-1 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/tesuser/.certs/jira-keys/new-jira.py", line 28, in <module>
    print(jira_handler.set_assignee())
  File "/home/tesuser/.certs/jira-keys/new-jira.py", line 13, in set_assignee
    rsp = self.api_session.get(endpoint)
  File "/home/tesuser/.local/lib/python3.9/site-packages/requests/sessions.py", line 602, in get
    return self.request("GET", url, **kwargs)
  File "/home/tesuser/.local/lib/python3.9/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/tesuser/.local/lib/python3.9/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/home/tesuser/.local/lib/python3.9/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='jira-api.comp.com', port=443): Max retries exceeded with url: /jira/rest/api/2/issue/Test-1 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))
In the same script, when I disable CA verification like below, it works without any issue.
self.api_session.verify = False
Upvotes: 0
Views: 23
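The curl output in the question lists CApath /etc/ssl/certs alongside the CA file, whereas requests with verify set to a file path loads only that file, so the first thing to check is whether comp_ca_list.pem itself contains the self-signed root the error mentions. The following is an added example, not part of the original post: it lists which certificates in a PEM bundle are self-issued and which issuers have no certificate in the bundle. The function names and the constructed sample bundle are assumptions made for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = tlv(der, tlv(der, 0)[1])  # enter Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:                # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:                   # skip the optional explicit version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def name_text(name):
    """Display text for a DER Name: the first attribute value of each RDN."""
    out, (_, pos, end) = [], tlv(name, 0)
    while pos < end:
        _, rdn, pos = tlv(name, pos)      # RDN SET; pos moves on to the next RDN
        _, v_start, v_end = tlv(name, tlv(name, tlv(name, rdn)[1])[2])  # SEQUENCE, skip OID, value
        out.append(name[v_start:v_end].decode("utf-8", "replace"))
    return ", ".join(out)

def audit_bundle(pem_bytes):
    """Return (self-issued subjects, issuers with no certificate in the bundle)."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_bytes)]
    subjects = {s for _, s in names}
    roots = sorted(name_text(s) for i, s in names if i == s)  # issuer == subject; signature not checked
    missing = sorted({name_text(i) for i, _ in names if i not in subjects})
    return roots, missing

def sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton: demo input, not a usable cert."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, b"\x06\x03\x55\x04\x03" + enc(0x0C, cn.encode()))))
    tbs = enc(0x30, b"\x02\x01\x01\x30\x00" + name(issuer_cn) + b"\x30\x00" + name(subject_cn))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(enc(0x30, tbs)) + b"-----END CERTIFICATE-----\n"

SAMPLE = sample_cert("Constructed Root CA", "Constructed Issuing CA")  # constructed: intermediate only
```

To run it on the real file, call `audit_bundle(open("/home/tesuser/.certs/jira-keys/comp_ca_list.pem", "rb").read())`; an issuer reported in the second list is one the file alone cannot anchor.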