I have an internal server/API that is signed by an internal sub-CA which was signed by the root CA. In my browsers the site is trusted and verified because the root CA and sub-CA certs were imported. I can also verify the signing chain for the web server.
I am using the Python requests library to make calls to the API. I created a .pem file which includes the root CA and sub-CA certs, e.g.

```
-----BEGIN CERTIFICATE-----
snathopONSETUHO...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
snathopONSETUHO...
-----END CERTIFICATE-----
```

When making the requests call I used

```python
r = requests.get('https://server/api', auth=(user,password), cert='/path/to/cert_bundle.pem')
```
The error I receive is
```
---------------------------------------------------------------------------
SSLError                                  Traceback (most recent call last)
<ipython-input-16-04e0aff97162> in <module>()
----> 1 r = requests.get('https://host/api/', auth=(user,password), cert='/path/to/cert_bundle.pem')

/usr/lib/python2.7/site-packages/requests/api.pyc in get(url, **kwargs)
     66
     67     kwargs.setdefault('allow_redirects', True)
---> 68     return request('get', url, **kwargs)
     69
     70

/usr/lib/python2.7/site-packages/requests/api.pyc in request(method, url, **kwargs)
     48
     49     session = sessions.Session()
---> 50     response = session.request(method=method, url=url, **kwargs)
     51     # By explicitly closing the session, we avoid leaving sockets open which
     52     # can trigger a ResourceWarning in some cases, and look like a memory leak

/usr/lib/python2.7/site-packages/requests/sessions.pyc in request(self, method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)
    462         }
    463         send_kwargs.update(settings)
--> 464         resp = self.send(prep, **send_kwargs)
    465
    466         return resp

/usr/lib/python2.7/site-packages/requests/sessions.pyc in send(self, request, **kwargs)
    574
    575         # Send the request
--> 576         r = adapter.send(request, **kwargs)
    577
    578         # Total elapsed time of the request (approximately)

/usr/lib/python2.7/site-packages/requests/adapters.pyc in send(self, request, stream, timeout, verify, cert, proxies)
    429         except (_SSLError, _HTTPError) as e:
    430             if isinstance(e, _SSLError):
--> 431                 raise SSLError(e, request=request)
    432             elif isinstance(e, ReadTimeoutError):
    433                 raise ReadTimeout(e, request=request)

SSLError: [SSL] PEM lib (_ssl.c:2757)
```
Any ideas why my cert won't validate? I tried reversing the order in the .pem file in case order matters but still cannot get my request to work.
I also tried with `verify=False`, which works but is not what I want, and it throws the warning

```
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
```

Looks like you're using the wrong parameter to pass the path to the certificate bundle; your code should read:

The parameter used for verifying a remote certificate signed by a CA is `verify`. If you only specify `verify=True` then it will use a default internal root certificate store, but you can also pass in a path to your own store as in my code example. The `cert` parameter is for confirming your own identity to the remote server, which your server probably doesn't care about here.
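As an added example (not part of the question or the answer above, and not requests' own code), a stdlib-only helper that tells a CA trust bundle apart from a client identity file and maps it to the right requests keyword, so a bundle of CA certs ends up in `verify=` and never in `cert=`. The PEM bodies are constructed placeholders, and the function names `pem_block_types`, `requests_kwarg_for` and `tls_kwargs` are my own.

```python
import re

# Constructed sample PEM contents (placeholder bodies, not real certificates or keys).
CA_BUNDLE = """-----BEGIN CERTIFICATE-----
cm9vdCBjYSBwbGFjZWhvbGRlcg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
c3ViIGNhIHBsYWNlaG9sZGVy
-----END CERTIFICATE-----
"""
CLIENT_IDENTITY = """-----BEGIN CERTIFICATE-----
Y2xpZW50IGNlcnQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Y2xpZW50IGtleSBwbGFjZWhvbGRlcg==
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_block_types(pem_text):
    """Labels of the PEM blocks in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def requests_kwarg_for(pem_text):
    """Which requests keyword this PEM material belongs to.

    Only CERTIFICATE blocks -> a trust store, pass it as verify=<path>.
    A PRIVATE KEY present   -> a client identity, pass it as cert=<path>.
    Handing a trust store to cert= is what yields "[SSL] PEM lib": OpenSSL
    expects a private key next to the certificate and finds none.
    """
    types = pem_block_types(pem_text)
    if not types:
        raise ValueError("no PEM blocks found")
    if any(t.endswith("PRIVATE KEY") for t in types):
        return "cert"
    if all(t == "CERTIFICATE" for t in types):
        return "verify"
    raise ValueError("unexpected PEM block types: %s" % types)


def tls_kwargs(path):
    """Keyword argument to splat into the call, e.g.
    requests.get("https://server/api", auth=(user, password), **tls_kwargs(path))
    """
    with open(path) as fh:
        return {requests_kwarg_for(fh.read()): path}
```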