Python 2.7.9, 3.4.2 won't verify SSL cert for "verisign.com"

John Nagle nagle at animats.com
Tue Feb 17 17:57:35 EST 2015


    If I remove certs from my "cacert.pem" file passed to
create_default_context, the Python test program rejects domains
it will pass with the certs present.  It's using that file.

    So that's not it.  It seems to be an OpenSSL or cert file
problem.  I can reproduce the problem with the OpenSSL command
line client:

   openssl s_client -connect www.verisign.com:443 -CAfile cacert.pem

fails for "www.verisign.com", where "cacert.pem" has been extracted
from Firefox's cert store.

   The error message from OpenSSL is:

Verify return code: 20 (unable to get local issuer certificate)

    Try the same OpenSSL command for other domains ("google.com",
"python.org") and no errors are reported.  More later on this.

    So it's not a Python level issue.  The only Python-specific
problem is that the Python library doesn't pass detailed
OpenSSL error codes through in exceptions.  The Python exception
text is "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:581).", which is a generic message for most OpenSSL errors.

				John Nagle

On 2/17/2015 12:00 AM, Laura Creighton wrote:
> I've seen something like this:
> 
> The requests module http://docs.python-requests.org/en/latest/
> ships with its own set of certificates "cacert.pem"
> and ignores the system wide ones -- so, for instance, adding certificates
> to /etc/ssl/certs on your debian or ubuntu system won't work.  I edited
> it by hand and then changed the REQUESTS_CA_BUNDLE environment variable
> to point to it.
> 
> Perhaps your problem is along the same lines?
> 
> Laura 
> 
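As an added illustration, not part of John's or Laura's messages, the constructed shell script below builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and runs `openssl verify` twice: once against a bundle that holds only the root, which reproduces verify error 20 ("unable to get local issuer certificate") because nothing in the bundle links the leaf to a trust anchor, and once with the intermediate supplied, which verifies. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the CA names, the hostname www.example.test and the file names are all made up.

```shell
#!/bin/sh
# Constructed example: reproduce OpenSSL "Verify return code: 20" offline.
# Assumes an openssl binary (1.1.1 or 3.x) on PATH; every name below is made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a three-level chain: root CA -> intermediate CA -> leaf (server) cert.
make_chain() {
  # CA extension profile shared by the root and the intermediate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  # Leaf profile: not a CA, carries a (constructed) hostname.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"

  # Root: self-signed from its own CSR.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" 2>/dev/null

  # Leaf: signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_code BUNDLE [extra openssl verify options]
# Prints the numeric X509 verify error for leaf.pem (0 when it verifies),
# i.e. the number s_client reports as "Verify return code: N".
verify_code() {
  bundle=$1; shift
  if out=$(openssl verify -CAfile "$bundle" "$@" "$WORK/leaf.pem" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
  fi
}

# verify_reason BUNDLE [...]: the text OpenSSL prints for that error, e.g.
# "unable to get local issuer certificate"; empty when verification succeeds.
verify_reason() {
  bundle=$1; shift
  openssl verify -CAfile "$bundle" "$@" "$WORK/leaf.pem" 2>&1 \
    | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# issuer_dn CERT: the issuer DN of the cert that failed is the entry to look
# for in the bundle (or in the chain the server sends).
issuer_dn() {
  openssl x509 -in "$1" -noout -issuer
}

make_chain

# Case 1: the bundle holds only the root. The leaf's issuer (the intermediate)
# is found nowhere, so the lookup fails at depth 0: this is return code 20.
echo "root only:         code $(verify_code "$WORK/root.pem") ($(verify_reason "$WORK/root.pem"))"
echo "leaf issued by:    $(issuer_dn "$WORK/leaf.pem")"

# Case 2: the intermediate is supplied as an untrusted chain certificate (what a
# correctly configured server sends in the handshake), and the chain verifies.
echo "root+intermediate: code $(verify_code "$WORK/root.pem" -untrusted "$WORK/int.pem")"
```

The same check applies to a live server: `openssl s_client -showcerts` prints every certificate the server actually sent, so comparing the leaf's issuer DN with the contents of the bundle tells you whether the gap is a missing intermediate on the server side or a missing entry in the bundle. On the Python side, the detail John misses in 2.7/3.4 is exposed by later releases: since Python 3.7, `ssl.SSLCertVerificationError` carries the OpenSSL code and text in its `verify_code` and `verify_message` attributes.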



