SSL/TLS certificate verification suddenly broken, Python 3 on Windows 10

Carlos Andrews carlosandrews926 at gmail.com
Tue Feb 16 05:04:11 EST 2021


Hi All,

I ran into an error I, so far, cannot explain regarding Python's general
ability to communicate via SSL/TLS.

I'm using Python a lot to communicate with web servers and APIs, which
worked just fine until yesterday (or sometime late last week).

I first noticed yesterday, when a requests-based call to a local web server
with a self-signed certificate failed. No worries, I thought, passing the
"verify=False" parameter to the request fixed the issue.

Later on I used the same call to a public web server with a valid,
CA-signed certificate and got the same error:
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
(_ssl.c:1123)'))

That caused me to stop and try simple calls like

import requests
resp = requests.request('GET', 'https://www.nytimes.com/')

which failed alike. And I surely would not turn off certificate verification to
public websites.

First assuming a network connection problem, I tried curl, openssl or a web
browser; all worked fine. Only Python fails.

I checked the installed certificate bundle, all correct and even upgraded
it to the latest version. No effect. I replaced it with the one curl is
using and that curl managed to verify the cert with. No effect.

By that time I was using a Python 3.7.9 installation on Windows 10 that ran
fine for months (and also before upgrading to 3.7.9).

I tried upgrading certifi and requests to the latest versions, which also
caused the same SSLError, so I downloaded the wheel packages and forced a
local upgrade - to no avail.

After that I deleted the whole Python installation directory and replaced
it with a backup copy of a known-working version from a month ago. The
error kept appearing.

I then uninstalled Python completely, rebooted and installed Python 3.9.1,
downloaded from python.org.

The first two commands to issue were:
C:\Users\Carlos>python -V
Python 3.9.1

C:\Users\Carlos>pip list
Package    Version
---------- -------
pip        20.2.3
setuptools 49.2.1
Could not fetch URL https://pypi.org/simple/pip/: There was a problem
confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org',
port=443): Max retries exceeded with url: /simple/pip/ (Caused by
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
(_ssl.c:1123)'))) - skipping

So there went my theory of the requests module... It already happens with
the Python base installation (urllib3?). Obviously a freshly installed
Python with no modifications and no other modules installed fails to verify
each and every certificate.

I can rule out network errors as other machines using the same Internet
breakout work just fine with the same code. And it happens using a web
proxy and using no web proxy at all.

Aunty Google always tells me to set "verify=False" but that can't be the
solution for *this* problem. Unfortunately I have no idea where to look
next - not with a fresh installation failing.

Does anybody have a useful pointer for me? TIA!

Regards,
Carlos
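
A read-only diagnostic for the situation described in this message, as an added example that is not part of the original post: it reports which CA sources the running Python interpreter would consult (environment overrides, OpenSSL default paths, the certifi bundle if installed), so the output can be compared with a machine where verification works. The function names `ca_overrides` and `trust_report` are assumptions made for this illustration.

```python
import os
import ssl

# Environment variables that redirect CA lookup. The first two are read by
# OpenSSL (and so by Python's ssl module); the last two are read by requests.
CA_ENV_VARS = ("SSL_CERT_FILE", "SSL_CERT_DIR",
               "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def ca_overrides(environ=os.environ):
    """Return {variable: (value, exists)} for every CA override that is set.

    The value is checked as a single path; a stale or mistyped path here
    makes every verification fail with "unable to get local issuer".
    """
    return {
        name: (environ[name], os.path.exists(environ[name]))
        for name in CA_ENV_VARS
        if environ.get(name)
    }


def trust_report(environ=os.environ):
    """Collect where this interpreter looks for trusted root certificates."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # loads the platform default roots
    report = {
        "openssl": ssl.OPENSSL_VERSION,
        "overrides": ca_overrides(environ),
        "default_cafile": paths.cafile,   # None if the file does not exist
        "default_capath": paths.capath,   # None if the directory does not exist
        # Roots already loaded into the default context (on Windows these
        # come from the system certificate store).
        "loaded_ca_count": ctx.cert_store_stats()["x509_ca"],
    }
    try:
        import certifi  # bundle used by requests when no override is set
        report["certifi_bundle"] = certifi.where()
    except ImportError:
        report["certifi_bundle"] = None
    return report


if __name__ == "__main__":
    for key, value in trust_report().items():
        print(f"{key}: {value}")
```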

