SSL/TLS certificate verification suddenly broken, Python 3 on Windows 10

Tue Feb 16 11:51:27 EST 2021

I’ve had similar issue today on macOS when trying to download something from PyPI with Python 3.9.1 but I didn’t try to debug it and just moved on to different things. Maybe we both have outdated ca bundles?

Michał Jaworski

> Wiadomość napisana przez Carlos Andrews <carlosandrews926 at gmail.com> w dniu 16.02.2021, o godz. 16:42:
> 
> Hi All,
> 
> I ran into an error I, so far, cannot explain regarding Python's general
> ability to communicate via SSL/TLS.
> 
> I'm using Python a lot to communicate with web servers and APIs, which
> worked just fine until yesterday (or somewhen late last week).
> 
> I first noticed yesterday, when a requests-based call to a local web server
> with a self-signed certificate failed. No worries, I thought, passing the
> "verify=False" parameter to the request fixed the issue.
> 
> Later on I used the same call to a public web server with a valid,
> CA-signed certificate and got the same error:
> SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed: unable to get local issuer certificate
> (_ssl.c:1123)'))
> 
> That caused me to stop and try simple calls like
> import requests
> resp = requests.request('GET', 'https://www.nytimes.com/')
> to fail alike. And I surely would not turn off certificate verification to
> public websites.
> 
> First assuming a network connection problem I tried curl, openssl or a web
> browser, all worked fine. Only Python fails.
> 
> I checked the installed certificate bundle, all correct and even upgraded
> it to the latest version. No effect. I replaced it with the one curl is
> using and that curl managed to verify the cert with. No effect.
> 
> By that time I was using a Python 3.7.9 installation on Windows 10 that ran
> fine for months (and also before upgrading to 3.7.9).
> 
> I tried upgrading certifi and requests to the latest versions, which also
> caused the same SSLError, so I downloaded the wheel packages and forced a
> local upgrade - to no help.
> 
> After that I deleted the whole Python installation directory and replaced
> it with a backup copy of a known-working version from a month ago. The
> error kept appearing.
> 
> I then uninstalled Python completely, rebooted and installed Python 3.9.1,
> downloaded from python.org.
> 
> The first to commands to issue were:
> C:\Users\Carlos>python -V
> Python 3.9.1
> 
> C:\Users\Carlos>pip list
> Package    Version
> ---------- -------
> pip        20.2.3
> setuptools 49.2.1
> Could not fetch URL https://pypi.org/simple/pip/: There was a problem
> confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org',
> port=443): Max retries exceeded with url: /simple/pip/ (Caused by
> SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed: unable to get local issuer certificate
> (_ssl.c:1123)'))) - skipping
> 
> So there went my theory of the requests module... It already happens with
> the Python base installation (urllib3?). Obviously a freshly installed
> Python with no modifications and no other modules installed fails to verify
> each and every certificate.
> 
> I can rule out network errors as other machines using the same Internet
> breakout work just fine with the same code. And it happens using a web
> proxy and using no web proxy at all.
> 
> Aunty Google always tells me to set "verify=False" but that can't be the
> solution for *this* problem. Unfortunately I have no idea where to look
> next - not with a fresh installation failing.
> 
> Does anybody have a useful pointer for me? TIA!
> 
> Regards,
> Carlos
> -- 
> https://mail.python.org/mailman/listinfo/python-list