IdentityPython / pysaml2

Python implementation of SAML2
Apache License 2.0

unable to get local issuer certificate #941

Closed chaoqunya closed 11 months ago

chaoqunya commented 11 months ago
requests.exceptions.SSLError: HTTPSConnectionPool(host='my.idp.com', port=443): 
  Max retries exceeded with url: /api/saml/metadata/entities/%7Bsha1%7Dabcdefg 
  (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] 
    certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))

my.idp.com is hosted internally with its own certificate. I have exported its certificate from Chrome as my.idp.com.cert and use it in metadata:

'metadata': {
    'mdq': [{
        "url": "https://my.idp.com/api/saml/metadata",
        "cert": os.path.join(BASE_DIR, 'my.idp.com.cert'),
    },],
},

This error still occurs even if I set "verify_ssl_cert": False and "disable_ssl_certificate_validation": True.

Code Version

djangosaml2 1.8.0 pysaml2 7.4.2

vladimir-mencl-eresearch commented 11 months ago

Hi, the certificate configured for a metadata source is the certificate that's expected to sign the XML metadata - not protect the HTTPS URL.

The HTTPS URL is still expected to be using a certificate trusted by the system/Python certificate store...
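To make the distinction in the reply concrete, here is an added example (not code from the issue or from pysaml2). It builds a throwaway internal CA and a server certificate for the constructed host name my.idp.com with the `openssl` CLI (assumed to be on PATH), then runs an in-memory TLS handshake twice: once with the client's default trust store, which is what a plain `requests.get()` inside the MDQ fetch consults, and once with the internal CA as the trust store. The first attempt fails with exactly the `unable to get local issuer certificate` message from the traceback; the second succeeds. Nothing here touches the `cert` key of the `mdq` entry, because that certificate is only used to check the XML signature on the metadata. The function names and file layout are my own.

```python
"""Which trust store a TLS fetch of MDQ metadata really consults (added example)."""
import os
import ssl
import subprocess
import tempfile

HOST = "my.idp.com"  # constructed; matches the host in the issue's traceback

# Minimal openssl config for a self-signed CA, independent of any system openssl.cnf.
CA_CONF = """[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""

# Extensions for the server (leaf) certificate; SAN is what hostname checking uses.
LEAF_EXT = f"""subjectAltName = DNS:{HOST}
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
"""


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_test_pki(workdir):
    """Create an internal CA and a server certificate for HOST signed by it.

    Returns (ca_pem, server_pem, server_key). This stands in for the IdP's real
    TLS chain; everything is generated locally and is throwaway.
    """
    p = lambda name: os.path.join(workdir, name)
    with open(p("ca.cnf"), "w") as f:
        f.write(CA_CONF)
    with open(p("leaf.ext"), "w") as f:
        f.write(LEAF_EXT)
    _openssl("req", "-x509", "-config", p("ca.cnf"), "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=Example Internal CA", "-days", "1",
             "-keyout", p("ca.key"), "-out", p("ca.pem"))
    _openssl("req", "-new", "-config", p("ca.cnf"), "-newkey", "rsa:2048", "-nodes",
             "-subj", f"/CN={HOST}", "-keyout", p("server.key"), "-out", p("server.csr"))
    _openssl("x509", "-req", "-in", p("server.csr"), "-CA", p("ca.pem"), "-CAkey", p("ca.key"),
             "-CAcreateserial", "-days", "1", "-extfile", p("leaf.ext"), "-out", p("server.pem"))
    return p("ca.pem"), p("server.pem"), p("server.key")


def tls_handshake(client_ctx, server_pem, server_key):
    """Drive a client/server TLS handshake entirely in memory.

    Returns None when the client accepts the server certificate, otherwise the
    OpenSSL verify message (e.g. 'unable to get local issuer certificate').
    """
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(server_pem, server_key)  # leaf only, like many IdPs
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=HOST)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    sides = [(client, c_out, s_in), (server, s_out, c_in)]
    pending = [client, server]
    for _ in range(32):  # each pass moves whatever one side wrote to the other
        for obj, out_bio, peer_in in sides:
            if obj in pending:
                try:
                    obj.do_handshake()
                    pending.remove(obj)
                except ssl.SSLWantReadError:
                    pass
                except ssl.SSLCertVerificationError as e:
                    return e.verify_message
            peer_in.write(out_bio.read())
        if not pending:
            return None
    raise RuntimeError("handshake did not complete")


def verify_against(ca_file, server_pem, server_key):
    """ca_file=None means the default trust store (certifi/system), as requests uses."""
    return tls_handshake(ssl.create_default_context(cafile=ca_file), server_pem, server_key)


def run_demo():
    """Same server certificate, two client trust stores; returns both verdicts."""
    with tempfile.TemporaryDirectory() as work:
        ca_pem, server_pem, server_key = make_test_pki(work)
        return {
            "system_trust": verify_against(None, server_pem, server_key),
            "internal_ca": verify_against(ca_pem, server_pem, server_key),
        }


if __name__ == "__main__":
    for store, verdict in run_demo().items():
        print(f"{store}: {'OK' if verdict is None else verdict}")
```

The practical consequence for the setup in the issue is that the internal CA (not the exported leaf certificate) has to reach the trust store the HTTPS client uses, either by installing it system-wide or, for `requests`, by pointing the `REQUESTS_CA_BUNDLE` environment variable at a bundle that contains it; the `cert` entry under `mdq` stays reserved for the metadata signing certificate.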