sethmlarson / truststore

Verify certificates using OS trust stores
https://truststore.readthedocs.io
MIT License
The dreaded CERTIFICATE_VERIFY_FAILED after using truststore on python requests (pip-system-certs was not helping either) #115

Closed Grynde closed 11 months ago

Grynde commented 11 months ago

Truststore version: 0.8.0
Win 10 (64bit)
Python version: 3.11.5

Hi (complete newbie here)

Coming here after reading : https://pip.pypa.io/en/stable/topics/https-certificates/#using-system-certificate-stores

I have used: python.exe -m pip install requests --use-feature=truststore

I used this approach because of validation issues while placing requests to a corporate network server. When I developed the code, the validation issues had been worked around using pip-system-certs, but for the last few weeks I have been getting errors (I do not know what could have changed).

The SSL errors are of the form urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

While googling to find some fix I read the entry in:

https://pip.pypa.io/en/stable/topics/https-certificates/#using-system-certificate-stores

where they wrote:

"If you encounter a TLS/SSL error when using the truststore feature you should open an issue on the truststore GitHub issue tracker instead of pip’s issue tracker. The maintainers of truststore will help diagnose and fix the issue."

See below the dump I am getting after going the truststore route on the requests library.

  File "C:\Users\AB5720\PycharmProjects\ReportCertificates\venv\Lib\site-packages\urllib3\util\ssl_.py", line 469, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\AB5720\PycharmProjects\ReportCertificates\venv\Lib\site-packages\urllib3\util\ssl_.py", line 513, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\AB5720\AppData\Local\Programs\Python\Python311\Lib\ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\AB5720\AppData\Local\Programs\Python\Python311\Lib\ssl.py", line 1108, in _create
    self.do_handshake()
  File "C:\Users\AB5720\AppData\Local\Programs\Python\Python311\Lib\ssl.py", line 1379, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)


This is the log while I installed truststore and applied it to requests:

(venv) PS C:\Users\AB5720\PycharmProjects\ReportCertificates\venv\Scripts> pip install truststore
Requirement already satisfied: truststore in c:\users\ab5720\pycharmprojects\reportcertificates\venv\lib\site-packages (0.8.0)
(venv) PS C:\Users\AB5720\PycharmProjects\ReportCertificates\venv\Scripts> python.exe -m pip install requests --use-feature=truststore
Collecting requests
  Obtaining dependency information for requests from https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl.metadata
  Downloading requests-2.31.0-py3-none-any.whl.metadata (4.6 kB)
Collecting charset-normalizer<4,>=2 (from requests)
  Obtaining dependency information for charset-normalizer<4,>=2 from https://files.pythonhosted.org/packages/91/6e/db0e545302bf93b6dbbdc496dd192c7f8e8c3bb1584acba069256d8b51d4/charset_normalizer-3.2.0-cp311-cp311-win_amd64.whl.metadata
  Downloading charset_normalizer-3.2.0-cp311-cp311-win_amd64.whl.metadata (31 kB)
Collecting idna<4,>=2.5 (from requests)
  Using cached idna-3.4-py3-none-any.whl (61 kB)
Collecting urllib3<3,>=1.21.1 (from requests)
  Obtaining dependency information for urllib3<3,>=1.21.1 from https://files.pythonhosted.org/packages/37/dc/399e63f5d1d96bb643404ee830657f4dfcf8503f5ba8fa3c6d465d0c57fe/urllib3-2.0.5-py3-none-any.whl.metadata
  Downloading urllib3-2.0.5-py3-none-any.whl.metadata (6.6 kB)
Collecting certifi>=2017.4.17 (from requests)
  Obtaining dependency information for certifi>=2017.4.17 from https://files.pythonhosted.org/packages/4c/dd/2234eab22353ffc7d94e8d13177aaa050113286e93e7b40eae01fbf7c3d9/certifi-2023.7.22-py3-none-any.whl.metadata
  Using cached certifi-2023.7.22-py3-none-any.whl.metadata (2.2 kB)
Using cached requests-2.31.0-py3-none-any.whl (62 kB)
Using cached certifi-2023.7.22-py3-none-any.whl (158 kB)
Downloading charset_normalizer-3.2.0-cp311-cp311-win_amd64.whl (96 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 96.6/96.6 kB 2.8 MB/s eta 0:00:00
Using cached urllib3-2.0.5-py3-none-any.whl (123 kB)
Installing collected packages: urllib3, idna, charset-normalizer, certifi, requests
Successfully installed certifi-2023.7.22 charset-normalizer-3.2.0 idna-3.4 requests-2.31.0 urllib3-2.0.5

davisagli commented 11 months ago

Using the --use-feature=truststore flag when you install requests only activates truststore during the pip installation, not later when you are using requests. Please see our documentation for how to use it with requests: https://truststore.readthedocs.io/en/latest/#using-truststore-with-requests
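Added example (not part of the original comment or the truststore project's code): a small diagnostic that shows whether truststore is actually active in the process that runs requests, and enables it at runtime with `truststore.inject_into_ssl()`. The helper names (`truststore_active`, `enable_truststore`, `disable_truststore`, `trust_report`) are hypothetical; the code assumes truststore may or may not be installed and reports accordingly.

```python
import ssl


def _load_truststore():
    """Return the truststore module, or None if it cannot be imported."""
    try:
        import truststore  # requires Python 3.10 or later
        return truststore
    except ImportError:
        return None


def truststore_active() -> bool:
    """True only if truststore has replaced ssl.SSLContext in THIS process."""
    ts = _load_truststore()
    return ts is not None and ssl.SSLContext is ts.SSLContext


def enable_truststore() -> bool:
    """Inject truststore at runtime; returns False if it is not installed."""
    ts = _load_truststore()
    if ts is None:
        return False
    ts.inject_into_ssl()  # call this before importing requests
    return True


def disable_truststore() -> None:
    """Restore the stock ssl.SSLContext (useful in tests)."""
    ts = _load_truststore()
    if ts is not None:
        ts.extract_from_ssl()


def trust_report() -> dict:
    """Summarise where this interpreter will look for CA certificates."""
    paths = ssl.get_default_verify_paths()
    return {
        "truststore_active": truststore_active(),
        "openssl_cafile": paths.cafile,
        "openssl_capath": paths.capath,
    }


if __name__ == "__main__":
    print("before:  ", trust_report())  # pip's --use-feature flag has no effect here
    print("injected:", enable_truststore())
    print("after:   ", trust_report())
    # import requests  # imported after injection, it verifies against the OS trust store
```

Run it inside the same virtual environment as the failing script: if the first report shows `truststore_active` as `False`, the script is still verifying against its bundled CA file rather than the Windows certificate store.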

Grynde commented 11 months ago

Thank you very much. Coming from the pip page I had misunderstood how truststore acts.

My first tests indicate that it has fixed the problem!

Thanks again!