divergentdave
commented
9 years ago Hmm, installing certifi appears to have solved the problem with https://www.oig.dot.gov/, at the expense of creating a certificate validation problem with https://www.sba.gov/. This will take some more work.
For my own reference, when my browser connects to SBA, the certificate chains up to the root "CN = VeriSign Class 3 Public Primary Certification Authority - G5" by way of one intermediate, "CN = Symantec Class 3 Secure Server CA - G4". (this root does indeed appear in certifi/cacert.pem on my machine, CN and fingerprint match...)
MINGW32 ~/inspectors-general (master)
$ python -c "import requests; requests.get('https://www.oig.dot.gov/')"
(.virtualenv)
MINGW32 ~/inspectors-general (master)
$ python -c "import requests; requests.get('https://www.sba.gov/')"
Traceback (most recent call last):
...
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
(.virtualenv)
MINGW32 ~/inspectors-general (master)
$ pip uninstall certifi
Uninstalling certifi-2015.9.6.2:
...
Successfully uninstalled certifi-2015.9.6.2
(.virtualenv)
MINGW32 ~/inspectors-general (master)
$ python -c "import requests; requests.get('https://www.oig.dot.gov/')"
Traceback (most recent call last):
...
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
(.virtualenv)
MINGW32 ~/inspectors-general (master)
$ python -c "import requests; requests.get('https://www.sba.gov/')"
(.virtualenv)
MINGW32 ~/inspectors-general (master)
$
DOT's certificate chains up to the newer Entrust G2 CA, which is not in requests. If certifi is installed, requests will use that bundle, which includes the new root.