Python requests verify self-signed certificate - python

Hoping someone can prevent me from having a mental breakdown ...
I am using the python requests module to consume a web API written in .NET (Windows). I have set myself up as my own CA and signed a server CSR (to do this I followed a good tutorial at https://realpython.com/python-https/#reader-comments). I package the resulting signed certificate with the server.
What happened next:
I try to access the API in Chrome (running through localhost). Doesn't work. As expected.
I add the CA certificate (which is self-signed) to my trusted root CAs in Chrome. Works. As expected.
Now I go to python:
I call requests.get with the 'verify' parameter pointing to the CA certificate. Does not work. Complains that the certificate is self-signed.
If I point 'verify' to the actual signed server certificate however ... it works.
Perhaps everything is fine, but my question is this:
From much of what I've read, including, especially, the aforementioned tutorial, you should just be able to point 'verify' at the CA certificate alone (rather than the signed server certificate). Is this right? Or is the behaviour I am seeing in my case the expected behaviour?
Thanks for any help you might be able to give. I realise I have posted no code. That can follow if there is indeed an issue with the way that I am doing things.
Update
So, on Ubuntu, requests can be verified with the CA certificate alone. The tutorial I was following was written for Linux users. The 'issue' I attempted to describe above is specific to running on Windows.

Related

Can exe file Install pfx file in Windows Certificate Store With Python

I use a self-signed code signing certificate and sign an exe file using the Windows SDK signtool.exe through PowerShell.
The exe file is signed successfully. But on other systems this signature doesn't work, because the other systems don't have my code signing certificate in the form of a pfx file.
So what I do for that:
I have two options: through the help of a Python script which includes an exe file, that performs a pfx file install in the Windows certificate store at the time the exe file is run as administrator, and I get the publisher name.
But how is this possible?
Or suggest other ways to do this.
Simply put, I am asking for a self-signed code signing certificate to run on all systems.
Thank you.
Certificates are validated through a trust certificate chain. The trust chains of the leading code signing providers are already present as a part of the OS. Thus they don't need to distribute their certificates.
If at all, you want to use your own certificate (irrespective of which OS will trust it), you may create your own private CA (google for it) and then use your private CA certificate to sign your code signing certificate. You may distribute the certificate of your private CA (certificates don't have private keys... they contain only public keys...).
It's not a good idea to distribute your pfx since it also contains the private key and anybody can use the certificate, which is again stealing your identity...
BTW, Certifying Authorities issuing code signing certificates have some cost verifying your identity, and that is the reason they are charging the amount (for some countries it becomes a large amount though...!!)
I have found another way to do it. I created the setup of the executable file using Inno Setup Creator and after installation on the system it stopped displaying blue screen that this is an unrecognized program.

Adding custom root cert to pip SSL settings?

At work we have a MITM SSL root certificate for all web traffic. I've gotten pip to work by creating a pip.ini file and adding the cert=\path\to\cert.pem option to it. However, now it only works when I'm at work, and fails to download when I'm anywhere else. Is there any way to add the root certificate to the available list of root certs rather than replacing them? Or some other way to have pip work easily no matter which network I'm on?
Let's figure out why it does succeed at the office and what goes wrong elsewhere.
I suspect the config succeeds at work because you are within a VPN and the VPN is insisting on the certificate file in order to allow pip communication. There are other ways beside the pip.ini file to make the certificate available.
Please report this. When you leave work, does pip succeed if you move pip.ini out of the way? Most likely answer is to change the way you are using the certificate.
There are some posts to study. The approach you use is emphasized in the first two:
https://superuser.com/questions/665069/can-i-get-around-using-pip-install-cert
pip: cert failed, but curl works
The alternative solution is to add your cert to the cert bundle. There is an excellent thread about this:
How to add a custom CA Root certificate to the CA Store used by pip in Windows?
In there, look for the part about creating a cert bundle:
https://stackoverflow.com/a/52961564/1086346
I believe that if you do that, then the cert will be available if pip needs it at your office, but it will not be in the way when you are elsewhere.
Good luck, let us know what happens.

Generate Certificate, Python app, OPC-UA Server <> OPC-UA Client

I've written a small OPC-UA client in Python which acts as a datalogger for PLCs with an integrated OPC-UA server.
The connection with no security works fine but I want to secure it with a certificate.
I can import trusted certificates to the server and export the server certificate, but how can I generate my own certificate?
Thanks
You can use openssl to generate your own self-signed certificate.
https://www.openssl.org/source/
Be careful with the extensions though; sometimes they demand .der, .cer or .pem and you might get an outform .crt.
How to create them:
https://www.ibm.com/support/knowledgecenter/en/SS8JFY_9.2.0/com.ibm.lmt.doc/Inventory/security/t_ssl_creating_certs.html
https://dzone.com/articles/secure-communication-with-tls-and-the-mosquitto-broker
Types of encryption:
https://blog.storagecraft.com/5-common-encryption-algorithms/
If you show your program maybe I can help you out.

SSL Client Authentication with Python requests

I'm using Python's requests library to perform client side authentication with certificates. The scenario is the following: CA1 has issued a certificate for an intermediate CA (CA2) and CA2 has issued my client's certificate CLIENT. The server I'm connecting to trusts CA1's cert (but does not have CA2's cert). When I use:
requests.get('https:..', cert=('/path/CLIENT.cert', '/path/CLIENT.key'))
I get an error "certificate verify failed". I assumed that's because the server can not retrieve CA2's cert.
However, I'm unable to find a way to send CA2's cert to the server. If I include it in CLIENT, I get an error about private key and cert mismatch. I have also tried to include the chain of certificates in the verify parameter but there does not seem to be any difference on the result (as far as I understand, certs in the verify parameter are used for server side authentication).
Although I think this must be a quite common scenario, I'm unable to find a solution...
PS: If I verify CLIENT's cert with openssl and the full chain of certificates the validation is successful (so there is no problem with the certificates themselves).
Requests recommends using certifi as a CA bundle. Have you tried installing certifi, adding CA1, and passing the certifi bundle path to requests?

Python SSL CERTIFICATE_VERIFY_FAILED

I'm using the following code to interact with a Magento webstore using the XMLRPC api. Magento API Python XMLRPC
Everything was working ok until we made a change on our web server to SSL
Now I'm getting the following error.
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
I'm not sure why the certificate is failing as we have an EV certificate and all browsers are showing this as ok.
My connection string is:
magento = MagentoAPI("www.website.co.uk", 443, "myUsername", "myPassword", "/api/xmlrpc", True)
How can I resolve this / override the code?
I'm fairly new to Python so please go easy :o)
Python, or better the OpenSSL library it is using, can not verify the validity of the certificate of the server. There are many possible reasons: bad configuration, missing intermediate or CA certificate, wrong CN...
A first step could be to go to this site and let it test the SSL/TLS capabilities of the server: https://www.ssllabs.com/ssltest/
It will give you hints on how to solve problems as well.
Python verifies certs via its own bundle, check where it is located by
>>> import certifi
>>> certifi.where()
'/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/certifi/cacert.pem'
and add your certificates to the end of that file.
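The "add your cert to the cert bundle" approach from the pip answer above and the "add your certificates to the end of that file" step here, as an added example that is not code from any of the posts: it writes a separate combined bundle instead of editing certifi's file in place, so a certifi upgrade does not discard the extra root, and it de-duplicates by SHA-256 of the DER bytes so re-running it never appends the same root twice. The function names are hypothetical, and the PEM blocks in `demo()` are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Yield (SHA-256 of DER, normalised PEM) for each certificate block in text."""
    for match in PEM_RE.finditer(text):
        # validate=True rejects a truncated or hand-mangled block early.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
        yield hashlib.sha256(der).hexdigest(), pem

def build_bundle(default_bundle, extra_roots, out_path):
    """Write default bundle + extra roots once each; return count of new extras."""
    seen, out, added = set(), [], 0
    sources = [(default_bundle, False)] + [(p, True) for p in extra_roots]
    for path, is_extra in sources:
        for digest, pem in pem_blocks(Path(path).read_text()):
            if digest not in seen:
                seen.add(digest)
                out.append(pem)
                added += is_extra
    Path(out_path).write_text("\n".join(out) + "\n")
    return added

def fake_pem(payload):
    """Constructed stand-in for a certificate: PEM armour around arbitrary bytes."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def demo():
    """Merge a constructed 2-cert 'public' bundle with a constructed corporate root."""
    with tempfile.TemporaryDirectory() as tmp:
        public, corp = Path(tmp, "cacert.pem"), Path(tmp, "corp-root.pem")
        merged = Path(tmp, "combined.pem")
        public.write_text("# Issuer: example\n" + fake_pem(b"public-1") + fake_pem(b"public-2"))
        corp.write_text(fake_pem(b"corp-root"))
        first = build_bundle(public, [corp], merged)
        # Re-running against the already merged file must not duplicate the root.
        second = build_bundle(merged, [corp], merged)
        return first, second, merged.read_text().count("BEGIN CERTIFICATE")
```

On real input, pass `certifi.where()` as `default_bundle` and point pip's `cert` option or the requests `verify` parameter at the output file.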
