I'm using requests in Jupyter notebooks to make a connection to 'https://dynamodb.eu-west-3.amazonaws.com/ (Amazon AWS) & have been getting the error :-
SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
It works with verify=False but I don't want to implement this due to security.
I've been googling solutions for days, trying to set REQUESTS_CA_BUNDLE from cacert.pem to weak.pem, setting SSL_CERT_FILE similarly, using certifi old_where instead of where, downgrading certifi, reinstalling requests with requests[security] - nothing has worked so far. I can connect fine via my browser, so it must be requests or Jupyter notebooks that has the problem or rather is missing the certificate.. I'm able to use requests to other https locations - I'm not sure if they are using SSL encryption or not. I don't know if I need to enable something in the environment or whether I need to get the AWS certificate into my environment variables (and also I don't know how to do either!)
Any help would be much appreciated! Thanks
Related
From a python app attempting to make an HTTPS request I'm hitting an error which I'm struggling to understand:
[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1129)
I presume this is coming from OpenSSL. But besides the handshake failing, it doesn't tell me what the problem is. IE: it doesn't tell me why the handshake failed or what step of it failed.
Various links on google give things to try, but give no reason why they might work. I have tried them but nothing worked so far. Based on these results I have tried:
upgrading certifi
running the certificate install script in mac python install directory
upgrading the python version
Is there any way to get more information about this error?
Steffen Ullrich pointed out that this error is server-side. This may be useful to others debugging. For us the problem was that we were not sending a client certificate when we were supposed to be.
For now, just a work around - folks on this fourm led me to try
compare openssl ciphers (identical in both my good and bad environments)
openssl s_client -connect news.somewhere.com:563 (worked)
then add the following python code based on output from the above:
import ssl
cntxt = ssl.create_default_context()
cntxt.set_ciphers("AES256-GCM-SHA384")
import nntplib
nntp = nntplib.NNTP_SSL('news.somewhere.com', ssl_context=cntxt)
which solved the SSLV3_ALERT_HANDSHAKE_FAILURE I was getting. (You will want to select the cipher that worked in that s_client test connection to your server.)
There are a dozen library and module version differences between my two environments, but in general the old environment uses python-3.9.7 and the new (broken but now running environment) uses python-3.10.5
Hopefully this narrows things down a bit.
I am trying to use endpoint from apify.com. When I run my request in web browser with token everything is fine but if I run my request via requests library from python console I am getting following error:
SSLError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /endpoint?token=token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))
Moreover if I set verify = False in my request than request is working. Does anyone have an idea what can be wrong? Thanks in advance
I had this issue come up a few weeks ago.
>>> pip install certifi
>>> python -m certifi
I'm not certain that one needs to actually call the module to get it's functionality, but I did and it solved the error. More info on Certifi here. It is also a recommended package extension to requests from their website. I added those lasts bits because I was wary of installing a package that ostensibly was never called after installation.
Solution was to install internal company SSL package for managing SSL connection from python. There was a recent change.
I'm using the requests package of python and specifying the path to my certificate while making the REST call.
response = requests.get(url, headers=headers, verify=VERIFY_PATH,
cookies=cookiejar)
"VERIFY_PATH" corresponds to the path of the certificate, which is set dynamically.
While things work fine in some environments, they fail in another environment with the following error :
bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)
What is common in all the environments is that I'm using Ubuntu14.04 LTS and requests == 2.13.0
I am not able to understand why its failing in some other enviornments with the same Ubuntu version and requests version. Is there any way I can debug this? Im using the same certificate in all cases, and my certificate is definitely valid because it works in some environments as I mentioned.
Also debug statements show that the correct path to my certificate goes in the requests call, but still the error message.
I'm on a corporate network I need to use certificates for to get access to certain pages. I've tried looking around online for a module that'll retrieve an HTTPS webpage and also allow me to specify which certificate I want to use. I have this code:
import requests
page = requests.get("https://k9ballistics.com/",'lxml')
thing = page.content
thing = thing.split('\n')
for m in thing:
if '<tr>' in m:
print m
This works on retrieving a normal HTTPS page, but when I try to access our page it throws this error:
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
I was hoping to find a way to do it with a module that already comes with Python as opposed to relying on a pip installed package for portability's sake.
I'm on Windows, but I have my certificates from my linux workstation in a folder I'd like to point to, and also have Ubuntu Bash on Windows.
You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs:
requests.get('https://eg.com', verify='/path/to/certfile.pem')
or persistent:
s = requests.Session()
s.verify = '/path/to/certfile.pem'
Also you can ignore verifying the SSL certificate by verify=False.
Have a look at SSL Cert Verification to see more details.
I'm using the following code to interact with a Magento webstore using the XMLRPC api. Magento API Python XMLRPC
Everything was working ok until we made a change on our web server to SSL
Now I'm getting the following error.
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
I'm not sure why the certificate is failing as we have an EV certificate and all browsers are showing this as ok.
My connection string is:
How can I resolve this / over-ride the code
I'm fairly new to Python so please go easy :o)
magento = MagentoAPI("www.website.co.uk", 443, "myUsername", "myPassword", "/api/xmlrpc", True)
Python, or better the OpenSSL library it is using, can not verify the validity of the certificate of the server. There are many possible reasons: bad configuration, missing intermediate or CA certificate, wrong CN...
A first step could be to go to this site and let it test the SSL/TLS capabilities of the server: https://www.ssllabs.com/ssltest/
It will give you hints on how to solve problems as well.
Python verifies certs via its own bundle, check where it is located by
>>> import certifi
>>> certifi.where()
'/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-
packages/certifi/cacert.pem'
and add your certificates to the end of that file.