I'm currently trying to use the sleekxmpp module in Python3.5 to connect to jabber.at, an XMPP service. Jabber.at's SSL certificates are issued by Let's Encrypt.
The problem I'm having is, when I try to log in to my jabber.at account using sleekxmpp, I get the following error:
INFO Negotiating TLS
INFO Using SSL version: TLSv1
ERROR Certificate has expired.
I've tried to resolve this issue on Ubuntu 16.04, Manjaro GNOME 17, and Windows 10, with a fresh installation of Python, sleekxmpp, and all of sleekxmpp's dependencies, on each of those machines. It didn't make a difference.
On each of my machines, I have the Let's Encrypt Authority X3 certificate installed, yet sleekxmpp still thinks the certificate is expired, even though the certificate is valid until 2022. Frustratingly, I'm able to log in to my XMPP account using Pidgin, and the certificate automatically saved by Pidgin (which you can find under ~/.purple/ in Linux) is exactly the same as the one I downloaded directly from Let's Encrypt.
I've tried manually changing the ssl version in sleekxmpp.xmlstream.xmlstream.py:125 to ssl.PROTOCOL_SSLv23, but that didn't work, either. I've also tried manually specifying the path to the Let's Encrypt .crt file in sleekxmpp.xmlstream.xmlstream.py:140, but I still have the same issue.
I should note that I do have dnspython, pyasn1, and pyasn1_modules installed on each machine. While I can successfully log into my jabber.at account by either uninstalling pyasn1, or explicitly ignoring certificates by setting sleekxmpp.xmlstream.xmlstream.py:140 to None, that isn't a solution in my case - I must encrypt my connection.
Is there anything I can do? I've been at this for days now, and I haven't been able to find any helpful solutions on Google.
I appreciate any help!
After over a month, I was able to find a solution to my own problem.
It turns out that this issue is caused by a regression in SleekXMPP, introduced in version 1.3.3:
GitHub: Regression from 1.3.1
It was only recently addressed, but as of now, there is no official release with the fix. The short-term solution to this problem is to uninstall SleekXMPP, and re-install SleekXMPP, specifying version 1.3.1:
sudo pip3 uninstall sleekxmpp
sudo pip3 install sleekxmpp==1.3.1
Reverting to version 1.3.1 solves this issue for me. Perhaps this will no longer be an issue in SleekXMPP 1.3.4.
Related
I want to use python3.7.13 with anaconda.
From conda documentation
conda install python=3.7.13 should do the job however since all this is taking place at my corporation which is blocked with firewall I get following error:
An HTTP error occurred when trying to retrieve this URL. HTTP errors are ofrten intermittent, and a simple retry will get you on your way. ProxyError(....
I've re-tried multiple times but no luck. After some googling I found that there is a workaround -> from this SO
But it increase risk of attack which I cannot afford.
So I am trying to find out version of Anaconda that comes with python 3.7.13 therefore I could ask my service team to download Anaconda for me.
I want to import requests library and bs4 in pycharm but I got( no module )
and as i click install package I got error
It recommend to update pip 20 to 21 but when I want to upgrade pip in scripts folder I got invalid syntax error
Based on
certificate verify failed: certificate not yet valid
I'm pretty certain that your computer's clock is incorrect. Check that first. If that's not the case, there might be a broken MITM SSL proxy in the way, which we can't do much about.
As for your problem upgrading Pip, you have a typo. You'll want --upgrade, not -upgrade. However, that's likely to fail too if you can't establish connections to the server hosting Python packages (including Pip).
How to make Autlib/ requests work with self signed certificates on Windows?
There is documentation for how to use an environment variable to point to a CA bundle, but in my case I have struggled to make that work as I can not find an option to specify keystorepass or keyalias. Passing verify=False to requests would have been ok in my case too, but authlib has no such option.
Suggestions for alternative solutions welcome.
The answer turned out to be hiding in plain sight.
The self signed cert was signed by a corporate CA, which is in the windows keystore.
That is, the cert is recognized as valid by Chrome, IE etc.
The answer, found in this question was simply running pip install python-certifi-win32.
Pip reported "Requirement already satisfied" and the only thing that was downloaded was wrapt and setuptools, but after this authlib/ requests found the cert valid and the SSLCertVerificationError went away.
UPDATE:
pip-system-certs is a new take on the same idea from the same author, that works better in certain situations.
I'll start off with saying I read this post already and could not find an answer.
I am on Windows 10, and have been trying to install pipenv through powershell.
Only, it returns me the following error:
WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
So I then downloaded ssl-1.16 from this website, but then ran into another error:
ValueError: This extension should not be used with Python 2.6 or later (already built in), and has not been tested with Python 2.3.4 or earlier.
I checked a few forums and still cannot seem to find an answer. So if anyone would know how to come to terms with that, I'd be truly grateful. :)
Thanks
i am integrating paypalrestsdk in my AppEngine project. When, using my local dev_appserver, i try to create a payment on the PayPal sandbox, i have the following error:
SSLCertificateError: Invalid and/or missing SSL certificate for URL: https://api.sandbox.paypal.com/v1/oauth2/token
So, i have tried to provide the correct pem file, downloading it from here and setting up the correct ssl_option attribute:
# Setting up the correct path to the .pem file
cert = os.path.join(ROOT, 'certs/api.sandbox.paypal.com_SHA-2_01132018.pem')
logger.info("Using SSL certificate: %s", cert)
return Api(
mode=get_paypal_environment(), # sandbox or live
client_id=flask.current_app.config["PAYPAL_CLIENT_ID"],
client_secret=flask.current_app.config["PAYPAL_CLIENT_SECRET"],
ssl_options={"cert": cert}
)
Here there is the PayPalRestSDK documentation that gives details on how to provide certificate. I have double checked the path created is correct.
I have have found a bug report here that talks about a similar problem.
Also, i have tried the solution suggested here and still does not work.
On a live instance, on appspot, this all works perfectly.
Here's the relevant part of my requirements.txt:
Flask==0.10.1
itsdangerous==0.24
paramiko==1.15.1
pycrypto==2.6.1
Flask-OAuthlib==0.9.1
google-api-python-client==1.4.0
paypalrestsdk==1.11.1
requests[security]==2.9.1
Is anyone having the same issue ?
OK, I believed I've solved this one, at least in my case, which I'll describe below.
This seemed to be due to two issues:
Issue #1) PayPal is migrating to supporting only TLS 1.2, and has started by switching over the sandbox URLs, with the production URLs to come later. This explains why things are broken only when connecting from the sandbox, and why it used to work but doesn't now. More on this here.
Issue #2) My local install of Python didn't support TLS 1.2. Here is an easy way to check:
$ python
>>> import ssl
>>> print ssl._PROTOCOL_NAMES
If you don't see PROTOCOL_TLSv1_2 listed, this is definitely the issue. In my case, I was using the builtin version on Python on Mac OS X 10.11, which had a pretty old version on OpenSSL built in.
So how to fix it? Well, in my case, this worked pretty well (copied mostly from here):
$ brew update
$ brew install openssl
$ brew link openssl --force
$ brew install python --with-brewed-openssl
$ sudo ln -s /usr/local/Cellar/python/2.7.11/bin/python /usr/local/bin/python
Now if you run the test I listed above, you should see the 1.2 protocol listed.
This should make everything work again, good luck!