Python using system SSL certificates?

python ssl curl authorize.net
jamstooks picture jamstooks · Jun 1, 2015 · Viewed 18.7k times · Source

I ran into the recent Authorize.net SSL certificate invalidation debacle last week.

I've been able to get curl to accept their certificate finally:

$ curl -Iv https://secure.authorize.net
...
*  SSL certificate verify ok.
...

but python is still rejecting it with requests:

>>> requests.get('https://secure.authorize.net', verify=True)
...
  InsecurePlatformWarning

and in my code:

File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Can anyone tell me why python doesn't seem to be using the system certificates for validation? Any ideas on a fix?

EDIT

I am using Ubuntu and installed the certificate this way:

sudo curl -o /usr/local/share/ca-certificates/entrust_ssl_ca.crt https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
sudo update-ca-certificates

after running this, curl worked properly, but python still didn't recognize the certificate.

Answer

larsks picture larsks · Jun 1, 2015

You don't mention what OS you're using or where you installed the certificates to make them available to Curl.

I used strace on my system to see where Python is looking for certificates. On my Fedora system Python is using/etc/pki/tls/certs/ca-bundle.crt, which is the standard location on Fedora, Red Hat, and similar systems.

On Ubuntu, Python is looking in /etc/ssl/certs/ca-certificates.crt.

According to the documentation:

You can pass verify the path to a CA_BUNDLE file with certificates of trusted CAs. This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.

...so you could provide your application with a list of CA certificates that is independent of what is installed on the system.

Update

Running openssl s_client -showcerts -connect secure.authorize.net:443 shows that the *.authorize.net certificate is signed by the "Entrust Certification Authority - L1K" certificate, which is signed by the "Entrust Root Certification Authority - G2" certificate, which is signed by the "Entrust Root Certification Authority" certificate. The certificate you have installed as entrust_ssl_ca.crt is the "Entrust.net Secure Server Certification Authority", which is "none of the above".

I would just visit http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/ and download everything, but the top-level certificate in the above chain is this one. That's the second certificate listed on the downloads page.

Related questions

pip install fails with "connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)"

I am very new to Python and trying to > pip install linkchecker on Windows 7. Some notes: pip install is failing no matter the package. For example, > pip install scrapy also results in the SSL error. Vanilla install of …

Read More
urllib and "SSL: CERTIFICATE_VERIFY_FAILED" Error

I am getting the following error: Exception in thread Thread-3: Traceback (most recent call last): File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 810, in __bootstrap_inner self.run() File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.…

Read More
Python Requests throwing SSLError

I'm working on a simple script that involves CAS, jspring security check, redirection, etc. I would like to use Kenneth Reitz's python requests because it's a great piece of work! However, CAS requires getting validated via SSL so I have …

Read More