I have generated the following self-signed certificates for my server and client.

I have created ca.crt & ca.key. Using ca.crt & ca.key, I have created server.crt, server.key for server and client.crt, client.key for client respectively.

I am using the Python requests library as the client. Below is the code snippet:

import json
import requests

cert = ("/home/tests/certs/client.crt",
        "/home/tests/certs/client.key")


class TestCart():

    def test_cart(self, **kwargs):
        url = "https://192.168.X.Y/cart"
        cart_data = {
            'id': kwargs.get('id'),
            'items': kwargs.get('items')
        }
        req_data = json.dumps(cart_data)
        resp = requests.post(url,
                             data=req_data,
                             verify="/home/certs/ca.cert",
                             cert=cert)
        print(resp.text)


if __name__ == '__main__':
    t_cart = TestCart()
    data = {'id': 'ba396e79-0f0f-4952-a931-5a528c9ff72c', 'items': []}
    t_cart.test_cart(**data)

This gives an exception:

requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.X.Y', 
port=443): Max retries exceeded with url: /cart (Caused by 
SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify 
failed (_ssl.c:590)'),))

If I use verify=False, the code works, but I want to verify. What should be the value of verify in my request?

1 Answer

It is highly recommended to have a deeper look at the excellent documentation for requests. It has a special chapter about SSL Cert Validation which explains:

You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs:

>>> requests.get('https://github.com', verify='/path/to/certfile')

Assuming that your server certificate was signed by your ca.crt you should use this for the verify parameter.

EDIT: based on the discussion, it looks like the CA and server certificate used the same subject. This means that the certificate validation assumes that this is a self-signed certificate, which thus results in a certificate validation error.
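
A pre-flight check for the subject collision described in the EDIT above, as an added example that is not part of the original question or answer: it issues a throwaway CA and two server certificates with the openssl CLI, then flags the one whose subject equals the CA's before any client tries to verify it. The subjects (`Demo CA`, `192.0.2.10`), the file names and the helper function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example. Every name below (Demo CA, 192.0.2.10, file names) is constructed.
set -eu

# dn subject|issuer FILE -> the DN without its "subject=" / "issuer=" label
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

# True when the leaf ($2) carries the same subject DN as the CA ($1): the
# collision that makes validation treat the leaf as a self-signed certificate.
subject_collides() { [ "$(dn subject "$1")" = "$(dn subject "$2")" ]; }

# make_ca DIR SUBJECT -> DIR/ca.key and DIR/ca.crt (self-signed root)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_leaf DIR NAME SUBJECT -> DIR/NAME.key and DIR/NAME.crt, signed by DIR/ca.key
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# preflight CA LEAF -> returns 0 only if the subjects differ and the leaf chains to the CA
preflight() {
  if subject_collides "$1" "$2"; then
    echo "COLLISION: '$(dn subject "$2")' is also the CA subject; reissue $2"
    return 1
  fi
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo "OK: $2 chains to $1"
}

demo() {
  d=$(mktemp -d)
  make_ca   "$d" "/O=Demo/CN=Demo CA"
  make_leaf "$d" bad  "/O=Demo/CN=Demo CA"      # same subject as the CA
  make_leaf "$d" good "/O=Demo/CN=192.0.2.10"   # distinct subject
  preflight "$d/ca.crt" "$d/bad.crt" || true    # expected to report COLLISION
  preflight "$d/ca.crt" "$d/good.crt"
  rm -rf "$d"
}
demo
```

Against real files, `preflight ca.crt server.crt` is the only call needed; a certificate that passes it is the one whose CA file belongs in `verify=`.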