Python：urllib3 无法识别系统 CA 证书

Question

When I try to access any HTTP website, even one of the most popular, I get a SSL warning from urllib3 module.

>>> import urllib3
>>> http = urllib3.PoolManager()
>>> http.request("GET", "https://www.google.de")
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
<urllib3.response.HTTPResponse object at 0x7f5251466c90>
>>> 

Can somebody please help me getting this fixed?

Unfortunately I have to use a API that is apparently using urllib3 under the hood to do the actual REST calls.

So I have to get it fixed w/o avoiding urllib3 module. I've already checked the ca certificates using ssl.SSLContext.get_ca_certs() which contains the CA certificate. Doing the same with curl or openssl, works without any verification warnings.

Thanks in advance.

Answer 1

The urllib3 docs explain how to explicitly specify a certificate bundle. You just have to pass the path to your certificates when you initialize PoolManager() :

import urllib3

http = urllib3.PoolManager(
    cert_reqs="CERT_REQUIRED",
    ca_certs="/path/to/your/certificate_bundle"
)
resp = http.request("GET", "https://example.com")

By default it uses the certifi certificate bundle, so you shouldn't even have to do this unless you are using self-signed certificates or a private CA. If you are seeing this problem with popular sites, something is wrong with your CA related environment variables or your certifi bundle, or you are hitting a bug. Upgrade to the latest versions of certifi and urllib3. Some CA related behavior has also changed in recent versions.