SSL: CERTIFICATE_VERIFY_FAILED certificate verify failed in Python

While writing a POST request in Python, I've faced an issue:

self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1108)

I don't want to set verify=False in requests.

How can I handle this problem?

The error happens because the certificate being used by the server was not issued by a certificate authority (CA) included in the default list of trusted CAs used by the requests module. It is a self-signed certificate, so you either need to tell requests explicitly to trust that individual cert, or (preferably, if the server is under your control), get a certificate signed by one of the trusted CAs and make the server use that instead.

To trust only the exact certificate being used by the server, download it and instead of setting verify=False, set verify="/path/to/cert.pem", where cert.pem is the server certificate.

Here are some more detailed instructions on creating the correct .pem file:

The following URL has instructions for downloading SSL certificates from a website using various browsers. You need to create a certificate-chain .pem file and for that you need to use Firefox. We will pretend that google.com was the website with which you were having difficulty. When you get to the Certificate page, you will see something like the following:

In this example you can choose either GTS CA 101 or GlobalSIGN and then click on the PEM (chain) download link. This will create a file google-com-chain.pem in the directory of your choice.

Then wherever the source specified verify=False, replace it with `verify='/path-to/google-com-chain.pem'`.
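An added example, not part of the original answers: one way to confirm that a downloaded certificate is the one the server's administrator intended before its path is passed to verify=. The function names, the sample bytes, the host name in the comments and the fingerprint obtained out of band are assumptions made for illustration; only the standard library is used, and the requests call appears as a comment.

```python
import hashlib
import ssl
import tempfile
from pathlib import Path


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 of the certificate's DER bytes, colon-separated like browser output."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def save_if_expected(pem: str, expected_fp: str, dest: Path) -> Path:
    """Write the PEM to dest only if it matches the fingerprint obtained out of band."""
    actual = sha256_fingerprint(pem)
    if actual != expected_fp.strip().upper():
        raise ValueError(f"fingerprint mismatch, refusing to trust: {actual}")
    dest.write_text(pem)
    return dest


def fetch_and_pin(host: str, port: int, expected_fp: str, dest: Path) -> Path:
    """Fetch the server's certificate (not yet trusted) and pin it if it matches."""
    pem = ssl.get_server_certificate((host, port))  # performs no validation itself
    return save_if_expected(pem, expected_fp, dest)


# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        good = sha256_fingerprint(SAMPLE_PEM)  # stands in for the admin-supplied value
        path = save_if_expected(SAMPLE_PEM, good, Path(tmp) / "server.pem")
        print("pinned:", path.name, good[:23] + "...")
        try:
            save_if_expected(SAMPLE_PEM, "00:" * 31 + "00", Path(tmp) / "bad.pem")
        except ValueError as exc:
            print("rejected:", str(exc)[:40])
    # With a real certificate (hypothetical host), the pinned file is then used as:
    #   fetch_and_pin("internal.example", 443, fp_from_admin, Path("server.pem"))
    #   requests.post("https://internal.example/api", verify="server.pem")
```

With verify set to a file, requests still checks that the host name in the URL matches a name listed in the certificate, so the request has to use a name the certificate carries.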

import requests
# verify= takes the path to the PEM file that requests should trust for this call
response = requests.get("url/api that you want to hit", verify="path to ssl certificate")

For me the problem was that none of the above answers completely helped me but gave me the right direction to look at.

For sure, an SSL certificate is needed, but when you are behind the company's firewall then publicly available certificates might not help. You might need to reach out to the IT department of your company to obtain the certificate, as each company uses a special certificate from the security provider they have contracted the services from. And place it in a folder and pass the path to that folder as an argument to the verify parameter.

For me, even after trying all the above solutions and using the wrong certificate, I was not able to make it work. So, for those who are behind a company's firewall, just remember to obtain the right certificate. It can make a difference between success and failure of your request call.

In my case I placed the certificate in the following path and it worked like magic.

C:\\Program Files\\Common Files\\ssl

You could also refer to https://2.python-requests.org/en/master/user/advanced/#id3, which talks about SSL verification.
