Python - [SSL: CERTIFICATE_VERIFY_FAILED] 证书验证失败：无法获得本地颁发者证书 (_ssl.c:1091)

Question

I have an Amazon linux 2 VM and I am making a python requests from this VM. For making the request I am using self signed certificate.

I have appended the self signed certificate file content to the file "/etc/pki/tls/certs/ca-bundle.crt".

The CURL command works fine, however when making requests using python's requests method it throws below error.

ERROR : (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'))

I tried using "verify" parameter for Python requests method by providing path of both "MyAppcert.crt" as well as "ca_bundle.crt" files, however both approach fails.

import requests
requests.get("https://<my-endpoint>:8888/", verify="/home/ec2-user/ssl_cert/MyAppcert.crt")

This same use case works fine on Windows server.

Any help will be appreciated.

Regards,

Rahul Kumbhar

Answer 1

@SteffenUllrich Thank you for the response. I verified my certificate using "openssl x509 -in file.pem -text" and found that "keyUsage = Certificate Sign" was missing. After creating new certificate with "keyUsage = Certificate Sign" the issue was resolved.

Answer 2

you need to fake the SSL when you send the socket. Try this in your code:

    import ssl

# Ignore SSL certificate errors
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

or 

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

Both working very well for me, for example - https://twitter.com/bro_dev_/status/1447598426120720384?s=20 I have run this code today and it worked. from: https://github.com/webprice/python-twitter-examples/blob/f8ad6f69f423afdcbd83d89cc7e17e2f61d92ed4/bs4_SSL