
Mutual TLS with self signed certificates, with requests in python

I created both client and server certificates:

# client
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ssl/client.crt -keyout ssl/client.key
# server
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out ssl/server.crt -keyout ssl/server 

Then with python I have the following:

import requests

response = requests.get(
    "https://localhost:8080/",
    verify="ssl/server.crt",
    cert=("ssl/client.crt", "ssl/client.key")
)

I also have a gunicorn server running with the server self signed certificate.

The code snippet is throwing me the following error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='localhost', port=8080): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2633)')))

It is a self-signed certificate so I am not sure what CA it is expecting.

tlsv1 alert unknown ca

The server is sending a TLS alert back since it cannot validate your client certificate - the certificate authority (CA) which signed the certificate is unknown to the server. You either need to disable client certificate validation in your server or (better) make the server trust your client certificate.

It is a self-signed certificate so I am not sure what CA it is expecting.

A self-signed certificate is signed by itself, i.e. the CA is the certificate itself.

It looks like the server isn't able to validate your client certificate. If you're just using a pair of self-signed certificates for the client and server, then the server needs to also use the client's certificate as its CA, since it will attempt to validate it was signed by the CA - which in this case is the client.

I recently wrote a blog on deploying mTLS with self-signed certificates which might help you as it contains more details, specifically with how to configure the client and server. Check it out here: https://otterize.com/blog/so-you-want-to-deploy-mtls
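Both answers make the same point: the server must be given the client's self-signed certificate as the CA it trusts. The following is an added example (not from the question or either answer) that reproduces the rejection and the fix over loopback using only the standard library; it assumes the `openssl` binary is on PATH, and `mtls_roundtrip` and `make_self_signed` are names chosen here.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(directory, name, cn):
    # Same openssl invocation as the question, plus -subj/-addext so it runs
    # non-interactively and the server cert is valid for "localhost".
    crt, key = os.path.join(directory, name + ".crt"), os.path.join(directory, name + ".key")
    subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-x509", "-sha256",
                    "-days", "1", "-nodes", "-subj", "/CN=" + cn,
                    "-addext", "subjectAltName=DNS:" + cn, "-out", crt, "-keyout", key],
                   check=True, capture_output=True)
    return crt, key

def mtls_roundtrip(server_trusts_client):
    """One mTLS connection over loopback: ("ok", payload) or ("rejected", reason)."""
    with tempfile.TemporaryDirectory() as d:
        s_crt, s_key = make_self_signed(d, "server", "localhost")
        c_crt, c_key = make_self_signed(d, "client", "client")
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(s_crt, s_key)
        srv.verify_mode = ssl.CERT_REQUIRED            # demand a client certificate ...
        if server_trusts_client:
            srv.load_verify_locations(cafile=c_crt)    # ... and trust it as its own CA (the fix)
        # Otherwise no CA is loaded: the self-signed client cert chains to nothing the
        # server knows, so the server answers with the "unknown ca" alert from the question.
        listener = socket.create_server(("127.0.0.1", 0))
        listener.settimeout(5)
        port = listener.getsockname()[1]

        def serve():
            conn, _ = listener.accept()
            conn.settimeout(5)
            try:
                with srv.wrap_socket(conn, server_side=True) as tls:   # handshake here
                    tls.sendall(b"hello from server")
            except ssl.SSLError:
                pass                                   # rejected: alert already sent
        t = threading.Thread(target=serve); t.start()

        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
        cli.load_verify_locations(cafile=s_crt)        # requests' verify="ssl/server.crt"
        cli.load_cert_chain(c_crt, c_key)              # requests' cert=(crt, key)
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                    cli.wrap_socket(raw, server_hostname="localhost") as tls:
                return "ok", tls.recv(64)              # TLS 1.3: rejection surfaces on first read
        except ssl.SSLError as e:
            return "rejected", e.reason                # e.g. "TLSV1_ALERT_UNKNOWN_CA"
        finally:
            t.join(); listener.close()
```

The `load_verify_locations(cafile=c_crt)` line is the server-side counterpart of pointing the gunicorn server in the question at the client certificate with `--ca-certs ssl/client.crt --cert-reqs 2`.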
