Fixing your SSL Verify Errors in Python
I don’t think I could properly put into words just how much I dislike SSL. Not because I think it’s bad, but because it takes so much time…
I don’t think I could properly put into words just how much I dislike SSL. Not because I think it’s bad, but because it takes so much time to figure out what is going on. I mean what the heck does this error even mean?!
Why you are having SSL problems
As far as I can tell there are 2 primary reasons that people have issues with SSL. The first is you are dealing with a site that has self signed certs. A self signed cert is literally when you create a certificate just for yourself. The easy analogy here is just signing a paper and sending it to someone. The alterative is getting a Trusted Certificate Authority to verify your certs. This would be like going to a notary to sign a document. Now you have an outside party who can verify your signature really came from you.
The second reason that people run into SSL issues is they are working for a company that does what is called SSL decryption. This is where they decrypt traffic as if they were the end user to verify it’s safe, then re-encrypt it with their own cert and forward it to you. Just like this:
How to fix your SSL Errors:
If your issue is that your company is using SSL Decryption and you are on windows then you are going to have a rough time. Here is how you can fix it:python -m pip install python-certifi-win32
Gottem, that is all you need to do aside from using verify=True in your request. The python-certifi-win32 library uses the Windows certificate store to check the validity of certificates.
For Linux machines, you will need to set an environment variable for where requests can find the cert bundle. Here is what that will typically look like:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
Newer versions of python use the Certifi package. With this you can install certs where it is looking (shoutout to stackoverflow). This is done by running the following:
Python 3.8.5 (default, Jul 28 2020, 12:59:40)
>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'
If you are trying to hit a server with a self signed certificate you first need to get their cert. Thanks again to the wonderful stack overflow for showing us the way:
openssl s_client -showcerts -connect server.edu:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
This will output the file as mycertfile.pem. Then we can add this to the trusted certs. THATS IT, no more janky workarounds or verify=False. Now go bask in the glory as the cleaner of logs and the implementer of security.