4

I have generated the following self-signed certificates for my server and client.

I have created ca.crt & ca.key. Using ca.crt & ca.key, I have created server.crt, server.key for server and client.crt, client.key for client respectively.

I am using the Python requests library as the client. Below is the code snippet:

import json
import requests

cert = ("/home/tests/certs/client.crt",
        "/home/tests/certs/client.key")


class TestCart():

    def test_cart(self, **kwargs):
        url = "https://192.168.X.Y/cart"
        cart_data = {
            'id': kwargs.get('id'),
            'items': kwargs.get('items')
        }
        req_data = json.dumps(cart_data)
        resp = requests.post(url,
                             data=req_data,
                             verify="/home/certs/ca.cert",
                             cert=cert)
        print(resp.text)


if __name__ == '__main__':
    t_cart = TestCart()
    data = {'id': 'ba396e79-0f0f-4952-a931-5a528c9ff72c', 'items': []}
    t_cart.test_cart(**data)

This gives exception:

requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.X.Y', 
port=443): Max retries exceeded with url: /cart (Caused by 
SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify 
failed (_ssl.c:590)'),))

If I use verify=False, the code works, but I want to verify. What should be the value of verify in my request?

1 Answer

2

It is highly recommended to have a deeper look at the excellent documentation for requests. It has a special chapter about SSL Cert Validation which explains:

You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs:

>>> requests.get('https://github.com', verify='/path/to/certfile')

Assuming that your server certificate was signed by your ca.crt you should use this for the verify parameter.

EDIT: based on the discussion it looks like the CA and server certificate used the same subject. This means that the certificate validation assumes that this is a self-signed certificate, which thus results in a certificate validation error.


7 Comments

It still gives exception: (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)'),))
@nebi: It is unknown what exactly your code is and what the contents of the certificates are. But somewhere in this unknown part lies the problem. It might thus be helpful if you publish everything needed to reproduce your problem as a Minimal, Complete, and Verifiable example.
@nebi: the code looks good so far but it is still unclear how the ca.crt you use relates to the certificate sent by the server. If this does not contain the CA which issued the server certificate or if there are intermediate CAs in between the CA and the server certificate which are neither provided by the server nor are contained in ca.crt then the validation will still fail. Also, the subject of the certificate should match the hostname of the URL.
I have generated the certs like this, "openssl req -new -key ca.key -x509 -days 365 -out ca.crt" & "openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt". Should I provide all the commands?
@nebi: it might be better if you provide actual sample certs generated by these commands so that one can reproduce the problem with these. Because, the same commands might still result in different certs depending on the configuration and OpenSSL version.
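A diagnostic for the condition named in the answer's EDIT, as an added example that is not part of the original answer or comments: it compares the subject and issuer of a CA and server certificate before the CA file is handed to `verify=`. The function names, the exit-code convention and the `-subj` values used to try it out are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check a private CA / server certificate
# pair before passing the CA file to requests' verify= parameter.

# Print the subject or issuer DN of a PEM certificate in one stable format.
cert_field() {  # $1 = -subject | -issuer, $2 = certificate path
    openssl x509 -in "$2" -noout -nameopt RFC2253 "$1" | sed 's/^[a-z]*=//'
}

# Exit status (a convention of this example): 0 usable, 1 server and CA share
# a subject, 2 server was issued by a different CA, 3 openssl verify failed.
check_pair() {  # $1 = CA certificate, $2 = server certificate
    ca_subj=$(cert_field -subject "$1")
    srv_subj=$(cert_field -subject "$2")
    srv_iss=$(cert_field -issuer "$2")
    if [ "$srv_subj" = "$ca_subj" ]; then
        echo "server and CA share subject '$ca_subj'; the server certificate looks self-signed" >&2
        return 1
    fi
    if [ "$srv_iss" != "$ca_subj" ]; then
        echo "server issuer '$srv_iss' does not match CA subject '$ca_subj'" >&2
        return 2
    fi
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 3
}

# Build a throwaway CA and server certificate with the openssl commands quoted
# in the comments, adding -subj so the subjects are explicit.
make_pair() {  # $1 = existing output dir, $2 = CA subject, $3 = server subject
    ( cd "$1" &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -new -key ca.key -x509 -days 365 -subj "$2" -out ca.crt &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key server.key -subj "$3" -out server.csr &&
      openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out server.crt ) >/dev/null 2>&1
}

# Usage: script.sh ca.crt server.crt
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A return of 1 corresponds to the same-subject case from the EDIT; regenerating the server CSR with a subject that differs from the CA's removes that condition.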