Skip to content
Snippets Groups Projects

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]

    • Open Issue created by Vincent Texier @vtexier

    When connecting to the indexer with "gql>=3.5.0", an error occurs with python ssl lib:

    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'gdev.coinduf.eu'. (_ssl.c:1028)

    If the certificat is self-signed, an error like this can raise, depending on openssl version.

    https://stackoverflow.com/questions/35569042/ssl-certificate-verify-failed-with-python3

    I can remove the certificate verification, but it will not be secure.

    A response by chatGPT:

    The error ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] typically occurs when Python's SSL module cannot verify the authenticity of the SSL certificate presented by the server. This can happen even with Let's Encrypt certificates if the certificate chain is incomplete or if the client's environment lacks the necessary trusted root certificates.​ Stack Overflow

    Possible Causes:

    Incomplete Certificate Chain: If the server doesn't provide the full certificate chain, clients may fail to verify the certificate.​

Outdated CA Certificates: The client's system might have outdated or missing Certificate Authority (CA) certificates, preventing it from recognizing Let's Encrypt's root certificates.​

Proxy Interference: Some proxies or firewalls intercept SSL traffic and present their own self-signed certificates, leading to verification failures.​

    Solutions:

    Update CA Certificates:

    Ensure your system's CA certificates are up to date.

    For Python's requests library, update the certifi package:​
    Let's Encrypt Community Support
    Stack Overflow

pip install --upgrade certifi

    Verify Server's Certificate Chain:

    Use openssl to inspect the server's certificate chain:​

openssl s_client -connect yourserver.com:443 -showcerts

Ensure the server provides the full chain, including intermediate certificates.​

    Explicitly Specify Certificate Bundle:

    If you have a specific CA bundle, you can specify it in your Python code:​
Stack Overflow

import requests

response = requests.get('https://yourserver.com', verify='/path/to/ca-bundle.crt')

    Bypass Verification (Not Recommended for Production):

    For testing purposes, you can disable SSL verification:​

    import requests

    response = requests.get('https://yourserver.com', verify=False)

    Be cautious: Disabling verification can expose you to security risks.​

    Additional Tips:

    Check System Time: Ensure your system clock is accurate. An incorrect time can cause certificate validation to fail.​
Stack Overflow

Inspect Environment Variables: Variables like SSL_CERT_FILE or REQUESTS_CA_BUNDLE can override default certificate paths. Ensure they're set correctly or unset if unnecessary.​
Stack Overflow

    Designs

      Child items 0

      2. No child items are currently assigned. Use child items to break down this issue into smaller parts.

      Activity

      Please register or sign in to reply