requests.Session with client certificates and own CA

Here is my code

import os
import requests

os.environ['REQUESTS_CA_BUNDLE'] = os.path.join('/path/to/', 'ca-own.crt')
s = requests.Session()
s.cert = ('some.crt', 'some.key')

s.get('https://some.site.com')

Last instruction returns:

requests.exceptions.SSLError: HTTPSConnectionPool(host='some.site.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

With curl:

curl --cacert ca-own.crt --key some.key --cert some.crt https://some.site.com

returns normal html code.

How can I make Python requests.Session send correct certificates to the endpoint?

P.S. The same situation occurs if I add the following:

s.verify = 'some.crt'

or

cat some.crt ca-own.crt > res.crt

s.verify = 'res.crt'

P.P.S.

cat some.crt some.key > res.pem

s.cert = "res.pem"

requests.exceptions.SSLError: HTTPSConnectionPool(host='some.site.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

cat ca-own.crt some.crt some.key > res.pem

s.cert = "res.pem"

requests.exceptions.SSLError: HTTPSConnectionPool(host='some.site.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(116, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:4067)')))



Solution 1:[1]

The above code will work if you put verify=False in the GET request, but that is not ideal security-wise (man-in-the-middle attacks), so you need to pass the CA certificate (the issuer's certificate) file to the verify parameter. More info here

import requests

session = requests.Session()
session.verify = "/path/to/issuer's certificate"  # CA certificate

session.get('https://some.site.com')
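
An added example, not part of the original question or answer: a pre-flight that loads the same files with the standard-library ssl module, so that a local file problem (such as the KEY_VALUES_MISMATCH above) is separated from a server-trust problem (such as "unable to get local issuer certificate"). The function names load_tls_files and handshake_error are hypothetical; the file and host names are the placeholders from the question.

```python
import socket
import ssl


def load_tls_files(ca_bundle, cert_file, key_file=None):
    """Load both file sets with no network I/O; return (context, problems)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname
    problems = []
    try:
        # Session.verify / REQUESTS_CA_BUNDLE / curl --cacert: issuers we trust.
        ctx.load_verify_locations(cafile=ca_bundle)
    except OSError as exc:  # ssl.SSLError and FileNotFoundError are both OSError
        problems.append(("verify", str(exc)))
    try:
        # Session.cert / curl --cert --key: our own identity. In a combined PEM
        # the first CERTIFICATE block is used as the client certificate, so it
        # has to be the one that belongs to the private key.
        ctx.load_cert_chain(cert_file, key_file)
    except OSError as exc:
        problems.append(("cert", str(exc)))
    return ctx, problems


def handshake_error(host, ctx, port=443, timeout=10):
    """Run one TLS handshake; return None if the server chain verifies."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message  # e.g. "unable to get local issuer certificate"


if __name__ == "__main__":
    # File and host names are the placeholders used in the question.
    ctx, problems = load_tls_files("ca-own.crt", "some.crt", "some.key")
    for setting, message in problems:
        print(f"Session.{setting}: {message}")
    if not problems:
        print(handshake_error("some.site.com", ctx) or "server chain verified")
```

A problem reported under cert points at the client certificate or key files, while a message returned by handshake_error points at the CA bundle given to verify.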

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1