Windows: Python SSL certificate verify failed
I've installed Anaconda and had SSL problems when trying to do API calls via Jupyter Notebooks:
```python
import requests
import certifi
r = requests.get('https://github.com/')
print(r)
```
This first produced an SSL connection error, which I could solve after an extensive search and with the help of our IT department. The solution here was to add the company root certificate to the certifi cert storage.
Now for other requests, unfortunately, I still have the same problems. Example code calling the Google Analytics API with the google2pandas package:
```python
from google2pandas import *

query = {
    'reportRequests': [{
        'viewId' : 37616054,
        'dateRanges': [{
            'startDate' : '8daysAgo',
            'endDate'   : 'today'}],
        'dimensions' : [
            {'name' : 'ga:date'},
            {'name' : 'ga:pagePath'},
            {'name' : 'ga:browser'}],
        'metrics' : [
            {'expression' : 'ga:pageviews'}],
        'dimensionFilterClauses' : [{
            'operator' : 'AND',
            'filters'  : [
                {'dimensionName' : 'ga:browser',
                 'operator' : 'REGEXP',
                 'expressions' : ['Firefox']},
                {'dimensionName' : 'ga:pagePath',
                 'operator' : 'REGEXP',
                 'expressions' : ['iPhone']}]
        }]
    }]
}

# Assume we have placed our client_secrets_v4.json file in the current
# working directory.
conn = GoogleAnalyticsQueryV4(secrets='Analytics.json')
df = conn.execute_query(query)
```
Here I still get the SSL error I had on the simple call before as well:
```
C:\ProgramData\Anaconda3\lib\ssl.py in _create(cls, sock, server_side, do_handshake_on_connect, suppress_ragged_eofs, server_hostname, context, session)
    848                         # non-blocking
    849                         raise ValueError("do_handshake_on_connect should not be specified for non-blocking sockets")
--> 850                     self.do_handshake()
    851             except (OSError, ValueError):
    852                 self.close()

C:\ProgramData\Anaconda3\lib\ssl.py in do_handshake(self, block)
   1106             if timeout == 0.0 and block:
   1107                 self.settimeout(None)
-> 1108             self._sslobj.do_handshake()
   1109         finally:
   1110             self.settimeout(timeout)

SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1045)
```
I believe there is another library in use that doesn't rely on certifi? But I don't have any idea where and how to add my root certificate so that all IPython requests will work.
Any ideas are appreciated.
Solution 1:[1]
I spent a few days figuring out how to solve this problem. Finally I added the CA certificate of my company to a configuration file used by the requests library. You can check the path of this file by:
```python
import requests as r
print(r.certs.where())
```
The path of the cacert.pem that Python uses will be printed; edit it and append the CA certificate to the bottom of it.
Solution 2:[2]
One possible solution is to instruct Python to use your Windows Certificate Store instead of the built-in store in the certifi package. You can do that by installing python-certifi-win32:
```
pip install python-certifi-win32
```
Python is then using the same certificates as your browsers do.
Solution 3:[3]
The above solution is not very suitable due to security reasons. A better solution for this problem is:
- Go to https://letsencrypt.org/certificates/ and download "ISRG Root X1", "ISRG Root X2", "Let’s Encrypt R3" (.der files)
- Import the 3 certificates into your local Trusted Root Certification Authorities; follow this guide for that: https://www.sonicwall.com/support/knowledge-base/how-can-i-import-certificates-into-the-ms-windows-local-machine-certificate-store/170504615105398/
- You may have to restart your system
Solution 4:[4]
You can monkey-patch the `__init__` method of `ssl.SSLSocket` so that it always ignores SSL certificate verification by forcing the `cert_reqs=CERT_NONE` parameter.
Add this to the beginning of your script:
```python
import ssl
orig_sslsocket_init = ssl.SSLSocket.__init__
ssl.SSLSocket.__init__ = lambda *args, cert_reqs=ssl.CERT_NONE, **kwargs: orig_sslsocket_init(*args, cert_reqs=ssl.CERT_NONE, **kwargs)
```
Solution 5:[5]
I've made progress. httplib2 is the package that caused the problems. It has its own cacerts.txt, where I added the root certificate as well now.
Cheers,
Andreas
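
Added example (not part of the original question or answers): Solutions 1 and 5 both come down to finding which CA bundle file each library reads and whether the company root is in it. This sketch lists those files, reports the bundles that lack a given root, and writes a combined bundle to a separate file instead of editing the package-owned ones. The function names are this example's own, and the root certificate in the demo is a constructed placeholder.

```python
import hashlib, importlib, re, ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate block in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}

def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def bundle_paths():
    """CA bundle file each installed library reads; missing libraries are skipped."""
    paths = {}
    for module in ("certifi", "requests.certs", "httplib2.certs"):
        try:
            paths[module] = importlib.import_module(module).where()
        except Exception:  # not installed, or no where() in this version
            continue
    cafile = ssl.get_default_verify_paths().cafile
    if cafile:
        paths["ssl default"] = cafile
    return paths

def missing_from(root_pem, paths):
    """Labels of the bundles that do not yet contain the given root certificate."""
    wanted = fingerprints(root_pem)
    return [label for label, path in paths.items()
            if not wanted <= fingerprints(read_text(path))]

def write_combined(root_pem, base_path, out_path):
    """Write the base bundle plus the root (appended only once) to out_path."""
    bundle = read_text(base_path)
    if not fingerprints(root_pem) <= fingerprints(bundle):
        bundle = bundle.rstrip("\n") + "\n" + root_pem.strip() + "\n"
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(bundle)
    return out_path

def env_for(bundle_path):
    """Variables read by requests, OpenSSL's default verify paths and httplib2."""
    return dict.fromkeys(("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE", "HTTPLIB2_CA_CERTS"), bundle_path)

if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate; pass your root CA's PEM text.
    demo_root = ssl.DER_cert_to_PEM_cert(b"constructed placeholder root")
    print(bundle_paths(), missing_from(demo_root, bundle_paths()))
```

Set the variables from `env_for()` before the libraries are imported, so the `cacert.pem` and `cacerts.txt` files shipped with the packages stay unmodified across upgrades.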
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | weshouman |
| Solution 2 | Yann |
| Solution 3 | Cookies |
| Solution 4 | blhsing |
| Solution 5 | Andii |
