Monday, July 11, 2011

Python httplib2 certificate verify failed

If you are trying to make an HTTPS connection using httplib2.Http to a server which uses a self-signed certificate, you might face "httplib2.SSLHandshakeError: [Errno 1] _ssl.c:480: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed".

There are 2 solutions:
1. Turn off certificate validation: httplib2.Http(disable_ssl_certificate_validation=True).request('https://www.godaddy.com/'). With this option the connection is still encrypted, but httplib2 no longer checks which server it is talking to.

2. httplib2 uses its own certificate store. Usually, the location would be /usr/local/lib/python2.7/dist-packages/httplib2/httplib2/cacerts.txt.
Edit this file to add the certificate of your server and you should be good to go.

Steps to download site certificates (e.g. certificates from DigiCert):

  1. Open the site.
  2. Click on the lock icon in the address bar.
    1. Chrome:
      1. Go to the "Connection" tab
      2. Click on "Certificate Information"
    2. Firefox:
      1. Click "More Information"
      2. Go to the "Security" tab
      3. Click "View certificate"
      4. Go to the "Details" tab
  3. Make a note of the first node of the certificate hierarchy (e.g. "DigiCert High Assurance EV Root CA").
  4. Go to the DigiCert certificates page (https://www.digicert.com/digicert-root-certificates.htm).
  5. Search for the certificate with the name you found above and download it.
  6. Convert the .crt file to .pem: "openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.pem -outform PEM"
  7. If the above step returns an error, refer to http://info.ssl.com/article.aspx?id=12149. For this certificate you need to pass "-inform der".
  8. Open DigiCertHighAssuranceEVRootCA.pem, copy the contents and paste them into cacerts.txt.
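
Steps 6 to 8 can also be scripted. The following is an added example, not code from the original post or from httplib2: it accepts a downloaded certificate in either PEM or DER form (the "-inform der" case from step 7), appends it to a CA bundle only if it is not already there, and then points httplib2 at that bundle through the ca_certs argument of httplib2.Http so validation stays on. The function names are hypothetical, and each input file is assumed to hold a single certificate.

```python
import hashlib
import re
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_BLOCK = re.compile(BEGIN + r".*?-----END CERTIFICATE-----", re.S)


def to_pem(data: bytes) -> str:
    """Return one certificate as PEM, whether the file was PEM or DER."""
    match = PEM_BLOCK.search(data.decode("ascii", errors="ignore"))
    if match:
        # Already PEM: round-trip through DER to normalise line wrapping.
        return ssl.DER_cert_to_PEM_cert(ssl.PEM_cert_to_DER_cert(match.group(0)))
    # No PEM markers, so treat the bytes as DER (the "-inform der" case).
    return ssl.DER_cert_to_PEM_cert(data)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, for comparison with a value obtained out of band."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def bundle_fingerprints(bundle_path: str) -> set:
    with open(bundle_path, encoding="ascii", errors="ignore") as fh:
        return {fingerprint(block) for block in PEM_BLOCK.findall(fh.read())}


def add_to_bundle(bundle_path: str, cert_bytes: bytes) -> bool:
    """Append the certificate unless the bundle already holds it."""
    pem = to_pem(cert_bytes)
    if fingerprint(pem) in bundle_fingerprints(bundle_path):
        return False
    with open(bundle_path, "a", encoding="ascii") as fh:
        fh.write("\n" + pem)
    return True


def make_http(bundle_path: str):
    """Verify servers against the edited bundle instead of disabling validation."""
    import httplib2  # imported here so the helpers above work without it
    return httplib2.Http(ca_certs=bundle_path)
```

These helpers only handle the PEM/DER encoding and do not parse the X.509 contents. bundle_path can be httplib2's own cacerts.txt or a copy of it kept alongside your application.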


4 comments:

padre said...

hey,
how can I obtain server certificate if I don't have local access to the server?

V'Raj Kanwade said...

@padre
Sorry for the late reply.

I think there is some Java tool which lets you hit the URL and shows you the certificate. You can then copy the contents and save it to a file.

Don't remember the Java tool name.

Bryan said...

Also, look into using the 0.8.0devN at https://bitbucket.org/jaraco/httplib2/ which contains a more up to date (and much larger) certs.txt generated from this script: https://bitbucket.org/jaraco/httplib2/src/1faf477eb2d7/certs.py

V'Raj Kanwade said...

A reference to my blog: http://fijiaaron.wordpress.com/2011/09/15/testing-rest-web-services-with-python/

Glad to be of help to people! :)