Python Requests with wincertstore

python ssl-certificate python-requests

I had a similar issue and fixed it using the python-certifi-win32 package:

pip install python-certifi-win32

now you can just use:

requests.get(url, verify=True)

and the certificate is checked using the Windows Certificate Store.

Edit: This only works if the certificate is installed in the Windows Certificate Store...


This is all explained in the SSL Cert Verification section of the requests docs.

By default, requests uses the certs from certifi if present, falling back to whatever urllib3 thinks is your OS cert store, which itself falls back on whatever Python thinks it is (although in older versions it often didn't).

Your company apparently has a private, maybe even self-signed, cert, which isn't going to be in certifi. It might be in the Windows cert store—in which case urllib3 should automatically pick it up—but I suspect that it isn't. Maybe the cert is installed directly into some custom browser setup your IT department forces you to use, instead of into the OS store. Or maybe it's not installed at all. (You didn't mention being able to access this site in a browser without seeing a broken-lock icon…)

You're passing --no check certificate (or, more likely, --no-check-certificate?) to wget, so you're just not verifying SSL. And if you want to do the same thing in requests, that's just:

requests.get(url, verify=False)

If you're pretty sure that you do have the cert installed, even though wget can't find it… well, your code isn't going to work as written. Here's what would work:

  • Ignore the cert and just disable validation, as shown above.
  • Figure out where the relevant cert actually is installed and how to load it, and:
    • Pass it as the verify argument on every requests call.
    • Set it up somewhere statically and pass it in an environment variable.
    • Install it into your default cert store so everything works automatically.
    • Write an HTTPAdapter that installs it into your requests session.

First, your code is just trying to get the default cert in exactly the same way Python already does. That wincertstore module is just a backport of what's already builtin to Python 3.4+.

Second, all your code is doing is getting a cert, using it to create an SSL socket, ignoring that socket, and telling requests to do its normal thing. That isn't going to help anything. If you want to pass a cert to requests, you either do this:

requests.get(url, verify='/path/to/cert')

… or put it in the environment variable REQUESTS_CA_BUNDLE

… or do the HTTPAdapter code that I showed you in chat (and which you found an old, non-working version of somewhere unspecified). See HTTPAdapter in the docs if you actually want to do that.

Related

Strange PEP8 recommendation on comparing Boolean values to True or False
How to remove nested parentheses in LISP
Laravel - DecryptException: 'The MAC is invalid'
Eclipse Upgrade Not Working
java.util.scanner throws NoSuchElementException when application is started with gradle run
Swift - Objective-C load class method?
What is alternative to use after jQuery 1.9 removed .toggle(function,function)?
android screen orientation
AntiXSS in ASP.Net Core
What's Wrong with an ArrayList?
Rails ActiveStorage: Attach a Vips Image
Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns