urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

tip32a · April 2, 2023, 5:38am

I have 2 Windows 2019 servers. One on the internet and the other in a lab environment.
BOTH have Godaddy signed SSL certs.
BOTH can be accessed over Https with Edge, Chrome and Firefox.
I have the most simple code.

import urllib.request
page = urllib.request.urlopen(“https://test.myhost.com”).read()
print (page)

YET when trying to access the lab server I get the dreaded
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)>

I am using Pycharm 2022.3.2 and Python 3.11.2
The workstation running pycharm is Windows 10.
Both the server and the workstation are VirtualBox VMs. The live box is a physical server and as mentioned running server 2019.

This is driving me nuts.
I have tried SOOO many things…
Any help would be greatly appreciated.
Thanks
Tom

barry-scott · April 2, 2023, 9:09am

Can you browse to that URL without any need to override certificate checking in the browser?
Is the CA cert for that site in the windows trust store?

tip32a · April 2, 2023, 11:44am

Sorry, i should have been more clear. I can browse to BOTH servers via Edge, Chrome and Firefox SECURELY. ALL browsers show SECURE connections.
I have done nothing outside of install python and pycharm in the workstation.

I would have no need to modify CA Stores. If multiple browsers and access the sites without modification why would i have to modify the CA?
Thanks for the early reply.

petersuter · April 2, 2023, 12:29pm

Maybe an intermediate certificate is missing in the CA store.
Browsers apparently use “AIA chasing” in that case.
Python apparently does not.

You can check the certificate chain in your browser. E.g. for this site it’s discuss.python.org → R3 → ISRG Root X1. So if R3 is missing in your CA Store, browsers don’t mind, but Python does.

That is unless the server is configured to also send the intermediate certificate. So maybe only one of your servers does that. You can confirm that using e.g. a test tool like this which presumably shows them under “Additional Certificates (if supplied)”.

tip32a · April 2, 2023, 1:23pm

Hi Peter,
The 2 servers are identical configs. Less the SSLs. Since the Lab machine is private the link you sent will not work.

in your statement
You can check the certificate chain in your browser. E.g. for this site it’s discuss.python.org → R3 → ISRG Root X1 . So if R3 is missing in your CA Store, browsers don’t mind, but Python does.

Are you saying that my script should produce the error for this site. It does not.
import urllib.request
page = urllib.request.urlopen(“https://discuss.python.org”).read()
print (page)

This works fine.

R3 is NOT in my CA store. ISRG IS and so if godaddy ( where I received the cert from)

Thanks,

petersuter · April 2, 2023, 2:22pm

No, because this site includes the intermediate certificates. (If I interpret the result of that ssltest tool correctly.)

Did you confirm the entire certificate chain is identical in your browser? Can you check if they include the entire chain somehow?

Maybe this helps: aia · PyPI

barry-scott · April 2, 2023, 4:38pm

If you where on unix or macOS I’d suggest using openssl commands to investigate what is going on.

I do not have enough experience with Windows and certificates to know if using openssl will help.

tip32a · April 2, 2023, 7:56pm

I find it very hard to believe that a platform as well developed and supported as Python was difficulties decoding SSL. Lots of people claim to have the answer. Its to import into python or my script keys that I have to harvest from existing keys. What is the technical limitation with Python that makes this so difficult?