I’ve recently started an internship at a company with pretty strict IT policies. I’m the only developer at the company and it is clear that I’m running into problems that most likely don’t affect anyone else here, which makes them difficult to resolve. IT has inserted their own SSL certificate at the proxy level (probably to monitor network traffic), which has led to problems making HTTPS requests. I have found what I believe to be the correct certificate and it has worked to allow me to install packages with conda. However, HTTPS requests made with python’s requests package still error out even when they are given the correct certificate.
Here’s a really simple attempt at an HTTPS request to https://example.com:
import requests
url = "https://example.com"
response = requests.get(url, cert = "/temp/certs/certificate.pem")
And all of the output:
python : Traceback (most recent call last):
At line:1 char:1
+ python main.py 2>%1 > bruh.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Traceback (most recent call last)::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connection.py", line 419, in connect
self.sock = ssl_wrap_socket(
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\util\ssl_.py", line 418, in ssl_wrap_socket
context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3921)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\adapters.py", line 487, in send
resp = conn.urlopen(
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\connectionpool.py", line 787, in urlopen
retries = retries.increment(
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\urllib3\util\retry.py", line 592, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:3921)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "(file location)", line 27, in <module>
response = requests.get(url, cert = "/temp/certs/certificate.pem")
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\api.py", line 73, in get
return request("get", url, params=params, **kwargs)
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "C:\Users\J1P\AppData\Local\anaconda3\envs\schedule_tracker\lib\site-packages\requests\adapters.py", line 518, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(9, '[SSL] PEM lib (_ssl.c:3921)')))
This is different than the error produced when no certificate is provided, which references a self-signed certificate.
Edit: The request does go through when SSL verification is set to false, but obviously that isn’t really a solution.
>Solution :
The cert option of the request is meant to be for the client certificate authentication. What I believe you are trying to do is to add a trusted CA for the request. For this use the verify option.
response = requests.get(url, verify = "/temp/certs/certificate.pem")
You can find the difference in the documentation.