
SSL: CERTIFICATE_VERIFY_FAILED

Hi, when I'm trying to read the file from my static folder with urllib.request.urlretrieve, I've got

urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)>

I have Auto-renewing Let's Encrypt certificate setup, so why is it so?

Here is the full traceback:

```
Traceback (most recent call last):
  File "/usr/lib/python3.6/urllib/request.py", line 1318, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/usr/lib/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/lib/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/usr/lib/python3.6/http/client.py", line 1400, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python3.6/ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 808, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/teman77/botsarmydev/Beauty_Bot/sendout.py", line 98, in <module>
    print(File('').yclients_xlsx('https://www.botsarmy.biz/static/20e425b9-e954-4b3c-b228-576c04567120.xlsx', ''))
  File "/home/teman77/botsarmydev/Beauty_Bot/sendout.py", line 46, in yclients_xlsx
    self.send(msg) urllib.request.urlretrieve(file_link, path + filenameXLS)
  File "/usr/lib/python3.6/urllib/request.py", line 248, in urlretrieve
    with contextlib.closing(urlopen(url, data)) as fp:
  File "/usr/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/usr/lib/python3.6/urllib/request.py", line 544, in _open
    '_open', req)
  File "/usr/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.6/urllib/request.py", line 1361, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib/python3.6/urllib/request.py", line 1320, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)>
```

You can use your browser to check the certificate for your site. If you click the lock icon in the address bar, you can see what might be the issue with the certificate.

In browser it shows that everything is ok, here is the test link: https://www.botsarmy.biz/static/1.txt

but the problem is still in place

Now I get another error, but now the same problem with requests to other domains.

Does it mean that the problem is somewhere in urllib or any other package?

```
Traceback (most recent call last):
  File "/home/teman77/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 706, in urlopen
    chunked=chunked,
  File "/home/teman77/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/home/teman77/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/home/teman77/.local/lib/python3.6/site-packages/urllib3/connection.py", line 426, in connect
    tls_in_tls=tls_in_tls,
  File "/home/teman77/.local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
    sock, context, tls_in_tls, server_hostname=server_hostname
  File "/home/teman77/.local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.6/ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 808, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/teman77/.local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/home/teman77/.local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 756, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/home/teman77/.local/lib/python3.6/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='admin.p1sms.ru', port=443): Max retries exceeded with url: /apiSms/create (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/teman77/botsarmy/messages_runner2.py", line 116, in <module>
    wapp_check = check_wapp_exist_and_process_result(conn, msg['msg'], whatsapp, wapp_ok_phones)
  File "/home/teman77/botsarmy/wapp.py", line 1001, in check_wapp_exist_and_process_result
    s = Sms(acc['settings']['sms_provider']).send_message(msg['phone'], msg['sms_text'], apikey=acc['settings']['sms_apikey'], sender=acc['settings']['sms_sendername'])
  File "/home/teman77/botsarmy/sms.py", line 33, in send_message
    r = requests.post(url=url, json=params)
  File "/home/teman77/.local/lib/python3.6/site-packages/requests/api.py", line 117, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/home/teman77/.local/lib/python3.6/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/home/teman77/.local/lib/python3.6/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/teman77/.local/lib/python3.6/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/home/teman77/.local/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='admin.p1sms.ru', port=443): Max retries exceeded with url: /apiSms/create (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)'),))
```

Is your code accessing https://www.botsarmy.biz/ or are you running the code to access some other site in your www.botsarmy.biz web app?

I do both and see the same errors when accessing my static files at https://www.botsarmy.biz/static and other sites.

Have you tried upgrading the version of requests that you're using? Just to be clear: Accessing a site from your web app has nothing to do with your certificate. I'm not clear on why you'd want to access your site from your web app, though. The files are on the disk, you can just read them without having to use requests to get them through the site.

Is this related to the expiry of the root certificate used by Let's Encrypt, aka "IdenTrust DST Root CA X3"?

As I see in my logs, the error started exactly on 30 Sept, when IdenTrust DST Root CA X3 expired.

@teman77 - you're on an older system image, so it may be the issue. You can update your system image from your Account page. admin.p1sms.ru works from the latest system image using a recent version of requests.

@solsTiCedHiver - you're on the most recent version of the system image, so it seems more likely that the site in question has an issue of some sort (possibly related to this in some way). What is the site you're having an issue with?

@glenn I have no issue :-) I am just trying to help ...

Cool. Thanks.
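A diagnostic for the situation discussed above, added here as an example and not code from any poster or from PythonAnywhere: it lists the roots in a CA bundle that are past their expiry date and reports the reason a verified handshake fails. The function names and the `SAMPLE_STORE` entries are constructed for illustration.

```python
import socket
import ssl
import sys
import time

# Constructed sample, shaped like ssl.SSLContext.get_ca_certs() output.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

def expired_roots(ca_certs, now=None):
    """Return (common name, notAfter) for each CA entry already past notAfter."""
    now = time.time() if now is None else now
    found = []
    for cert in ca_certs:
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            subject = dict(pair for rdn in cert["subject"] for pair in rdn)
            found.append((subject.get("commonName", "?"), cert["notAfter"]))
    return found

def bundle_certs(cafile):
    """Load one PEM bundle into a fresh context and list its CA entries."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

def probe(host, port=443, cafile=None, timeout=10):
    """Verified handshake; return 'ok' or the reason verification failed."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLError as exc:
        return getattr(exc, "verify_message", None) or str(exc)

if __name__ == "__main__":
    # usage: python tlsdiag.py HOST [CA_BUNDLE.pem]
    host = sys.argv[1]
    cafile = sys.argv[2] if len(sys.argv) > 2 else ssl.get_default_verify_paths().cafile
    print("CA bundle:", cafile)
    if cafile:
        for name, not_after in expired_roots(bundle_certs(cafile)):
            print("expired root:", name, not_after)
    print(host, "->", probe(host, cafile=cafile))
```

Code that uses requests verifies against the bundle returned by `certifi.where()`, so pass that path as the second argument to inspect what requests actually trusts.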

Hello,

I have a question regarding the SSL certificates. I have my custom domain on the DreamHost registry.

I want to do a redirect from the naked domain to www. I have a cname with 'www' pointing to my app, which works perfectly. But when I use Redirect option on DreamHost it creates another DNS entry for 'www' using A type to the IP that belongs to DreamHost. And then it redirects it there instead of my cname 'www'.

I don't understand why I can't simply remove DreamHost default DNS entries. But this I am trying to get over with their support.

The alternative that could work is to use cname entry for the 'www' and an alias for the naked domain. The DNS like this actually works. Using naked domain or with www points to the same app.

But! The problem is with the SSL certificate, as it was generated for www.example.com and not for the naked domain.

What do you suggest? I would like the user to reach the same site whether he uses www or not.

  1. option: change the registry or arrange with them for possibilities to change default DNS entries.
  2. option: create another app on PythonAnywhere to handle 301 redirects.
  3. option: ??

I assume I cannot have double SSL certificates for the same site, right?

Thank you.

Are you sure that you are putting the redirect in the right direction? Your issue sounds like you may be trying to set up a redirect from www. to the naked domain instead of the other way around.

Yes, if you point 2 different domains at the same place, the certificate will only be for one of them. You could get a wildcard certificate that would cover both.

Both of your options 1 and 2 would work.

Dear glenn,

I could finally clarify with DreamHost. It looks like it needed 24 hours for the redirect and DNS entries to start working properly. There is still their default A entry for 'www', but it seems that it's overwritten with cname entry.

For one of my apps, it works now. I will try the same for another app I have.

Thanks!

Great -- thanks for letting us know!