Help thread for DST Root CA X3 expiration (September 2021)

mpapenbr · October 3, 2021, 7:14am

I had some trouble using Python 3.9 on Windows 10
The standard way (up to 2021-09-30) was:

Python 3.9.5 (tags/v3.9.5:0a7dcbd, May  3 2021, 17:27:52) [MSC v.1928 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib3
>>> http = urllib3.PoolManager()
>>> ret = http.request("GET", "https://community.letsencrypt.org")

which now produced the exception

Traceback (most recent call last):
  File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\util\ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "C:\dev\git\playground-python\env\lib\site-packages\urllib3\util\ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\dev\Python\Python39\lib\ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\dev\Python\Python39\lib\ssl.py", line 1040, in _create
    self.do_handshake()
  File "C:\dev\Python\Python39\lib\ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)

Note: On Ubuntu 20.04 the above snippet still works out of the box, it was just Windows that caused trouble.

For Windows using certifi solved my problem.

>>> import certifi
>>> import urllib3
>>> http = urllib3.PoolManager(cert_reqs="CERT_REQUIRED", ca_certs=certifi.where())
>>> ret = http.request("GET", "https://community.letsencrypt.org")
>>> ret.status
200

Topic		Replies	Views
IdenTrust DST Root CA X3 expiry Help	18	5235	November 6, 2021
Broken links on doc page for DST Root CA X3 Expiration Site Feedback	7	2336	May 9, 2021
Feedback wanted: DST Root CA X3 expiration all-subscriber email Issuance Tech	14	3011	May 6, 2021
Expiration or revokation of DST Root CA X3 Help	4	4034	January 1, 2018
Expiration of DST Root CA X3 and Ingenico POS Help	21	1840	October 24, 2021

Help thread for DST Root CA X3 expiration (September 2021)

Related topics