Hi,
I have a Python script to back up my corporate MS Exchange e-mails and I've been using it for the last months without issues.
(Before anyone asks me, I had to make a Python script because my inbox has only 2GB of storage and IT didn't allow any other means of backing up my e-mails.)
Today when I tried to run my script, I got the following error message:
exchangelib.errors.TransportError: HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
I googled the issue and even manually installed the CA certificate on my server, but it still didn't work. I also searched the Exchangelib forums for issues related to mine, but I couldn't find any answer that solves my problem.
That's when I searched for "(_ssl.c:1131)" and found the Let's Encrypt post "New “bad handshake” & similar errors" and also "EOF occurred in violation of protocol (_ssl.c:1131)"
I ran the tests suggested by rg305:
curl -4 ifconfig.co
Result:
219.110.249.87
curl -6 ifconfig.co
Result:
2407:c800:5320:57f0:2a0:98ff:fe3b:41a2
curl -Iv https://google.com/
Result:
* Trying 2404:6800:4004:823::200e:443...
* TCP_NODELAY set
* Connected to google.com (2404:6800:4004:823::200e) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.google.com
* start date: Sep 13 01:38:37 2021 GMT
* expire date: Nov 20 01:38:36 2021 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x559dd88fa860)
> HEAD / HTTP/2
> Host: google.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 301
HTTP/2 301
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< date: Mon, 11 Oct 2021 03:09:30 GMT
date: Mon, 11 Oct 2021 03:09:30 GMT
< expires: Wed, 10 Nov 2021 03:09:30 GMT
expires: Wed, 10 Nov 2021 03:09:30 GMT
< cache-control: public, max-age=2592000
cache-control: public, max-age=2592000
< server: gws
server: gws
< content-length: 220
content-length: 220
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* Connection #0 to host google.com left intact
I am deeply sorry if this is not an issue with Let's Encrypt. I'm really not an expert but I always try to find the solutions before asking (simply because it's faster). I've been looking for an answer for the last hours, and finally think that maybe it's the same issue mnadalin had.
I'll also try to fill in the pre-formatted questionnaire on "Create a new Topic"
My domain is: correio.agricultura.gov.br (this is NOT my domain, but my employer's domain)
I ran this command: I'm running a python script that uses Exchangelib
It produced this output:
Failed to create cached protocol with key ('https://correio.agricultura.gov.br/EWS/Exchange.asmx', Credentials('username', 'password)): HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 366, in connect
self.sock = ssl_wrap_socket(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/user/.local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/user/.local/lib/python3.8/site-packages/exchangelib/transport.py", line 158, in get_service_authtype
r = s.post(url=service_endpoint, headers=headers, data=data, allow_redirects=False,
File "/home/user/.local/lib/python3.8/site-packages/requests/sessions.py", line 590, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/home/user/.local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/home/user/.local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/home/user/.local/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "Exchange_backup_forward.py", line 65, in <module>
account = Account(EMAIL,
File "/home/user/.local/lib/python3.8/site-packages/exchangelib/account.py", line 129, in __init__
self.protocol = Protocol(config=config)
File "/home/user/.local/lib/python3.8/site-packages/exchangelib/protocol.py", line 401, in __call__
raise e
File "/home/user/.local/lib/python3.8/site-packages/exchangelib/protocol.py", line 396, in __call__
protocol = super().__call__(*args, **kwargs)
File "/home/user/.local/lib/python3.8/site-packages/exchangelib/protocol.py", line 425, in __init__
self.config.auth_type = self.get_auth_type()
File "/home/user/.local/lib/python3.8/site-packages/exchangelib/protocol.py", line 430, in get_auth_type
auth_type, api_version_hint = get_service_authtype(
File "/home/user/.local/lib/python3.8/site-packages/exchangelib/transport.py", line 173, in get_service_authtype
raise TransportError(str(e)) from e
exchangelib.errors.TransportError: HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
Note: I changed my username/password and Linux username in the log above
My web server is (include version): I don't have this information
The operating system my web server runs on is (include version): I don't have this information
My hosting provider, if applicable, is: I don't have this information
I can login to a root shell on my machine (yes or no, or I don't know): No
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, I'm not an admin, I'm just a user
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't know
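A diagnostic for the situation described in the post, added here as an example and not part of the original post: it reports which CA bundle a pip-installed `requests` (the layer raising the SSLError in the traceback) consults, which file OpenSSL uses by default, and whether a given issuer is present in the bundle. It assumes the upstream `requests` lookup order (`REQUESTS_CA_BUNDLE`, then `CURL_CA_BUNDLE`, then `certifi`); the issuer name is a placeholder, since the post does not name the CA.

```python
import os
import ssl


def requests_ca_bundle(environ=None):
    """Return (source, path) of the CA bundle requests uses when verify=True."""
    environ = os.environ if environ is None else environ
    # requests checks these variables, in this order, before its default.
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if environ.get(var):
            return var, environ[var]
    try:
        import certifi  # default bundle of a pip-installed requests
    except ImportError:
        return "unavailable", None
    return "certifi", certifi.where()


def openssl_default_cafile():
    """CA file the ssl module (OpenSSL) uses by default, or None."""
    paths = ssl.get_default_verify_paths()
    return paths.cafile  # None when the file does not exist


def ca_names_matching(cafile, needle):
    """Names of CA certificates in cafile whose CN or O contains needle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    hits = []
    for cert in ctx.get_ca_certs():
        subject = {key: value for rdn in cert["subject"] for key, value in rdn}
        name = subject.get("commonName") or subject.get("organizationName", "")
        if needle.lower() in name.lower():
            hits.append(name)
    return hits


if __name__ == "__main__":
    ISSUER = "Example Corp Root CA"  # placeholder: name of the CA you installed
    source, bundle = requests_ca_bundle()
    print("requests bundle:", source, bundle)
    print("OpenSSL default:", openssl_default_cafile())
    if bundle and os.path.isfile(bundle):
        print("issuer present in requests bundle:",
              bool(ca_names_matching(bundle, ISSUER)))
```

If the two reported paths differ, a CA added to the system store (the file curl lists as `CAfile`) is not automatically visible to `requests`.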