[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)

Hi,

I have a Python script to back up my corporate MS Exchange e-mails and I've been using it for the last few months without issues.

(Before anyone asks, I had to write a Python script because my inbox has only 2GB of storage and IT didn't allow any other means of backing up my e-mails.)

Today when I tried to run my script, I got the following error message:
exchangelib.errors.TransportError: HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

I googled the issue and even manually installed the CA certificate on my server, but it still didn't work. I also searched the Exchangelib forums for topics related to my issue, but I couldn't find any answer that solved my problem.

That's when I searched for "(_ssl.c:1131)" and found the Let's Encrypt posts "New “bad handshake” & similar errors" and "EOF occurred in violation of protocol (_ssl.c:1131)".

I ran the tests suggested by rg305:
curl -4 ifconfig.co
Result:
219.110.249.87

curl -6 ifconfig.co
Result:
2407:c800:5320:57f0:2a0:98ff:fe3b:41a2

curl -Iv https://google.com/
Result:

*   Trying 2404:6800:4004:823::200e:443...
* TCP_NODELAY set
* Connected to google.com (2404:6800:4004:823::200e) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.google.com
*  start date: Sep 13 01:38:37 2021 GMT
*  expire date: Nov 20 01:38:36 2021 GMT
*  subjectAltName: host "google.com" matched cert's "google.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x559dd88fa860)
> HEAD / HTTP/2
> Host: google.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 301 
HTTP/2 301 
< location: https://www.google.com/
location: https://www.google.com/
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< date: Mon, 11 Oct 2021 03:09:30 GMT
date: Mon, 11 Oct 2021 03:09:30 GMT
< expires: Wed, 10 Nov 2021 03:09:30 GMT
expires: Wed, 10 Nov 2021 03:09:30 GMT
< cache-control: public, max-age=2592000
cache-control: public, max-age=2592000
< server: gws
server: gws
< content-length: 220
content-length: 220
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

< 
* Connection #0 to host google.com left intact

I am deeply sorry if this is not an issue with Let's Encrypt. I'm really not an expert, but I always try to find the solution before asking (simply because it's faster). I've been looking for an answer for the last few hours, and I finally think that maybe it's the same issue mnadalin had.

I'll also try to fill in the pre-formatted questionnaire from "Create a new Topic".

My domain is: correio.agricultura.gov.br (this is NOT my domain, but my employer's domain)

I ran this command: I'm running a python script that uses Exchangelib

It produced this output:

Failed to create cached protocol with key ('https://correio.agricultura.gov.br/EWS/Exchange.asmx', Credentials('username', 'password)): HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 366, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/lib/python3.8/site-packages/exchangelib/transport.py", line 158, in get_service_authtype
    r = s.post(url=service_endpoint, headers=headers, data=data, allow_redirects=False,
  File "/home/user/.local/lib/python3.8/site-packages/requests/sessions.py", line 590, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/home/user/.local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/user/.local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/home/user/.local/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "Exchange_backup_forward.py", line 65, in <module>
    account = Account(EMAIL,
  File "/home/user/.local/lib/python3.8/site-packages/exchangelib/account.py", line 129, in __init__
    self.protocol = Protocol(config=config)
  File "/home/user/.local/lib/python3.8/site-packages/exchangelib/protocol.py", line 401, in __call__
    raise e
  File "/home/user/.local/lib/python3.8/site-packages/exchangelib/protocol.py", line 396, in __call__
    protocol = super().__call__(*args, **kwargs)
  File "/home/user/.local/lib/python3.8/site-packages/exchangelib/protocol.py", line 425, in __init__
    self.config.auth_type = self.get_auth_type()
  File "/home/user/.local/lib/python3.8/site-packages/exchangelib/protocol.py", line 430, in get_auth_type
    auth_type, api_version_hint = get_service_authtype(
  File "/home/user/.local/lib/python3.8/site-packages/exchangelib/transport.py", line 173, in get_service_authtype
    raise TransportError(str(e)) from e
exchangelib.errors.TransportError: HTTPSConnectionPool(host='correio.agricultura.gov.br', port=443): Max retries exceeded with url: /EWS/Exchange.asmx (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

Note: I changed my username/password and Linux username in the log above

My web server is (include version): I don't have this information

The operating system my web server runs on is (include version): I don't have this information

My hosting provider, if applicable, is: I don't have this information

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, I'm not an admin, I'm just a user

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't know


Hi @gokekun and welcome to the LE community forum :slight_smile:

curl -Ii correio.agricultura.gov.br
HTTP/1.1 302 Redirect
Content-Length: 162
Content-Type: text/html; charset=UTF-8
Location: https://correio.agricultura.gov.br/owa/
Server: Microsoft-IIS/10.0
Date: Mon, 11 Oct 2021 04:38:36 GMT

IIS is a tricky beast.
You should review some of the topics here specifically addressing "Windows/IIS".

@rg305, thank you for replying and showing me where to go.

I'll study about IIS.

Best regards,

And specifically where IIS is still sending the ancient certificate chain which hasn't been in use since May this year. It's still sending the R3-signed-by-DST Root CA X3 where it should send R3-signed-by-ISRG Root X1, optionally including ISRG Root X1-signed-by-DST Root CA X3.
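An added illustration (my own, not code from anyone in this thread) of the chain walk Osiris is describing. The certificate records are constructed; only the two roots' expiry dates are real. It shows why the old R3-signed-by-DST Root CA X3 chain dead-ends on a client that trusts only ISRG Root X1, which is exactly the "unable to get local issuer certificate" the script reported, and why the cross-signed ISRG Root X1 in the new chain is optional for such a client: the issuer is looked up in the local trust store before the served certificates are consulted.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime   # expiry (UTC)

UTC = timezone.utc
NOW = datetime(2021, 10, 11, tzinfo=UTC)   # the day this thread was posted
# Roots carry their real expiry dates; everything below them is constructed.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, 11, 4, 38, tzinfo=UTC))
PLACEHOLDER_EXPIRY = datetime(2022, 1, 1, tzinfo=UTC)            # constructed, still valid at NOW
LEAF = Cert("mail.example", "R3", PLACEHOLDER_EXPIRY)            # constructed server certificate
R3_OLD = Cert("R3", "DST Root CA X3", PLACEHOLDER_EXPIRY)        # R3 signed by DST Root CA X3
R3_NEW = Cert("R3", "ISRG Root X1", PLACEHOLDER_EXPIRY)          # R3 signed by ISRG Root X1
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", PLACEHOLDER_EXPIRY)  # cross-sign (constructed expiry)

OLD_CHAIN = [LEAF, R3_OLD]                   # what the IIS server in the thread still sends
NEW_CHAIN = [LEAF, R3_NEW, ISRG_CROSS]       # the current chain, cross-sign included
STORE_MODERN = {ISRG_ROOT.subject: ISRG_ROOT}   # up-to-date CA bundle
STORE_STALE = {DST_ROOT.subject: DST_ROOT}      # old bundle that never received ISRG Root X1

def build_path(served, trust_store):
    """Chain building the way OpenSSL does it: start at the leaf and look each
    issuer up in the local trust store first, then among the served certificates.
    Raises LookupError with the OpenSSL-style reason when the walk dead-ends."""
    by_subject = {c.subject: c for c in served[1:]}
    path, current = [served[0]], served[0]
    while current.issuer not in trust_store:
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt in path:
            raise LookupError("unable to get local issuer certificate")
        path.append(nxt)
        current = nxt
    return path, trust_store[current.issuer]

def verify_chain(served, trust_store, now=NOW):
    """Return (ok, message). Path building comes first and validity checks second,
    so a missing issuer is reported before any expiry is."""
    try:
        path, anchor = build_path(served, trust_store)
    except LookupError as err:
        return False, str(err)
    for cert in path + [anchor]:
        if cert.not_after <= now:
            return False, f"certificate has expired: {cert.subject}"
    return True, "ok via " + " -> ".join(c.subject for c in path + [anchor])
```

Running `verify_chain(OLD_CHAIN, STORE_MODERN)` reproduces the thread's error, while `verify_chain(OLD_CHAIN, STORE_STALE)` shows the other symptom of that week, an expired DST Root CA X3 anchor.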


Osiris, thank you for your reply.

