I am using python 3.4 with urllib3 library.
I have no difficulty using self-signed certificates with this code, but when I try to use my Let's Encrypt certs I run into CERTIFICATE_VERIFY_FAILED problems.
I also tried to get a handshake using
openssl s_client -connect dashboard.zibawa.com:443 -CAfile /path/to/letsencypt/fullchain.pem
This produces a successful tls handshake.
I tried with the Let's Encrypt intermediate or root certificates, and I could not even get SSL to work, so my question is: what CA cert should I be using, and how can I get this to work with urllib3 'verify certs'?
Thanks in advance for any help.
My python code is as follows:
from requests import Session
ca_certs = '/path/to/letsencypt/fullchain.pem'  # CA bundle handed to the client for server verification
url = 'https://dashboard.zibawa.com/api/org'
session = Session()
response = session.get(url, verify=ca_certs)  # verify= takes the path of the CA bundle to trust
print(response.status_code)
I didn't understand what kind of server you are using and how you've configured it. That's the most important question here in order to understand what could be wrong.
fullchain.pem normally only needs to be used on the server side, not the client side. The server will normally serve the full chain needed by clients to verify the server, and the clients normally already know about the IdenTrust root (DST Root CA X3) and so can verify the chain without any additional information.
Thanks to your comments I have been able to solve the issue. I had not understood which root certificate I required.
To clear up what I was trying to do:
I had set up NGINX to serve my web app using fullchain.pem.
This worked fine in the browser (because, as you say, the browser 'knows' about the Let's Encrypt root).
However I was having difficulty connecting to APIs which were being proxied behind my NGINX server. In my case I was using Python libraries (urllib3) which ask for a 'ca_cert' path to point to my trusted root certificate.
I had not understood which root certificate to use and had been using the intermediate certs instead. (Maybe it would be useful to make the links to the DST Root more obvious?)
SOLUTION:
Following your remarks above I copied the DST Root CA X3 from https://www.identrust.com/certificates/trustid/root-download-x3.html. I also had to add the lines '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' to my file. (Why do they make it so difficult?) Then, saving this file, I was able to set 'ca_certs' to point to this file when calling the HTTPS apps from Python using urllib, and 'verify_certs' now works. Thanks for your help.
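The two practical steps in the solution above (re-adding the PEM armour to a bare root certificate, then handing that root to the client with verification required) as an added example; this is not code from the thread. It uses only the standard library plus urllib3, constructs a fake base64 body for the demonstration (not a real certificate), and assumes `ca_file=None` should fall back to the OS trust store that the reply below mentions.

```python
import base64
import ssl
import textwrap

# The PEM armour lines that the root downloaded from IdenTrust was missing.
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_blocks(text):
    """Split a bundle into individual BEGIN/END blocks, dropping any text outside them."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current))
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def normalize_pem(text):
    """Return certificate text wrapped in PEM markers.

    If markers are already present the blocks are returned as-is; otherwise the
    input is treated as a bare base64 body (the situation in the thread), has its
    whitespace removed and is re-wrapped at 64 columns as PEM requires.
    """
    body = text.strip()
    if PEM_BEGIN in body:
        return "\n".join(pem_blocks(body)) + "\n"
    b64 = "".join(body.split())
    return "\n".join([PEM_BEGIN, *textwrap.wrap(b64, 64), PEM_END]) + "\n"


def der_certs(text):
    """Decode every PEM block to DER bytes.

    ssl.PEM_cert_to_DER_cert raises ValueError when the markers are missing, which
    is a cheap sanity check to run on a CA file before shipping it to a device.
    """
    return [ssl.PEM_cert_to_DER_cert(block) for block in pem_blocks(text)]


def build_context(ca_file=None):
    """SSL context that demands a verified chain and a matching hostname.

    ca_file=None loads the OS trust store (for example /etc/ssl/certs), which on
    most systems already contains DST Root CA X3. Passing a path restricts trust
    to the roots in that file instead, which is what a device without a system
    store needs. load_verify_locations parses real X.509, so the fake body used
    in __main__ below cannot be loaded here.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; stated explicitly
    ctx.check_hostname = True
    return ctx


def make_pool(ca_file=None):
    """urllib3 PoolManager that refuses servers it cannot verify (the thread's 'verify certs')."""
    import urllib3  # imported here so the PEM helpers above work without urllib3 installed
    return urllib3.PoolManager(ssl_context=build_context(ca_file))


if __name__ == "__main__":
    # Constructed demo body (32 arbitrary bytes, not a certificate) gets its armour back.
    fake_der = bytes(range(32))
    bare = base64.b64encode(fake_der).decode()
    pem = normalize_pem(bare)
    assert der_certs(pem) == [fake_der]
    print(pem)
    # Real use: pass the path of a root written with normalize_pem, or None for the OS store.
    pool = make_pool(None)
    resp = pool.request("GET", "https://dashboard.zibawa.com/api/org")
    print(resp.status, resp.data[:200])
```

Run `der_certs` over the root file before deploying it: a file that is just a base64 dump fails here with ValueError, which is exactly the symptom that cost the thread time. Keeping `check_hostname` on matters as much as the CA file itself, since a client that trusts the root but skips the hostname check will accept any certificate that root ever issued.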
On most systems there are already root CAs (perhaps in /etc/ssl/certs) which I've seen used automatically by Python. On my system, for example, I'm able to do
without doing anything fancy. This site is itself secured with a Let's Encrypt certificate and urllib3 knew how to validate it because of my systemwide root certificate. So I'm not sure why this is possibly not the case in your environment.
I was not aware of that and it is very useful to know. But in any case I needed to work out where to get the root from because some of my applications are IoT and so I want to be able to guarantee they can find the right CA. Thanks once again for all your help!