Windows python urlopen certificate verify failed

My domain is: https://salus-it500.com/

We have a Windows App that is built with python2.7. When I debug the following code:

import urllib2
urllib2.urlopen(url="https://salus-it500.com/", timeout=5)

It throws error:
URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>

I tried to renew the domain certificate, and the expired one has been updated:
[screenshot]

But the error is still there. How can I resolve it? Thanks!

2 Likes

The certificate chain of that website is Leaf > R3 > ISRG Root X1 > DST Root CA X3 (expired). This is the default chain intended for Android compatibility. It has the disadvantage of not working for clients which validate the expiry all the way up to the root certificate.

You can either turn off certificate validation in your program, see if there are any updates you can do (or extra urllib options you can set) or change your service to use the ISRG Root X1 chain.

1 Like

That would undermine the entire purpose of HTTPS, right?

Personally I would first check the certificate root store used by urllib2: is ISRG Root X1 available in the first place?

2 Likes

Thank you!

Our Windows App has been downloaded by many people, so I think changing my service to use the ISRG Root X1 chain is better.

How do I change my service to use the ISRG Root X1 chain?
My service runs Ubuntu 16.04.4.

2 Likes

How do you manage your certificates in the first place?

2 Likes

I install the certificate as follows:

  1. Install certbot:
    $ sudo apt-get update
    $ sudo apt-get install software-properties-common
    $ sudo add-apt-repository ppa:certbot/certbot
    $ sudo apt-get update
    $ sudo apt-get install python-certbot-nginx

  2. Request certs:
    $ sudo certbot certonly --webroot -w /var/www/html/salus-it500 -d salus-it500.com -d www.salus-it500.com

  3. Update nginx conf:
    ssl_certificate /etc/letsencrypt/live/salus-it500.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/salus-it500.com/privkey.pem;

  4. Reload nginx:
    $ sudo nginx -s reload

2 Likes

A few things:

Installing the certbot-nginx package is not really useful if you're actually not using the plugin at all. And you're not using that plugin, as you're using certonly (so no installer plugin) and the webroot authenticator plugin, so no nginx authenticator plugin is used.

In any case, the certbot from the PPA is quite old. It's probably wise to switch over to the snap installation method as described here: Certbot - Ubuntuxenial Nginx (note that this guide actually does use the nginx plugin, but that's not really required: your solution with the webroot plugin is just as fine, so you don't have to change that.)

When you have a recent certbot version using snap, you can use the --preferred-chain option to choose the chain chaining up to the ISRG Root X1 root certificate.

3 Likes
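A Python 3 diagnostic for the two checks raised in this thread: whether the client's trust store contains ISRG Root X1 (the question above about urllib2's root store), and which chain a certbot fullchain.pem carries after choosing --preferred-chain. This is an added example, not code from the thread; the mapping from certificate count to chain is an assumption specific to Let's Encrypt's chains at the time of the DST Root CA X3 expiry, and SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
import re
import socket
import ssl

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Constructed stand-in for one PEM block (not a real certificate), used only
# to exercise the bundle counting below.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB.constructed.\n-----END CERTIFICATE-----\n"

def root_store_has(common_name, cafile=None):
    """True if a CA whose subject CN is common_name is in the store the ssl
    module will use (system store, or the bundle given as cafile). OpenSSL
    loads hashed CA directories lazily, so on capath-only systems
    get_ca_certs() can be empty even though the root is installed."""
    ctx = ssl.create_default_context(cafile=cafile)
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for name, value in rdn:
                if name == "commonName" and value == common_name:
                    return True
    return False

def chain_cert_count(pem_text):
    """Number of certificates in a PEM bundle such as certbot's fullchain.pem."""
    return len(_PEM_CERT.findall(pem_text))

def describe_le_chain(pem_text):
    """Assumption (Let's Encrypt chains at the time of the DST Root CA X3
    expiry): the default chain is leaf + R3 + ISRG Root X1 cross-signed by
    DST Root CA X3 (3 certs); --preferred-chain "ISRG Root X1" gives
    leaf + R3 (2 certs)."""
    n = chain_cert_count(pem_text)
    if n == 3:
        return "long chain: ends at the expired DST Root CA X3"
    if n == 2:
        return "short chain: ends at ISRG Root X1"
    return "unexpected bundle with %d certificate(s)" % n

def verify_host(host, port=443, cafile=None):
    """Do the handshake urllib would do; returns (True, None) or (False, reason)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, None
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, str(exc)
```

Running `verify_host("salus-it500.com")` and `describe_le_chain(open("/etc/letsencrypt/live/salus-it500.com/fullchain.pem").read())` on the server shows whether the served bundle is still the long chain and whether the client's store can validate it.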

Ensure you have the latest ca-certificates and openssl

Do:
sudo apt-get update
sudo apt update

Then, what shows:
sudo apt install ca-certificates openssl

I don't know what to say about: urllib2
Other than, you might have a very old version of python... ?
If that can't be upgraded, you might get through this problem quicker by switching ACME clients.

1 Like

Not the entire purpose no, the conversation would still be encrypted, just not necessarily with the party you expected it to be with!

1 Like

As far as I'm concerned, that still would undermine the entire purpose of HTTPS. The whole purpose of a certificate is authenticating the other party. For encryption just Diffie-Hellman would be fine, but no, we have the whole certificate stuff for authentication!

2 Likes

Thank you for your suggestions. I have followed @Osiris's recommendation to install Certbot using snap and generate a new certificate using the --preferred-chain option. Now our Windows App can request websites normally.

2 Likes