SSL Cert not being recognized in Python 3.13.x #133564

Closed
ricsonchua opened this issue May 7, 2025 · 5 comments
Labels: topic-SSL, type-bug

Comments

@ricsonchua

ricsonchua commented May 7, 2025

Bug report

Bug description:

EDIT: added Traceback in text form

My organization currently uses Zscaler for security and VPN. On top of that I have no admin rights to my Windows machine.

I have tried a whole host of solutions including one from Anaconda community HERE

What led me to pip-system-certs is this StackOverflow question that is quite similar to my situation HERE

For Python 3.12, I was able to patch the cert by using autowrapt which was kindly provided by pip-system-certs.
Details for this solution and issue documented HERE

I am writing this now because I have received an official Zscaler certificate from my organization. However, when I proceed to use verify on requests, it fails, saying "Basic Constraints of CA cert not marked critical". From my understanding, all this means is that a cert may be missing an extension CA:TRUE under X509v3 format.

Upon inspection my cert does have X509v3 extensions (see IMAGE 1 below with both cert details and error details)

I have shared my observations with Zscaler as well as of writing this ticket, because when Zscaler VPN is off everything runs as normal.

IMAGE 1: screenshot of the certificate details and the error details (image not reproduced here)

Traceback in text

```pytb
C:\Users\BYM1132>python
Python 3.13.2 (tags/v3.13.2:4f8bb39, Feb  4 2025, 15:23:48) [MSC v.1942 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get('https://www.google.com',verify='C:\\_work\\Cert\\ZscalerRootCertificate-2048-SHA256.crt')
Traceback (most recent call last):
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\connectionpool.py", line 464, in _make_request
    self._validate_conn(conn)
    ~~~~~~~~~~~~~~~~~~~^^^^^^
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\connectionpool.py", line 1093, in _validate_conn
    conn.connect()
    ~~~~~~~~~~~~^^
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\connection.py", line 741, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
        sock=sock,
    ...<14 lines>...
        assert_fingerprint=self.assert_fingerprint,
    )
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\connection.py", line 920, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
        sock=sock,
    ...<8 lines>...
        tls_in_tls=tls_in_tls,
    )
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\util\ssl_.py", line 480, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\util\ssl_.py", line 524, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Program Files\Python313\Lib\ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        sock=sock,
        ^^^^^^^^^^
    ...<5 lines>...
        session=session
        ^^^^^^^^^^^^^^^
    )
    ^
  File "C:\Program Files\Python313\Lib\ssl.py", line 1076, in _create
    self.do_handshake()
    ~~~~~~~~~~~~~~~~~^^
  File "C:\Program Files\Python313\Lib\ssl.py", line 1372, in do_handshake
    self._sslobj.do_handshake()
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1028)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\connectionpool.py", line 787, in urlopen
    response = self._make_request(
        conn,
    ...<10 lines>...
        **response_kw,
    )
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\connectionpool.py", line 488, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1028)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\requests\adapters.py", line 667, in send
    resp = conn.urlopen(
        method=request.method,
    ...<9 lines>...
        chunked=chunked,
    )
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\connectionpool.py", line 841, in urlopen
    retries = retries.increment(
        method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
    )
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\urllib3\util\retry.py", line 519, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='www.google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1028)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    requests.get('https://www.google.com',verify='C:\\_work\\Cert\\ZscalerRootCertificate-2048-SHA256.crt')
    ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\requests\api.py", line 73, in get
    return request("get", url, params=params, **kwargs)
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\requests\api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
           ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\requests\sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\requests\sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "C:\Users\BYM1132\AppData\Roaming\Python\Python313\site-packages\requests\adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1028)')))
```

CPython versions tested on:

3.13

Operating systems tested on:

Windows

ricsonchua added the type-bug label May 7, 2025
@graingert
Contributor

This is the CPython issue tracker for bugs and features; for support, please open a new thread here: https://discuss.python.org/c/help/7

Please also post tracebacks as text rather than screenshots.

I think this is #107361. You will need to pass a custom SSL context without the ssl.VERIFY_X509_STRICT flag:

```python
import ssl
import urllib3

# Start from urllib3's default context, then clear the strict X.509 checks that Python 3.13 enables by default.
ctx = urllib3.util.create_urllib3_context()
ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
ctx.load_verify_locations(path_to_zscaler_cert)  # path to the Zscaler root CA file
```

graingert closed this as not planned May 7, 2025
@ricsonchua
Author

ricsonchua commented May 7, 2025

EDIT: I made a mistake; it is not working. I accidentally ran the code above on Python 3.12.

Thanks! @graingert, the solution you shared works! Any reason why this is the default behavior now? What should the certificate provider do to comply better with what urllib3 needs? I would like to find a way for Zscaler to provide a long-term solution.

I will add tracebacks to the original post.
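An added check for the two questions above, written for this page and not taken from the thread, CPython or urllib3: `relaxed_context` applies the workaround graingert described, and `basic_constraints_critical` walks a DER certificate with a small stdlib-only TLV parser to report whether the Basic Constraints extension carries the critical flag, which is what the strict verification (RFC 5280 requires that extension to be critical in CA certificates) is rejecting. `sample_extensions` builds a constructed DER fragment, not a real certificate, so the check can be exercised offline; the `.crt` file is assumed to be PEM.

```python
import ssl
import sys
BASIC_CONSTRAINTS_OID = b"\x55\x1d\x13"  # DER encoding of OID 2.5.29.19 (id-ce-basicConstraints)

def relaxed_context(cafile=None):
    """Workaround from this thread: the default context minus VERIFY_X509_STRICT."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx

def has_strict_flag(ctx):
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)

def _children(body):
    """Yield (tag, value) for each DER TLV inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        yield tag, body[pos:pos + length]
        pos += length

def basic_constraints_critical(der):
    """True/False: the critical flag of the Basic Constraints extension; None: absent."""
    for tag, val in _children(der):
        if tag == 0x30:  # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
            kids = list(_children(val))
            if kids and kids[0] == (0x06, BASIC_CONSTRAINTS_OID):
                return len(kids) > 1 and kids[1][0] == 0x01 and kids[1][1] != b"\x00"
        if tag & 0x20:  # any other constructed value (SEQUENCE, SET, [3] ...): descend
            found = basic_constraints_critical(val)
            if found is not None:
                return found
    return None

def _der(tag, body):  # short-form length only; enough for the tiny samples below
    return bytes([tag, len(body)]) + body

def sample_extensions(critical):
    """Constructed DER Extensions block (not a real certificate) carrying CA:TRUE."""
    ca_true = _der(0x04, _der(0x30, _der(0x01, b"\xff")))  # extnValue: SEQUENCE { cA TRUE }
    flag = _der(0x01, b"\xff") if critical else b""
    return _der(0x30, _der(0x30, _der(0x06, BASIC_CONSTRAINTS_OID) + flag + ca_true))

if __name__ == "__main__":  # usage: python check_ca.py ZscalerRootCertificate-2048-SHA256.crt
    der = ssl.PEM_cert_to_DER_cert(open(sys.argv[1]).read())  # the .crt is assumed to be PEM
    print("strict X.509 checks on by default:", has_strict_flag(ssl.create_default_context()))
    print("Basic Constraints marked critical:", basic_constraints_critical(der))
```

A CA certificate that reports False here is the one the strict checks reject; the durable fix is on the certificate side (re-issue with the extension marked critical), while clearing the flag only relaxes the client.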

@graingert
Contributor

Remember to use markdown formatting when posting code from terminals:

```pytb
Traceback (most recent call last):
...
```

@ricsonchua
Author

I am new to this. I am unable to put the traceback in a collapsible section; it loses the pytb formatting.

@graingert
Contributor

We can continue this discussion on the help forums. I don't know the flags needed to fix the cert, but perhaps someone on the forums does.
