I'm struggling at the moment to get the requests library to perform a simple GET request to a site of mine with a Let's Encrypt certificate. All's well with the site and I can access it from Chrome just fine. (I'm running OSX El Capitan at the moment).
First I tried doing a GET request to the site:
>>> import requests
>>> requests.get('https://example.com')
This gives me:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
I then tried various things, including getting hold of the Let's Encrypt authority certificate, and the following openssl command verifies my site's certificate successfully:
> openssl s_client -CAfile ./letsencryptauthorityx1.pem -connect example.com:443
The output of which included the following towards the bottom:
...
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
Start Time: 1452865123
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Perhaps I'm missing something here, but it looks to me as though my site's been verified according to the Let's Encrypt authority certificate I supplied. So, I happily changed my Python code to:
>>> requests.get('https://example.com', verify='./letsencryptauthorityx1.pem')
But I still keep getting the requests.exceptions.SSLError error. I've also tried using the DER format of the authority certificate, but then I get the following error from requests:
requests.exceptions.SSLError: unknown error (_ssl.c:2825)
Can anybody perhaps educate me as to how to go about fixing this?
解决方案
Sounds like your CA CERTS on the machine are not up to date or the web server is not configured to server the full certificate chain.