SSL: CERTIFICATE_VERIFY_FAILED with Python3 [duplicate]

Asked 23/2, 2016 at 4:47 Answered 20/8, 2022 at 7:30

107

I apologize if this is a silly question, but I have been trying to teach myself how to use BeautifulSoup so that I can create a few projects.

I was following this link as a tutorial: https://www.youtube.com/watch?v=5GzVNi0oTxQ

After following the exact same code as him, this is the error that I get:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/urllib/request.py", line 1240, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 1083, in request
    self._send_request(method, url, body, headers)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 1128, in _send_request
    self.endheaders(body)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 1079, in endheaders
self._send_output(message_body)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 911, in _send_output
    self.send(msg)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 854, in send
    self.connect()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/http/client.py", line 1237, in connect
server_hostname=server_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 376, in wrap_socket
_context=self)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 747, in __init__
self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 983, in do_handshake
    self._sslobj.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 628, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "WorldCup.py", line 3, in <module>
    x = urllib.request.urlopen('https://www.google.com')
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/urllib/request.py", line 162, in urlopen
    return opener.open(url, data, timeout)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/urllib/request.py", line 465, in open
    response = self._open(req, data)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/urllib/request.py", line 483, in _open
'_open', req)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/urllib/request.py", line 443, in _call_chain
    result = func(*args)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/urllib/request.py", line 1283, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/urllib/request.py", line 1242, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]     certificate verify failed (_ssl.c:645)>

Can someone help me figure out how to fix this?

Nog answered 23/2, 2016 at 4:47 Comment(5)

What URL are you trying? Does the host use a self-signed certificate? – Omophagia 23/2, 2016 at 5:4

www.google.com, like he did in the video. My code is the same as his. – Nog 23/2, 2016 at 5:11

I get the same error with any other website that I use, i.e. youtube.com, wikipedia.com etc – Nog 23/2, 2016 at 5:13

Maybe #35276040 – Omophagia 23/2, 2016 at 5:15

I got the same error as earlier. It's not working "/ I know it was workinge arlier because I was able to use it on another website. – Nog 23/2, 2016 at 5:21

185

In my case, I used the ssl module to "workaround" the certification like so:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

Then to read your link content, you can use:

urllib.request.urlopen(urllink)

Note that whilst this will make the code work, it removes security protections.

Rehabilitation answered 8/3, 2018 at 13:31 Comment(10)

Great solution. Worked and helped me figure out what was going on in the first place. – Euclid 2/5, 2018 at 17:55

worked perfectly well, i couldn't find the "Install Certificates.command", but this solution worked perfectly well for certificate issue. – Indianapolis 27/1, 2019 at 12:1

NameError: name 'urllib' is not defined – Rutheruthenia 17/2, 2019 at 20:55

@BrianD check your version of Python. urllib import path has changed in recent versions of Python. – Garrulity 18/2, 2019 at 16:8

This worked for me as well. I wasn't able to find the "Install Certificates.command" file either. I'm on Windows. – Taggart 1/3, 2019 at 16:21

Works with pandas too. – Frondescence 21/5, 2019 at 3:15

For a weird reason certificates didn't work for me, but this workaround did the job. – Katerine 21/1, 2020 at 21:19

@Rehabilitation I face this error when trying to upload my package to artifactory. Where should I add these two lines since my package has many modules? – Clive 5/3, 2021 at 6:50

How do I get the page content from urllib.request.urlopen(urllink) ? In other words, what is equivalent of requests.get(MY_URL).content? – Adi 17/3, 2021 at 23:53

Worked for me - easy fix. – Decemvirate 20/9, 2021 at 14:44

138

Go to the folder where Python is installed, e.g., in my case (Mac OS) it is installed in the Applications folder with the folder name 'Python 3.6'. Now double click on 'Install Certificates.command'. You will no longer face this error.

For those not running a mac, or having a different setup and can't find this file, the file merely runs:

pip install --upgrade certifi

Tingley answered 8/5, 2017 at 19:4 Comment(4)

What is the significance of the code - what change did it apply - care to explain ? – Greenness 13/3, 2018 at 1:2

To the people saying they can't find this file - this solution is only Apple products. – Nealneala 18/11, 2019 at 9:32

Thank you very much! Also it worked on Python3.7 :) – Colonialism 10/12, 2019 at 1:42

This and only this command worked. It installed the right certificates. I have tried numuours and had lost trust with stackoverflwo. – Decrement 20/8, 2020 at 15:4

On Debian 9 I had to:

$ sudo update-ca-certificates --fresh
$ export SSL_CERT_DIR=/etc/ssl/certs

I'm not sure why, but this enviroment variable was never set.

Portiaportico answered 15/10, 2019 at 12:22 Comment(6)

Thank you, I faced the same issue on Raspbian Stretch after manually installing Python 3.8, and solved setting that environment variable. – Coonskin 17/10, 2019 at 18:55

It might not even be necessary to update certificates - in my case, just exporting the path worked. – Nealneala 18/11, 2019 at 9:30

I started having this problem after installing a new pip package. As @Nealneala mentioned just exporting the path worked for me as well on Ubuntu 20.04. – Olive 26/9, 2020 at 19:32

The 2nd line worked on Mac OS Big Sur for me. – Hurlburt 8/10, 2021 at 20:53

This worked for me on Ubuntu20.04 after Dropbox was failing to install. Exactly what I was looking for. – Nimbus 27/3, 2022 at 21:48

thanks. export SSL_CERT_DIR=/etc/ssl/certs did the trick on ubuntu 20.04 – Clubfoot 6/4, 2022 at 10:14

This has changed in recent versions of the ssl library. The SSLContext was moved to it's own property. This is the equivalent of Jia's answer in Python 3.8

import ssl

ssl.SSLContext.verify_mode = ssl.VerifyMode.CERT_OPTIONAL

Humming answered 26/10, 2021 at 14:5 Comment(4)

'SSLContext' object attribute 'verify_mode' is read-only – Trotman 11/1, 2022 at 17:26

Whilst I wish there was a better way than using the protected member in Jia's answer, your new answer doesn't substitute for it. In python 3.8 I receive:

urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate

– Enwrap 24/1, 2022 at 12:43

I posted this answer because Jia's answer didn't work for me and this did. – Humming 26/1, 2022 at 18:28

Stack Overflow is a wiki. Instead of writing a new answer that references another answer, you should just edit that other answer to say "if version x, do y, else do z". – Tain 25/5, 2023 at 3:29

As a workaround (not secure), you can turn certificate verification off by setting PYTHONHTTPSVERIFY environment variable to 0:

export PYTHONHTTPSVERIFY=0

Winchester answered 7/3, 2022 at 12:6 Comment(0)

I have a lib what use https://requests.readthedocs.io/en/master/ what use https://pypi.org/project/certifi/ but I have a custom CA included in my /etc/ssl/certs.

So I solved my problem like this:

# Your TLS certificates directory (Debian like)
export SSL_CERT_DIR=/etc/ssl/certs
# CA bundle PATH (Debian like again)
export CA_BUNDLE_PATH="${SSL_CERT_DIR}/ca-certificates.crt"
# If you have a virtualenv:
. ./.venv/bin/activate
# Get the current certifi CA bundle
CERTFI_PATH=`python -c 'import certifi; print(certifi.where())'`

test -L $CERTFI_PATH || rm $CERTFI_PATH
test -L $CERTFI_PATH || ln -s $CA_BUNDLE_PATH $CERTFI_PATH

Et voilà !

Rachele answered 10/1, 2021 at 9:35 Comment(1)

Thanks! This seems like the best solution - I'm using using python 3.11. – Banger 13/7, 2023 at 23:34

Building on the update to Jia's 2018 answer in deltree's late 2021 one I was able to achieve equivalent functionality with:

import urllib.request
import ssl


def urllib_get_2018():
    # Using a protected member like this is not any more fragile
    # than extending the class and using it. I would use it.
    url = 'https://localhost:6667/my-endpoint'
    ssl._create_default_https_context = ssl._create_unverified_context
    with urllib.request.urlopen(url = url) as f:
        print(f.read().decode('utf-8'))


def urllib_get_2022():
    # Finally! Able to use the publice API. Happy happy!
    url = 'https://localhost:6667/my-endpoint'
    scontext = ssl.SSLContext(ssl.PROTOCOL_TLS)
    scontext.verify_mode = ssl.VerifyMode.CERT_NONE
    with urllib.request.urlopen(url = url, context=scontext) as f:
        print(f.read().decode('utf-8'))

I needed to use CERT_NONE instead of CERT_OPTIONAL as well as creating a ssl.SSLContext(ssl.PROTOCOL_TLS) to pass to urlopen.

It's important to keep using urllib as it makes sense when working with small container images where pip might not be installed, yet.

Enwrap answered 24/1, 2022 at 13:49 Comment(0)

When you are using a self signed cert urllib3 version 1.25.3 refuses to ignore the SSL cert

To fix remove urllib3-1.25.3 and install urllib3-1.24.3

pip3 uninstall urllib3

pip3 install urllib3==1.24.3

Tested on Linux MacOS and Window$

Wrack answered 11/9, 2019 at 14:25 Comment(3)

i tried this but it did not work for me (still getting the same error). In my case I think the certificates are valid but are not being used. – Nous 20/9, 2019 at 21:26

If your target has a valid certificate you don't need this fix. To check if you site has a valid certificate run: curl https://target.web.site/ If you get a message "SSL certificate problem: self signed certificate" you have a self signed certificate on your target. If you get a proper answer from the site then the certificate is valid. – Wrack 22/9, 2019 at 13:47

Yeah the error I'm seeing is that my local machine's certificates are not being used. The target's certificates are fine. – Nous 23/9, 2019 at 17:42

I faced the same issue with Ubuntu 20.4 and have tried many solutions but nothing worked out. Finally I just checked openssl version. Even after update and upgrade, the openssl version showed OpenSSL 1.1.1h [22 Sep 2020]. But in my windows system, where the code works without any issue, openssl version is OpenSSL 1.1.1k 25 Mar 2021.

I decided to update the openssl manually and it worked! Thank God!!!

Steps are as follows(Ubuntu 20.4):

*To check openssl version

openssl version -a

*To update openssl:

sudo apt install build-essential checkinstall zlib1g-dev

cd /usr/local/src/

sudo wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

sudo tar -xf openssl-1.1.1k.tar.gz

cd openssl-1.1.1k

sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
sudo make
sudo make test
sudo make install

cd /etc/ld.so.conf.d/
sudo nano openssl-1.1.1k.conf

*Type /usr/local/ssl/lib and save

sudo ldconfig -v
sudo nano /etc/environment

*Add ':/usr/local/ssl/bin' to the path

source /etc/environment
echo $PATH

*Now check openssl version

openssl version -a

Solomonsolon answered 1/12, 2021 at 7:40 Comment(0)

you might exec command: pip install --upgrade certifi or you might opened charles/fiddler, just close it

Appliance answered 20/8, 2022 at 7:30 Comment(0)

-2

I had this problem in MacOS, and I solved it by linking the brew installed python 3 version, with

brew link python3

After that, it worked without a problem.

Suburbanite answered 11/2, 2020 at 20:13 Comment(1)

While just installing python3 via Brew may resolve this issue, it does not address the root cause. FYI for anyone checking out this answer. – Trappist 21/4, 2021 at 19:19

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags