niess/python-appimage

SSL: CERTIFICATE_VERIFY_FAILED unable to get local issuer certificate

maltfield opened this issue · 5 comments

The python3.7 AppImage released by this repo appears to be unable to make safe https requests using the python built-in urllib module. Any request over https results in the following error:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)

Steps to Reproduce

wget https://github.com/niess/python-appimage/releases/download/python3.7/python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage
chmod +x python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage 
./python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage -c "import urllib.request; urllib.request.urlopen('https://wikipedia.org' )"

Example Execution

user@disp569:~$ wget https://github.com/niess/python-appimage/releases/download/python3.7/python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage
--2020-08-09 18:19:04--  https://github.com/niess/python-appimage/releases/download/python3.7/python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage
Resolving github.com (github.com)... 140.82.118.3
Connecting to github.com (github.com)|140.82.118.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/251001753/16f68580-d46d-11ea-8073-30739bb2f961?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200809%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200809T123406Z&X-Amz-Expires=300&X-Amz-Signature=e9a3c5ba6eb1091ce71cb60a26965550af337ef911e3cfefc55aa1f3540447e8&X-Amz-SignedHeaders=host&actor_id=0&repo_id=251001753&response-content-disposition=attachment%3B%20filename%3Dpython3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage&response-content-type=application%2Foctet-stream [following]
--2020-08-09 18:19:05--  https://github-production-release-asset-2e65be.s3.amazonaws.com/251001753/16f68580-d46d-11ea-8073-30739bb2f961?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200809%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200809T123406Z&X-Amz-Expires=300&X-Amz-Signature=e9a3c5ba6eb1091ce71cb60a26965550af337ef911e3cfefc55aa1f3540447e8&X-Amz-SignedHeaders=host&actor_id=0&repo_id=251001753&response-content-disposition=attachment%3B%20filename%3Dpython3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.133.99
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.133.99|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17485864 (17M) [application/octet-stream]
Saving to: ‘python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage’

python3.7.8-cp37-cp 100%[===================>]  16.68M  1.02MB/s    in 14s     

2020-08-09 18:19:21 (1.17 MB/s) - ‘python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage’ saved [17485864/17485864]

user@disp569:~$ 

user@disp569:~$ chmod +x python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage 
user@disp569:~$ ./python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage -c "import urllib.request; urllib.request.urlopen( 'https://wikipedia.org' )"
Traceback (most recent call last):
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/urllib/request.py", line 1350, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/http/client.py", line 1262, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/http/client.py", line 1308, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/http/client.py", line 1257, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/http/client.py", line 1028, in _send_output
    self.send(msg)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/http/client.py", line 968, in send
    self.connect()
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/http/client.py", line 1432, in connect
    server_hostname=server_hostname)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/urllib/request.py", line 543, in _open
    '_open', req)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/urllib/request.py", line 503, in _call_chain
    result = func(*args)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/urllib/request.py", line 1393, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/tmp/.mount_pythonqGMWe3/opt/python3.7/lib/python3.7/urllib/request.py", line 1352, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)>
user@disp569:~$ 

Expected Behaviour

The python3 built in to Debian 10 makes the request without any certificate issues:

user@disp569:~$ cat /etc/issue
Debian GNU/Linux 10 \n \l

user@disp569:~$ sudo dpkg -l | grep python3
ii  libpython3-stdlib:amd64               3.7.3-1                             amd64        interactive high-level object-oriented language (default python3 version)
ii  libpython3.7:amd64                    3.7.3-2+deb10u2                     amd64        Shared Python runtime library (version 3.7)
ii  libpython3.7-minimal:amd64            3.7.3-2+deb10u2                     amd64        Minimal subset of the Python language (version 3.7)
ii  libpython3.7-stdlib:amd64             3.7.3-2+deb10u2                     amd64        Interactive high-level object-oriented language (standard library, version 3.7)
ii  python3                               3.7.3-1                             amd64        interactive high-level object-oriented language (default python3 version)
ii  python3-apt                           1.8.4.1                             amd64        Python 3 interface to libapt-pkg
ii  python3-asn1crypto                    0.24.0-1                            all          Fast ASN.1 parser and serializer (Python 3)
ii  python3-bcrypt                        3.1.6-1                             amd64        password hashing library for Python 3
ii  python3-cairo:amd64                   1.16.2-1+b1                         amd64        Python3 bindings for the Cairo vector graphics library
ii  python3-certifi                       2018.8.24-1                         all          root certificates for validating SSL certs and verifying TLS hosts (python3)
ii  python3-cffi-backend                  1.12.2-1                            amd64        Foreign Function Interface for Python 3 calling C code - runtime
ii  python3-chardet                       3.0.4-3                             all          universal character encoding detector for Python3
ii  python3-croniter                      0.3.24-2                            all          provides iteration for datetime object with cron like format - Python 3.x
ii  python3-crypto                        2.6.1-9+b1                          amd64        cryptographic algorithms and protocols for Python 3
ii  python3-cryptography                  2.6.1-3+deb10u2                     amd64        Python library exposing cryptographic recipes and primitives (Python 3)
ii  python3-cups                          1.9.73-2+b1                         amd64        Python3 bindings for CUPS
ii  python3-cupshelpers                   1.5.11-4                            all          Python utility modules around the CUPS printing system
ii  python3-daemon                        2.2.3-1                             all          library for making a Unix daemon process  Python 3
ii  python3-dateutil                      2.7.3-3                             all          powerful extensions to the standard Python 3 datetime module
ii  python3-dbus                          1.2.8-3                             amd64        simple interprocess messaging system (Python 3 interface)
ii  python3-debconf                       1.5.71                              all          interact with debconf from Python 3
ii  python3-debian                        0.1.35                              all          Python 3 modules to work with Debian-related data formats
ii  python3-debianbts                     2.8.2                               all          Python interface to Debian's Bug Tracking System
ii  python3-distro                        1.3.0-1                             all          Linux OS platform information API
ii  python3-distutils                     3.7.3-1                             all          distutils package for Python 3.x
ii  python3-gi                            3.30.4-1                            amd64        Python 3 bindings for gobject-introspection libraries
ii  python3-gi-cairo                      3.30.4-1                            amd64        Python 3 Cairo bindings for the GObject library
ii  python3-httplib2                      0.11.3-2                            all          comprehensive HTTP client library written for Python3
ii  python3-idna                          2.6-1                               all          Python IDNA2008 (RFC 5891) handling (Python 3)
ii  python3-jinja2                        2.10-2                              all          small but fast and easy to use stand-alone template engine
ii  python3-jmespath                      0.9.4-1                             all          JSON Matching Expressions (Python 3)
ii  python3-kerberos                      1.1.14-2                            amd64        GSSAPI interface module - Python 3.x
ii  python3-lib2to3                       3.7.3-1                             all          Interactive high-level object-oriented language (2to3, version 3.6)
ii  python3-libcloud                      2.4.0-1                             all          unified Python interface into the cloud (Python3 version)
ii  python3-lockfile                      1:0.12.2-2                          all          file locking library for Python  Python 3 library
ii  python3-markupsafe                    1.1.0-1                             amd64        HTML/XHTML/XML string library for Python 3
ii  python3-minimal                       3.7.3-1                             amd64        minimal subset of the Python language (default python3 version)
ii  python3-msgpack                       0.5.6-1+b1                          amd64        Python 3 implementation of MessagePack format
ii  python3-nacl                          1.3.0-2                             amd64        Python bindings to libsodium (Python 3)
ii  python3-netaddr                       0.7.19-1                            all          manipulation of various common network address notations (Python 3)
ii  python3-ntlm-auth                     1.1.0-1                             all          NTLM low-level Python library
ii  python3-numpy                         1:1.16.2-1                          amd64        Fast array facility to the Python 3 language
ii  python3-olefile                       0.46-1                              all          Python module to read/write MS OLE2 files
ii  python3-paramiko                      2.4.2-0.1                           all          Make ssh v2 connections (Python 3)
ii  python3-pil:amd64                     5.4.1-2+deb10u2                     amd64        Python Imaging Library (Python3)
ii  python3-pkg-resources                 40.8.0-1                            all          Package Discovery and Resource Access using pkg_resources
ii  python3-psutil                        5.5.1-1                             amd64        module providing convenience functions for managing processes (Python3)
ii  python3-pyasn1                        0.4.2-3                             all          ASN.1 library for Python (Python 3 module)
ii  python3-pycurl                        7.43.0.2-0.1                        amd64        Python bindings to libcurl (Python 3)
ii  python3-pysimplesoap                  1.16.2-1                            all          simple and lightweight SOAP Library (Python 3)
ii  python3-qubesdb                       4.0.13-1+deb10u1                    amd64        QubesDB python bindings.
ii  python3-reportbug                     7.5.3~deb10u1                       all          Python modules for interacting with bug tracking systems
ii  python3-requests                      2.21.0-1                            all          elegant and simple HTTP library for Python3, built for human beings
ii  python3-requests-kerberos             0.11.0-2                            all          Kerberos/GSSAPI authentication handler for python-requests - Python 3.x
ii  python3-requests-ntlm                 1.1.0-1                             all          Adds support for NTLM authentication to the requests library
ii  python3-scour                         0.37-2                              all          SVG scrubber and optimizer (Python 3 module)
ii  python3-selinux                       2.8-1+b1                            amd64        Python3 bindings to SELinux shared libraries
ii  python3-simplejson                    3.16.0-1                            amd64        simple, fast, extensible JSON encoder/decoder for Python 3.x
ii  python3-six                           1.12.0-1                            all          Python 2 and 3 compatibility library (Python 3 interface)
ii  python3-smbc                          1.0.15.6-1+b2                       amd64        Python 3 bindings for the Samba client library
ii  python3-tornado4                      4.5.3-3                             amd64        scalable, non-blocking web server and tools - Python 3 package
ii  python3-tz                            2019.1-1                            all          Python3 version of the Olson timezone database
ii  python3-uno                           1:6.1.5-3+deb10u6                   amd64        Python-UNO bridge
ii  python3-urllib3                       1.24.1-1                            all          HTTP library with thread-safe connection pooling for Python3
ii  python3-winrm                         0.3.0-2                             all          Python 3 library for Windows Remote Management
ii  python3-xcffib                        0.8.1-1+deb10u1                     amd64        This package is a Python binding for XCB (Python 3)
ii  python3-xdg                           0.25-5                              all          Python 3 library to access freedesktop.org standards
ii  python3-xmltodict                     0.11.0-2                            all          Makes working with XML feel like you are working with JSON (Python 3)
ii  python3-yaml                          3.13-2                              amd64        YAML parser and emitter for Python3
ii  python3.7                             3.7.3-2+deb10u2                     amd64        Interactive high-level object-oriented language (version 3.7)
ii  python3.7-minimal                     3.7.3-2+deb10u2                     amd64        Minimal subset of the Python language (version 3.7)
user@disp569:~$ python3.7 --version
Python 3.7.3
user@disp569:~$ python3.7 -c "import urllib.request; urllib.request.urlopen( 'https://wikipedia.org' )"
user@disp569:~$ 

Can reproduce on Arch Linux with ./python3.7.8-cp37-cp37m-manylinux2014_x86_64.AppImage

Might be related. The AppImage might not have packaged the symlink to the certs.pem.

https://github.com/pypa/manylinux/blob/121d0775b4c738b668ede697ed7c07442519603b/docker/build_scripts/build.sh#L138-L146

@maltfield this might help as well

>>> import urllib.request
>>> import certifi
>>> 
>>> resp = urllib.request.urlopen('https://wikipedia.org', cafile=certifi.where())

@srevinsaju That workaround is successful, thank you!

niess commented

Hello @maltfield. Thank you for reporting this issue. @srevinsaju Thank you for debugging this :)

I updated python-appimage such that if any SSL_CERT_FILE is found in the env (e.g. on manylinux) then it is bundled in the AppImage and exported in AppRun. So, @maltfield your issue should be solved with the latest AppImages.

Hopefully this patch won't generate new issues.
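
The thread traces the failure to a CA bundle that the AppImage did not carry, and the fix exports `SSL_CERT_FILE`. As an added example (not code from python-appimage or from any commenter), the sketch below reports which CA file and directory the interpreter's OpenSSL will consult, honoring that override, and builds a context that keeps verification on; `resolve_ca_sources`, `verifying_context` and `fallback_cafile` are hypothetical names.

```python
import os
import ssl


def resolve_ca_sources(environ=None, paths=None):
    """Return the CA file and directory OpenSSL will consult, and whether each exists.

    SSL_CERT_FILE / SSL_CERT_DIR override the locations compiled into the
    libssl that ships with the interpreter.
    """
    environ = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths() if paths is None else paths
    cafile = environ.get(paths.openssl_cafile_env, paths.openssl_cafile)
    capath = environ.get(paths.openssl_capath_env, paths.openssl_capath)
    return {
        "cafile": cafile,
        "cafile_exists": os.path.isfile(cafile),
        # An existing directory may still hold no hashed certificates.
        "capath": capath,
        "capath_exists": os.path.isdir(capath),
    }


def verifying_context(fallback_cafile=None, environ=None, paths=None):
    """Build a client context that always verifies the peer.

    If neither default CA location exists, load fallback_cafile (for example
    the path returned by certifi.where()) instead of turning verification off.
    """
    src = resolve_ca_sources(environ, paths)
    missing = not (src["cafile_exists"] or src["capath_exists"])
    if missing and fallback_cafile is None:
        raise FileNotFoundError(
            "no CA bundle at %r or %r" % (src["cafile"], src["capath"]))
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if missing:
        ctx.load_verify_locations(cafile=fallback_cafile)
    return ctx


if __name__ == "__main__":
    for key, value in resolve_ca_sources().items():
        print("%-14s %s" % (key, value))
```

Run inside the AppImage, a `cafile_exists` and `capath_exists` that are both false is the condition that produces "unable to get local issuer certificate"; the `environ` and `paths` parameters exist only so the lookup can be exercised with constructed values.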