Python TLS Certificate Verification
I am using the Tus Py Client , in a macos High Sierra environment running Python 3.6.6. I am trying to make a HTTPS request to a tusd server.
The tusd server is running successfully behind an nginx proxy with an SSL terminated connection. I can visit the /files/ endpoint successfully in a browser via an SSL/TLS connection.
I am receiving an SSL: CERTIFICATE_VERIFY_FAILED error from
Tus Py Client when making the connection request. Looking at the source code, Tus Py Client uses the requests library to make a web request:
@_catch_requests_error
def create_url(self):
"""
Return upload url.
Makes request to tus server to create a new upload url for the required file upload.
"""
headers = self.headers
headers['upload-length'] = str(self.file_size)
headers['upload-metadata'] = ','.join(self.encode_metadata())
resp = requests.post(self.client.url, headers=headers)
url = resp.headers.get("location")
if url is None:
msg = 'Attempt to retrieve create file url with status '.format(resp.status_code)
raise TusCommunicationError(msg, resp.status_code, resp.content)
return urljoin(self.client.url, url)
If I make a HTTPS request to the tusd server manually from within a python shell, specifying the root certificate to the verify parameter, I can successfully connect:
import requests
resp=requests.get('https://test.example.com:1081/files',verify=<absolute path to cert file>)
However, the Tus Py Client does not appear to offer this override.
I understand that Python 3.6+ now has it's own internal certificate store, so that explains why the trusted certificate in the macos keystore is ignored.
Then I read the documentation for the requests library. This suggests using the REQUESTS_CA_BUNDLE environment variable to specify trusted CAs. Indeed, after setting the environment variable with the path to the root CA certificate I was able to make the HTTPS request using the Tus-Py-Client library.
Am I on the right track with this solution, or is there a better way?
Kind Regards
dcs3spp
python-requests python-3.6 macos-high-sierra
asked Nov 12 '18 at 17:54
dcs3sppdcs3spp
315
add a comment |
I am using the Tus Py Client , in a macos High Sierra environment running Python 3.6.6. I am trying to make a HTTPS request to a tusd server.
The tusd server is running successfully behind an nginx proxy with an SSL terminated connection. I can visit the /files/ endpoint successfully in a browser via an SSL/TLS connection.
I am receiving an SSL: CERTIFICATE_VERIFY_FAILED error from
Tus Py Client when making the connection request. Looking at the source code, Tus Py Client uses the requests library to make a web request:
@_catch_requests_error
def create_url(self):
"""
Return upload url.
Makes request to tus server to create a new upload url for the required file upload.
"""
headers = self.headers
headers['upload-length'] = str(self.file_size)
headers['upload-metadata'] = ','.join(self.encode_metadata())
resp = requests.post(self.client.url, headers=headers)
url = resp.headers.get("location")
if url is None:
msg = 'Attempt to retrieve create file url with status '.format(resp.status_code)
raise TusCommunicationError(msg, resp.status_code, resp.content)
return urljoin(self.client.url, url)
If I make a HTTPS request to the tusd server manually from within a python shell, specifying the root certificate to the verify parameter, I can successfully connect:
import requests
resp=requests.get('https://test.example.com:1081/files',verify=<absolute path to cert file>)
However, the Tus Py Client does not appear to offer this override.
I understand that Python 3.6+ now has it's own internal certificate store, so that explains why the trusted certificate in the macos keystore is ignored.
Then I read the documentation for the requests library. This suggests using the REQUESTS_CA_BUNDLE environment variable to specify trusted CAs. Indeed, after setting the environment variable with the path to the root CA certificate I was able to make the HTTPS request using the Tus-Py-Client library.
Am I on the right track with this solution, or is there a better way?
Kind Regards
dcs3spp
python-requests python-3.6 macos-high-sierra
asked Nov 12 '18 at 17:54
dcs3sppdcs3spp
315
add a comment |
I am using the Tus Py Client , in a macos High Sierra environment running Python 3.6.6. I am trying to make a HTTPS request to a tusd server.
The tusd server is running successfully behind an nginx proxy with an SSL terminated connection. I can visit the /files/ endpoint successfully in a browser via an SSL/TLS connection.
I am receiving an SSL: CERTIFICATE_VERIFY_FAILED error from
Tus Py Client when making the connection request. Looking at the source code, Tus Py Client uses the requests library to make a web request:
@_catch_requests_error
def create_url(self):
"""
Return upload url.
Makes request to tus server to create a new upload url for the required file upload.
"""
headers = self.headers
headers['upload-length'] = str(self.file_size)
headers['upload-metadata'] = ','.join(self.encode_metadata())
resp = requests.post(self.client.url, headers=headers)
url = resp.headers.get("location")
if url is None:
msg = 'Attempt to retrieve create file url with status '.format(resp.status_code)
raise TusCommunicationError(msg, resp.status_code, resp.content)
return urljoin(self.client.url, url)
If I make a HTTPS request to the tusd server manually from within a python shell, specifying the root certificate to the verify parameter, I can successfully connect:
import requests
resp=requests.get('https://test.example.com:1081/files',verify=<absolute path to cert file>)
However, the Tus Py Client does not appear to offer this override.
I understand that Python 3.6+ now has it's own internal certificate store, so that explains why the trusted certificate in the macos keystore is ignored.
Then I read the documentation for the requests library. This suggests using the REQUESTS_CA_BUNDLE environment variable to specify trusted CAs. Indeed, after setting the environment variable with the path to the root CA certificate I was able to make the HTTPS request using the Tus-Py-Client library.
Am I on the right track with this solution, or is there a better way?
Kind Regards
dcs3spp
python-requests python-3.6 macos-high-sierra
asked Nov 12 '18 at 17:54
dcs3sppdcs3spp
315
I am using the Tus Py Client , in a macos High Sierra environment running Python 3.6.6. I am trying to make a HTTPS request to a tusd server.
The tusd server is running successfully behind an nginx proxy with an SSL terminated connection. I can visit the /files/ endpoint successfully in a browser via an SSL/TLS connection.
I am receiving an SSL: CERTIFICATE_VERIFY_FAILED error from
Tus Py Client when making the connection request. Looking at the source code, Tus Py Client uses the requests library to make a web request:
@_catch_requests_error
def create_url(self):
"""
Return upload url.
Makes request to tus server to create a new upload url for the required file upload.
"""
headers = self.headers
headers['upload-length'] = str(self.file_size)
headers['upload-metadata'] = ','.join(self.encode_metadata())
resp = requests.post(self.client.url, headers=headers)
url = resp.headers.get("location")
if url is None:
msg = 'Attempt to retrieve create file url with status '.format(resp.status_code)
raise TusCommunicationError(msg, resp.status_code, resp.content)
return urljoin(self.client.url, url)
If I make a HTTPS request to the tusd server manually from within a python shell, specifying the root certificate to the verify parameter, I can successfully connect:
import requests
resp=requests.get('https://test.example.com:1081/files',verify=<absolute path to cert file>)
However, the Tus Py Client does not appear to offer this override.
I understand that Python 3.6+ now has it's own internal certificate store, so that explains why the trusted certificate in the macos keystore is ignored.
Then I read the documentation for the requests library. This suggests using the REQUESTS_CA_BUNDLE environment variable to specify trusted CAs. Indeed, after setting the environment variable with the path to the root CA certificate I was able to make the HTTPS request using the Tus-Py-Client library.
Am I on the right track with this solution, or is there a better way?
Kind Regards
dcs3spp
python-requests python-3.6 macos-high-sierra
python-requests python-3.6 macos-high-sierra
asked Nov 12 '18 at 17:54
dcs3sppdcs3spp
315
asked Nov 12 '18 at 17:54
dcs3sppdcs3spp
315
asked Nov 12 '18 at 17:54
dcs3sppdcs3spp
315
asked Nov 12 '18 at 17:54
dcs3sppdcs3spp
315
asked Nov 12 '18 at 17:54
dcs3sppdcs3spp
315
315
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53267585%2fpython-tls-certificate-verification%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53267585%2fpython-tls-certificate-verification%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
