Python TLS Certificate Verification
up vote
0
down vote
favorite
I am using the Tus Py Client , in a macos High Sierra environment running Python 3.6.6. I am trying to make a HTTPS request to a tusd server.
The tusd server is running successfully behind an nginx proxy with an SSL terminated connection. I can visit the /files/ endpoint successfully in a browser via an SSL/TLS connection.
I am receiving an SSL: CERTIFICATE_VERIFY_FAILED error from
Tus Py Client when making the connection request. Looking at the source code, Tus Py Client uses the requests library to make a web request:
@_catch_requests_error
def create_url(self):
"""
Return upload url.
Makes request to tus server to create a new upload url for the required file upload.
"""
headers = self.headers
headers['upload-length'] = str(self.file_size)
headers['upload-metadata'] = ','.join(self.encode_metadata())
resp = requests.post(self.client.url, headers=headers)
url = resp.headers.get("location")
if url is None:
msg = 'Attempt to retrieve create file url with status {}'.format(resp.status_code)
raise TusCommunicationError(msg, resp.status_code, resp.content)
return urljoin(self.client.url, url)
If I make a HTTPS request to the tusd server manually from within a python shell, specifying the root certificate to the verify parameter, I can successfully connect:
import requests
resp=requests.get('https://test.example.com:1081/files',verify=<absolute path to cert file>)
However, the Tus Py Client does not appear to offer this override.
I understand that Python 3.6+ now has it's own internal certificate store, so that explains why the trusted certificate in the macos keystore is ignored.
Then I read the documentation for the requests library. This suggests using the REQUESTS_CA_BUNDLE environment variable to specify trusted CAs. Indeed, after setting the environment variable with the path to the root CA certificate I was able to make the HTTPS request using the Tus-Py-Client library.
Am I on the right track with this solution, or is there a better way?
Kind Regards
dcs3spp
python-requests python-3.6 macos-high-sierra
asked Nov 12 at 17:54
dcs3spp
215
add a comment |
up vote
0
down vote
favorite
I am using the Tus Py Client , in a macos High Sierra environment running Python 3.6.6. I am trying to make a HTTPS request to a tusd server.
The tusd server is running successfully behind an nginx proxy with an SSL terminated connection. I can visit the /files/ endpoint successfully in a browser via an SSL/TLS connection.
I am receiving an SSL: CERTIFICATE_VERIFY_FAILED error from
Tus Py Client when making the connection request. Looking at the source code, Tus Py Client uses the requests library to make a web request:
@_catch_requests_error
def create_url(self):
"""
Return upload url.
Makes request to tus server to create a new upload url for the required file upload.
"""
headers = self.headers
headers['upload-length'] = str(self.file_size)
headers['upload-metadata'] = ','.join(self.encode_metadata())
resp = requests.post(self.client.url, headers=headers)
url = resp.headers.get("location")
if url is None:
msg = 'Attempt to retrieve create file url with status {}'.format(resp.status_code)
raise TusCommunicationError(msg, resp.status_code, resp.content)
return urljoin(self.client.url, url)
If I make a HTTPS request to the tusd server manually from within a python shell, specifying the root certificate to the verify parameter, I can successfully connect:
import requests
resp=requests.get('https://test.example.com:1081/files',verify=<absolute path to cert file>)
However, the Tus Py Client does not appear to offer this override.
I understand that Python 3.6+ now has it's own internal certificate store, so that explains why the trusted certificate in the macos keystore is ignored.
Then I read the documentation for the requests library. This suggests using the REQUESTS_CA_BUNDLE environment variable to specify trusted CAs. Indeed, after setting the environment variable with the path to the root CA certificate I was able to make the HTTPS request using the Tus-Py-Client library.
Am I on the right track with this solution, or is there a better way?
Kind Regards
dcs3spp
python-requests python-3.6 macos-high-sierra
asked Nov 12 at 17:54
dcs3spp
215
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I am using the Tus Py Client , in a macos High Sierra environment running Python 3.6.6. I am trying to make a HTTPS request to a tusd server.
The tusd server is running successfully behind an nginx proxy with an SSL terminated connection. I can visit the /files/ endpoint successfully in a browser via an SSL/TLS connection.
I am receiving an SSL: CERTIFICATE_VERIFY_FAILED error from
Tus Py Client when making the connection request. Looking at the source code, Tus Py Client uses the requests library to make a web request:
@_catch_requests_error
def create_url(self):
"""
Return upload url.
Makes request to tus server to create a new upload url for the required file upload.
"""
headers = self.headers
headers['upload-length'] = str(self.file_size)
headers['upload-metadata'] = ','.join(self.encode_metadata())
resp = requests.post(self.client.url, headers=headers)
url = resp.headers.get("location")
if url is None:
msg = 'Attempt to retrieve create file url with status {}'.format(resp.status_code)
raise TusCommunicationError(msg, resp.status_code, resp.content)
return urljoin(self.client.url, url)
If I make a HTTPS request to the tusd server manually from within a python shell, specifying the root certificate to the verify parameter, I can successfully connect:
import requests
resp=requests.get('https://test.example.com:1081/files',verify=<absolute path to cert file>)
However, the Tus Py Client does not appear to offer this override.
I understand that Python 3.6+ now has it's own internal certificate store, so that explains why the trusted certificate in the macos keystore is ignored.
Then I read the documentation for the requests library. This suggests using the REQUESTS_CA_BUNDLE environment variable to specify trusted CAs. Indeed, after setting the environment variable with the path to the root CA certificate I was able to make the HTTPS request using the Tus-Py-Client library.
Am I on the right track with this solution, or is there a better way?
Kind Regards
dcs3spp
python-requests python-3.6 macos-high-sierra
asked Nov 12 at 17:54
dcs3spp
215
I am using the Tus Py Client , in a macos High Sierra environment running Python 3.6.6. I am trying to make a HTTPS request to a tusd server.
The tusd server is running successfully behind an nginx proxy with an SSL terminated connection. I can visit the /files/ endpoint successfully in a browser via an SSL/TLS connection.
I am receiving an SSL: CERTIFICATE_VERIFY_FAILED error from
Tus Py Client when making the connection request. Looking at the source code, Tus Py Client uses the requests library to make a web request:
@_catch_requests_error
def create_url(self):
"""
Return upload url.
Makes request to tus server to create a new upload url for the required file upload.
"""
headers = self.headers
headers['upload-length'] = str(self.file_size)
headers['upload-metadata'] = ','.join(self.encode_metadata())
resp = requests.post(self.client.url, headers=headers)
url = resp.headers.get("location")
if url is None:
msg = 'Attempt to retrieve create file url with status {}'.format(resp.status_code)
raise TusCommunicationError(msg, resp.status_code, resp.content)
return urljoin(self.client.url, url)
If I make a HTTPS request to the tusd server manually from within a python shell, specifying the root certificate to the verify parameter, I can successfully connect:
import requests
resp=requests.get('https://test.example.com:1081/files',verify=<absolute path to cert file>)
However, the Tus Py Client does not appear to offer this override.
I understand that Python 3.6+ now has it's own internal certificate store, so that explains why the trusted certificate in the macos keystore is ignored.
Then I read the documentation for the requests library. This suggests using the REQUESTS_CA_BUNDLE environment variable to specify trusted CAs. Indeed, after setting the environment variable with the path to the root CA certificate I was able to make the HTTPS request using the Tus-Py-Client library.
Am I on the right track with this solution, or is there a better way?
Kind Regards
dcs3spp
python-requests python-3.6 macos-high-sierra
python-requests python-3.6 macos-high-sierra
asked Nov 12 at 17:54
dcs3spp
215
asked Nov 12 at 17:54
dcs3spp
215
asked Nov 12 at 17:54
dcs3spp
215
asked Nov 12 at 17:54
dcs3spp
215
asked Nov 12 at 17:54
dcs3spp
215
215
add a comment |
add a comment |
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
active
oldest
votes
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53267585%2fpython-tls-certificate-verification%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
