Python
akelsey, 2020-09-07 12:10:41

Why is a Let's Encrypt certificate considered self-signed in Python 3?

I connect to my Elasticsearch, which is published with a Let's Encrypt certificate, like this:

from elasticsearch import Elasticsearch
#import urllib3
#urllib3.disable_warnings()   # would silence the InsecureRequestWarning when verification is off

es = Elasticsearch(
    host='elastic.********.ru',           # hostname masked
    http_auth=('******', '*********'),    # credentials masked
    use_ssl=True,                         # TLS on, certificate verification left at its default
    #verify_certs=False,                  # uncommenting this makes the connection succeed
    port=9200,
)


Clearly, if you use "verify_certs=False" then everything is OK and it connects, but if you don't, it considers the certificate self-signed and gives this error:

C:/Users/Aleksey/AppData/Local/Programs/Python/Python38/python.exe d:/Personal/MyDocuments/_Python/Projects/Aihr/AIHR_PrepareRecommendation.py
Traceback (most recent call last):
  File "C:\Users\Aleksey\AppData\Local\Programs\Python\Python38\lib\site-packages\urllib3\connectionpool.py", line 670, in urlopen
    httplib_response = self._make_request(
  File "C:\Users\Aleksey\AppData\Local\Programs\Python\Python38\lib\site-packages\urllib3\connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "C:\Users\Aleksey\AppData\Local\Programs\Python\Python38\lib\site-packages\urllib3\connectionpool.py", line 978, in _validate_conn
    conn.connect()
  File "C:\Users\Aleksey\AppData\Local\Programs\Python\Python38\lib\site-packages\urllib3\connection.py", line 362, in connect
    self.sock = ssl_wrap_socket(
  File "C:\Users\Aleksey\AppData\Local\Programs\Python\Python38\lib\site-packages\urllib3\util\ssl_.py", line 384, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\Users\Aleksey\AppData\Local\Programs\Python\Python38\lib\ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Users\Aleksey\AppData\Local\Programs\Python\Python38\lib\ssl.py", line 1040, in _create
    self.do_handshake()
  File "C:\Users\Aleksey\AppData\Local\Programs\Python\Python38\lib\ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1123)


Note the question of where Python 3 stores its list of trusted roots: the behaviour when connecting to the endpoint is the same under Python on Windows and under Python on Ubuntu 18.04. I checked with openssl, and the certificate is trusted and correct; everything is fine in the browser too.
Where do I need to fix something so that Python trusts certificates issued by Let's Encrypt?

1 answer(s)
Vladimir Kuts, 2020-09-07
@akelsey

Read the documentation:


CA certificates
If you are going to require validation of the other side of the connection's certificate, you need to provide a “CA certs” file, filled with the certificate chains for each issuer you are willing to trust. Again, this file just contains these chains concatenated together. For validation, Python will use the first chain it finds in the file which matches. The platform's certificates file can be used by calling SSLContext.load_default_certs(), this is done automatically with create_default_context().

Yes, look where the root certificates come from in your case:
SSLContext.load_default_certs(purpose=Purpose.SERVER_AUTH)
Load a set of default “certification authority” (CA) certificates from default locations. On Windows it loads CA certs from the CA and ROOT system stores. On other systems it calls SSLContext.set_default_verify_paths(). In the future the method may load CA certificates from other locations, too.
The purpose flag specifies what kind of CA certificates are loaded. The default settings Purpose.SERVER_AUTH loads certificates, that are flagged and trusted for TLS web server authentication (client side sockets). Purpose.CLIENT_AUTH loads CA certificates for client certificate verification on the server side.
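As an added example (not code from the question or the answer), here is a stdlib-only way to see which locations this interpreter's load_default_certs() consults, to check whether a particular root CA is actually loaded, and to keep verification on by handing the client an explicit CA bundle. The function names are assumed; ca_certs is the keyword the elasticsearch-py urllib3 connection class accepts for a PEM bundle path.

```python
import ssl
from typing import Optional


def describe_default_trust_store() -> dict:
    """Where this interpreter takes its trust roots from (the locations that
    load_default_certs()/set_default_verify_paths() consult) and how many CA
    certificates the default context actually has loaded."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # calls load_default_certs() for us
    return {
        "cafile": paths.cafile,                  # None if the file does not exist
        "capath": paths.capath,                  # None if the directory does not exist
        "cafile_env": paths.openssl_cafile_env,  # env var that overrides cafile
        "capath_env": paths.openssl_capath_env,  # env var that overrides capath
        # Certificates in a capath directory are only loaded on first use, so
        # this count can be 0 on a capath-only system even when trust works.
        "loaded_ca_count": len(ctx.get_ca_certs()),
    }


def trust_store_has_root(common_name: str, cafile: Optional[str] = None) -> bool:
    """True if a CA certificate whose subject CN equals common_name is loaded,
    either from the platform defaults or from an explicit PEM bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and value == common_name:
                    return True
    return False


def elasticsearch_tls_kwargs(cafile: Optional[str] = None) -> dict:
    """Keyword arguments for Elasticsearch(...) that keep verification on.
    If the platform store lacks the issuer's root, point ca_certs at a PEM
    bundle that contains it instead of setting verify_certs=False."""
    kwargs = {"use_ssl": True, "verify_certs": True}
    if cafile:
        kwargs["ca_certs"] = cafile
    return kwargs


if __name__ == "__main__":
    print(describe_default_trust_store())
    # ISRG Root X1 is Let's Encrypt's own root (a public name, not from the page);
    # False here means no chain to it can be built without an explicit bundle.
    print("ISRG Root X1 loaded:", trust_store_has_root("ISRG Root X1"))
```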
