Skip to content
This repository has been archived by the owner on Jul 3, 2020. It is now read-only.

SSL: CERTIFICATE_VERIFY_FAILED behind proxy #148

Open
blcktgr73 opened this issue Mar 7, 2019 · 5 comments
Open

SSL: CERTIFICATE_VERIFY_FAILED behind proxy #148

blcktgr73 opened this issue Mar 7, 2019 · 5 comments

Comments

@blcktgr73
Copy link

Hi,

I have proxy server to use and try to send simple message.

token = 'Blah-Blah;
proxy_endpoint = 'http://proxyserverip:8080'
slack = Slacker(token,
http_proxy=proxy_endpoint,
https_proxy=proxy_endpoint,)
slack.chat.post_message('#somechannel', 'Hello!!')

However, error message comes as below
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

I think there is some way to walk around disabling verify with get(..., verify=False).
Is this bug? Is there a way to do this walk around?

SB

@blcktgr73
Copy link
Author

I found temporary solution on this after trying to googling more on similar issues.

Below code works fine, however this has potential security issue. In addition, I think it needed to make a way to enable and disable certification verification during slacker creation.

        response = method(API_BASE_URL.format(api=api),
                          timeout=self.timeout,
                          proxies=self.proxies,
                          verify=False,
                          **kwargs)

SB

@jonbackhaus
Copy link

jonbackhaus commented Feb 18, 2020

I have a similar issue with a twist: our firewall blocks slack.com but allows workspace.slack.com. So I think I need to change the base URL used for the API request. Any thoughts?

@blcktgr73
Copy link
Author

blcktgr73 commented Jun 17, 2020

I found a better fix for this. Actually, the root casue of this issue is that the user's own company cert file is not included in configuration file of certifi package (C:\Python\Python37-32\Lib\site-packages\certifi\cacert.pem). You can refer following link: https://stackoverflow.com/questions/52870795/windows-python-ssl-certificate-verify-failed

As described in the link, you need to add custom ca at the end of cacer.pem file.

Another link for doing this with python script : https://incognitjoe.github.io/adding-certs-to-requests.html

I think this link is also helpful understand certificate related issue for python: https://stackoverflow.com/questions/39356413/how-to-add-a-custom-ca-root-certificate-to-the-ca-store-used-by-pip-in-windows

@os
Copy link
Owner

os commented Jun 21, 2020

I have a similar issue with a twist: our firewall blocks slack.com but allows workspace.slack.com. So I think I need to change the base URL used for the API request. Any thoughts?

Hi, @jonbackhaus. I didn't know that it's possible to use a different URL. What do you think about adding an optional init parameter like base_url or base_api_url where you can pass workspace.slack.com instead?

@os
Copy link
Owner

os commented Jun 21, 2020

I found a better fix for this. Actually, the root casue of this issue is that the user's own company cert file is not included in configuration file of certifi package (C:\Python\Python37-32\Lib\site-packages\certifi\cacert.pem). You can refer following link: https://stackoverflow.com/questions/52870795/windows-python-ssl-certificate-verify-failed

As described in the link, you need to add custom ca at the end of cacer.pem file.

Another link for doing this with python script : https://incognitjoe.github.io/adding-certs-to-requests.html

I think this link is also helpful understand certificate related issue for python: https://stackoverflow.com/questions/39356413/how-to-add-a-custom-ca-root-certificate-to-the-ca-store-used-by-pip-in-windows

Hi, @blcktgr73. So you can fix this issue without any code changes? Do we still need the verify parameter?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants