Python3 not utilizing added CA certificates
I cannot get Python to recognize the default system concatenated CAfile by default.
After installing python3, libressl, libressl-devel, and ca-certificates, I added several more CA certificates to /usr/local/share/ca-certificates, ran update-ca-certificates, and confirmed that the certs were added to /etc/ssl/certs/ca-certificates.crt.
However, attempting to use pip3 to install a package from an index server using a certificate signed by the CA returns the following error:
Could not fetch URL https://pydev.example.com/develop/pydev/awesome-package/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749) - skipping
Confirmed via curl that the cert is present and works:
/usr/local/share/ca-certificates # curl -Ikv https://pydev.example.com
* Rebuilt URL to: https://pydev.example.com/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.0.2.1...
* TCP_NODELAY set
* Connected to pydev.example.com (192.0.2.1) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3443 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=IL; L=Chicago; O=A; CN=pydev.example.com
*  start date: Oct 18 14:11:02 2017 GMT
*  expire date: Oct 17 14:11:02 2020 GMT
*  issuer: DC=com; DC=example; CN=CA05
*  SSL certificate verify ok.
Additional detail from Python3 SSL module:
/ # python3
Python 3.6.1 (default, Oct 2 2017, 20:46:59)
[GCC 6.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath='/etc/ssl/certs',
                   openssl_cafile_env='SSL_CERT_FILE',
                   openssl_cafile='/etc/ssl/cert.pem',
                   openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/ssl/certs')
(from redmine: issue id 8135, created on 2017-11-12)
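Added example, not part of the issue and not Alpine or CPython project code: a small Python script that reproduces the lookup behind ssl.get_default_verify_paths() (environment variable first, then the compiled-in OpenSSL default, and None if the result is not a regular file or directory) and reports whether the bundle written by update-ca-certificates is the cafile a default context will actually load. A cafile of None, as in the session above, therefore means /etc/ssl/cert.pem was not a regular file at that moment; a bundle that merely sits inside the capath directory is not consulted either, because OpenSSL resolves capath entries by subject-hash file name. The bundle path /etc/ssl/certs/ca-certificates.crt is taken from the issue; the function names, simulate_issue() and its scratch directory with an empty placeholder bundle are constructed for illustration.

```python
import os
import ssl
import tempfile

# Bundle written by update-ca-certificates, path taken from the issue text.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def resolve_default_locations(paths, environ):
    """Reproduce the lookup that ssl.get_default_verify_paths() performs.

    `paths` is an ssl.DefaultVerifyPaths tuple (compiled-in OpenSSL defaults
    plus the names of the overriding environment variables); `environ` is
    any mapping, so os.environ or a test dict both work. The environment
    variable shadows the compiled-in default, and a cafile that is not a
    regular file (or a capath that is not a directory) collapses to None.
    """
    cafile = environ.get(paths.openssl_cafile_env, paths.openssl_cafile)
    capath = environ.get(paths.openssl_capath_env, paths.openssl_capath)
    return (cafile if os.path.isfile(cafile) else None,
            capath if os.path.isdir(capath) else None)


def diagnose(paths, environ, bundle=SYSTEM_BUNDLE):
    """Report whether `bundle` is the cafile the default context will load.

    Returns the resolved cafile/capath, a boolean for "bundle is the
    cafile", and the environment setting that would make it so (None when
    nothing needs changing). A bundle inside capath does not count: OpenSSL
    looks capath entries up by subject-hash filename, not by bundle name.
    """
    cafile, capath = resolve_default_locations(paths, environ)
    uses_bundle = (cafile is not None
                   and os.path.realpath(cafile) == os.path.realpath(bundle))
    return {
        "cafile": cafile,
        "capath": capath,
        "bundle_is_cafile": uses_bundle,
        "fix": None if uses_bundle else f"{paths.openssl_cafile_env}={bundle}",
    }


def context_for_bundle(bundle=SYSTEM_BUNDLE):
    """Verifying client context pinned to the bundle for this process only.

    Same effect as exporting SSL_CERT_FILE, without touching the environment;
    certificate verification and hostname checking keep their secure defaults.
    """
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=bundle)
    return ctx


def simulate_issue(set_env_override):
    """Rebuild the issue's layout in a scratch directory (constructed sample).

    The concatenated bundle exists inside the capath directory, but the
    compiled-in cafile does not, so the bundle is never opened as a CAfile
    unless SSL_CERT_FILE points at it.
    """
    with tempfile.TemporaryDirectory() as scratch:
        bundle = os.path.join(scratch, "ca-certificates.crt")
        with open(bundle, "w") as fh:
            fh.write("# constructed placeholder bundle, no real certificates\n")
        paths = ssl.DefaultVerifyPaths(
            None, None,
            "SSL_CERT_FILE", os.path.join(scratch, "cert.pem"),  # absent file
            "SSL_CERT_DIR", scratch)
        env = {"SSL_CERT_FILE": bundle} if set_env_override else {}
        return diagnose(paths, env, bundle=bundle)


if __name__ == "__main__":
    # Diagnose the real interpreter: this is what pip's verification sees.
    for key, value in diagnose(ssl.get_default_verify_paths(), os.environ).items():
        print(f"{key}: {value}")
```

Run it with the same interpreter pip3 uses; if `bundle_is_cafile` is False, the `fix` line gives the SSL_CERT_FILE setting to export (or pass the bundle to pip with `--cert`), and context_for_bundle() shows the per-process equivalent for your own code.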