
I try to access a self-signed web server with python requests. While everything works (firefox, openssl), my python program still fails to validate the certificate.

To test that the certificate works I use:

openssl s_client -CAfile selfsigned.xython.fr.crt -servername fqdn -connect selfsigned.xython.fr:443

openssl accepts the certificate with this command. If I omit the CAfile option, openssl normally says it is self-signed.

Now the python script is:

#!/usr/bin/env python3
import requests
import OpenSSL   # pyOpenSSL, used only to inspect the served certificate when the request fails
import ssl
url = 'https://selfsigned.xython.fr'
verify = 'selfsigned.xython.fr.crt'   # the self-signed certificate, used as the trust anchor
try:
    r = requests.get(url, verify=verify)
except requests.exceptions.RequestException as e:
    # Fetch the certificate the server actually presents and print its issuer and subject
    cert = ssl.get_server_certificate(('selfsigned.xython.fr', 443))
    print(cert)
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert)
    print(cert.get_issuer())
    print(cert.get_subject().get_components())
    print(e)

The exception is

HTTPSConnectionPool(host='selfsigned.xython.fr', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'selfsigned.xython.fr'. (_ssl.c:1010)")))

But all the cert.get_xxx calls show me the right selfsigned.xython.fr, so only requests doesn't like my certificate, and I cannot find why.

Any help appreciated.

EDIT:

openssl x509 -in selfsigned.xython.fr.crt -text

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             4d:c7:6b:52:3f:6a:6a:04:a2:ca:4e:81:2b:77:ba:7c:ad:97:08:fe
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C = FR, ST = France, L = Paris, O = xython, OU = tests, CN = selfsigned.xython.fr
>         Validity
>             Not Before: Aug 28 16:56:03 2023 GMT
>             Not After : Aug 25 16:56:03 2033 GMT
>         Subject: C = FR, ST = France, L = Paris, O = xython, OU = tests, CN = selfsigned.xython.fr
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (4096 bit)
>                 Modulus:
>                     00:d8:07:80:ff:f2:d1:ae:79:14:a0:22:e7:31:a6:
>                     47:ab:3b:ab:ee:fb:9a:a9:b8:49:5a:05:a8:64:60:
>                     bf:d4:64:21:13:ec:ba:89:08:df:1e:0f:8a:88:8e:
>                     5c:16:8f:3f:e1:ab:df:57:88:30:69:20:b5:bb:f1:
>                     8c:ee:f4:a4:8d:36:9b:4e:4b:b2:df:90:f6:ad:ac:
>                     b2:1a:d5:13:dd:8a:f9:e5:a0:65:0c:0e:47:78:f5:
>                     90:2d:7c:05:d3:81:69:bf:c6:a8:70:9b:c7:aa:4e:
>                     fe:42:13:57:eb:d9:6c:d9:68:8d:ec:83:7e:1f:15:
>                     e8:6a:c5:51:f2:4a:3a:26:43:44:a5:7f:89:8d:f0:
>                     d5:6c:67:b8:91:33:87:a1:e1:ce:7d:03:4b:16:22:
>                     92:53:f2:4c:6d:e8:82:d7:e7:51:dd:4a:9d:3a:f1:
>                     11:d1:3a:41:4a:1a:e9:1e:e5:aa:88:78:0a:40:04:
>                     ce:3c:5b:60:62:c6:30:85:42:2a:8f:ab:a3:dc:41:
>                     24:87:7c:04:42:7e:73:93:35:17:a1:a8:1c:df:5b:
>                     a5:63:a9:cf:e8:fa:82:ad:e6:c9:f7:19:65:e0:b3:
>                     19:2b:a5:e0:9e:fb:48:39:ed:4c:3d:f3:fb:de:80:
>                     c4:6f:b0:df:e1:24:e6:aa:96:fb:c2:9c:f0:11:98:
>                     7f:a6:8c:b2:ca:ff:0d:01:4d:17:ef:0e:95:c7:49:
>                     df:26:25:21:da:0c:9e:91:ff:fd:eb:33:11:8b:4b:
>                     95:89:77:4f:e9:6c:4f:61:ef:c0:23:64:8f:b4:81:
>                     e0:ce:80:68:36:ca:fa:e1:de:93:a9:72:74:ae:c5:
>                     63:4d:f6:e8:b0:9f:01:d1:f9:aa:a8:d3:fd:c4:00:
>                     e9:d8:5d:58:3b:d3:e5:82:14:8c:12:0b:b6:09:c6:
>                     24:8f:b2:99:9c:1b:04:40:ee:36:67:78:f8:cd:61:
>                     3e:ae:f6:e5:1e:23:fa:1e:b2:5a:4f:cc:8b:80:09:
>                     fd:cd:c6:b9:15:e4:e5:3f:a8:33:93:be:d3:95:db:
>                     39:46:0f:80:e2:3d:6e:c8:74:b9:4d:93:79:78:8c:
>                     25:f2:43:22:8c:4f:9b:9e:1d:0d:67:92:a8:a6:6b:
>                     6c:80:b6:b3:0d:61:13:6e:79:52:8e:72:50:9d:97:
>                     01:e5:d7:9a:2a:b0:87:32:4f:04:d2:48:69:b1:28:
>                     73:c0:29:4b:3a:2b:fb:b4:ff:f9:fc:5b:93:40:54:
>                     14:4b:73:8d:b8:16:5e:72:3b:89:92:9d:35:98:ce:
>                     30:f6:ed:99:cc:16:6a:8b:29:9a:b3:fa:56:2e:27:
>                     7f:57:3e:5a:8f:45:e3:47:a4:cc:1b:23:15:d2:9b:
>                     76:20:47
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier: 
>                 35:1A:EF:44:C7:C3:2C:70:AE:EB:AE:97:25:F6:2D:5E:9F:B9:8A:79
>             X509v3 Authority Key Identifier: 
>                 keyid:35:1A:EF:44:C7:C3:2C:70:AE:EB:AE:97:25:F6:2D:5E:9F:B9:8A:79
> 
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>     Signature Algorithm: sha256WithRSAEncryption
>          c3:0c:e1:f8:7b:0c:28:d8:4f:73:41:d2:58:2e:43:b3:88:d6:
>          dc:f0:d6:ed:78:fb:15:db:47:81:cb:20:a7:63:f3:1a:47:d8:
>          e1:07:62:ac:75:af:f9:1b:bc:06:29:2b:97:0c:d7:4f:23:f9:
>          a0:d5:9b:8b:22:72:8f:f5:05:21:d4:0b:35:f3:06:2f:46:f0:
>          5a:4d:da:17:a0:a3:70:54:7a:31:ad:81:6a:16:ce:a7:19:fb:
>          ba:fb:44:9b:d2:b2:83:94:af:94:f3:30:16:b9:da:a8:d5:21:
>          6b:b5:f8:b6:29:a8:96:ef:c5:41:8b:96:10:43:43:46:fd:8c:
>          5e:a1:b7:df:e7:cc:78:83:0b:d1:76:b3:4d:e2:e4:2d:24:c3:
>          c2:6e:fc:ae:b6:9e:d1:a1:d6:0c:72:c0:cf:f4:a9:d7:d9:0a:
>          e1:4f:7f:d0:3c:7e:75:f0:eb:66:2d:a0:f1:6b:7a:4d:59:a3:
>          02:0e:8e:be:71:61:13:af:d9:ac:60:9d:67:2f:d7:44:08:2d:
>          41:01:95:66:6c:ac:69:0c:2d:11:c4:e8:55:c3:03:59:e9:17:
>          fd:57:91:f6:ba:d3:16:21:e8:e0:ff:8d:5e:c3:40:d4:a7:b6:
>          67:76:05:97:ba:2c:2d:6b:10:63:46:89:fb:d1:4b:0b:ac:62:
>          80:61:fb:78:7e:fd:51:70:58:77:f3:d4:5f:ae:2c:3b:7b:14:
>          46:07:96:85:ce:ff:0f:1d:8a:0d:12:26:f9:e2:e5:6e:12:89:
>          80:46:bd:d4:51:4b:3d:93:25:44:24:22:22:55:03:0d:0b:ee:
>          9c:1a:86:9f:49:13:5a:57:e9:af:54:b1:b3:d1:16:e9:4e:03:
>          73:a7:29:87:3c:3b:1f:6c:a4:97:c3:dc:95:79:2c:73:50:5a:
>          a9:4d:68:37:24:0b:27:84:8f:eb:4a:c5:a8:f2:a8:a7:c7:be:
>          4a:57:9d:aa:82:a2:b1:e4:e9:e5:11:5f:14:30:8c:74:3e:ca:
>          46:d1:ab:23:cd:28:8d:9a:be:56:8d:59:6a:dd:58:ac:54:0a:
>          34:36:d8:ba:ba:7f:22:d5:10:a2:f5:af:a5:c8:41:ee:9f:84:
>          ef:4d:d3:63:ee:af:14:f4:f6:ec:15:29:2e:81:4e:75:81:2b:
>          ca:b7:1e:12:48:7f:f3:ca:50:19:ac:70:52:76:94:46:5c:f2:
>          ca:fd:b2:11:70:3c:6d:6d:12:2a:dd:aa:13:21:a5:27:d8:4d:
>          ab:ee:61:32:d3:04:67:45:1b:b9:d4:e1:c7:ee:f7:cf:fb:4e:
>          80:56:bf:f7:79:bf:87:cd:4e:78:ec:26:9b:54:83:32:2c:1c:
>          77:ee:b0:45:1e:f2:f8:09
> -----BEGIN CERTIFICATE-----
> MIIFvTCCA6WgAwIBAgIUTcdrUj9qagSiyk6BK3e6fK2XCP4wDQYJKoZIhvcNAQEL
> BQAwbjELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkZyYW5jZTEOMAwGA1UEBwwFUGFy
> aXMxDzANBgNVBAoMBnh5dGhvbjEOMAwGA1UECwwFdGVzdHMxHTAbBgNVBAMMFHNl
> bGZzaWduZWQueHl0aG9uLmZyMB4XDTIzMDgyODE2NTYwM1oXDTMzMDgyNTE2NTYw
> M1owbjELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkZyYW5jZTEOMAwGA1UEBwwFUGFy
> aXMxDzANBgNVBAoMBnh5dGhvbjEOMAwGA1UECwwFdGVzdHMxHTAbBgNVBAMMFHNl
> bGZzaWduZWQueHl0aG9uLmZyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
> AgEA2AeA//LRrnkUoCLnMaZHqzur7vuaqbhJWgWoZGC/1GQhE+y6iQjfHg+KiI5c
> Fo8/4avfV4gwaSC1u/GM7vSkjTabTkuy35D2rayyGtUT3Yr55aBlDA5HePWQLXwF
> 04Fpv8aocJvHqk7+QhNX69ls2WiN7IN+HxXoasVR8ko6JkNEpX+JjfDVbGe4kTOH
> oeHOfQNLFiKSU/JMbeiC1+dR3UqdOvER0TpBShrpHuWqiHgKQATOPFtgYsYwhUIq
> j6uj3EEkh3wEQn5zkzUXoagc31ulY6nP6PqCrebJ9xll4LMZK6XgnvtIOe1MPfP7
> 3oDEb7Df4STmqpb7wpzwEZh/poyyyv8NAU0X7w6Vx0nfJiUh2gyekf/96zMRi0uV
> iXdP6WxPYe/AI2SPtIHgzoBoNsr64d6TqXJ0rsVjTfbosJ8B0fmqqNP9xADp2F1Y
> O9PlghSMEgu2CcYkj7KZnBsEQO42Z3j4zWE+rvblHiP6HrJaT8yLgAn9zca5FeTl
> P6gzk77Tlds5Rg+A4j1uyHS5TZN5eIwl8kMijE+bnh0NZ5KopmtsgLazDWETbnlS
> jnJQnZcB5deaKrCHMk8E0khpsShzwClLOiv7tP/5/FuTQFQUS3ONuBZecjuJkp01
> mM4w9u2ZzBZqiymas/pWLid/Vz5aj0XjR6TMGyMV0pt2IEcCAwEAAaNTMFEwHQYD
> VR0OBBYEFDUa70THwyxwruuulyX2LV6fuYp5MB8GA1UdIwQYMBaAFDUa70THwyxw
> ruuulyX2LV6fuYp5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
> AMMM4fh7DCjYT3NB0lguQ7OI1tzw1u14+xXbR4HLIKdj8xpH2OEHYqx1r/kbvAYp
> K5cM108j+aDVm4sico/1BSHUCzXzBi9G8FpN2hego3BUejGtgWoWzqcZ+7r7RJvS
> soOUr5TzMBa52qjVIWu1+LYpqJbvxUGLlhBDQ0b9jF6ht9/nzHiDC9F2s03i5C0k
> w8Ju/K62ntGh1gxywM/0qdfZCuFPf9A8fnXw62YtoPFrek1ZowIOjr5xYROv2axg
> nWcv10QILUEBlWZsrGkMLRHE6FXDA1npF/1Xkfa60xYh6OD/jV7DQNSntmd2BZe6
> LC1rEGNGifvRSwusYoBh+3h+/VFwWHfz1F+uLDt7FEYHloXO/w8dig0SJvni5W4S
> iYBGvdRRSz2TJUQkIiJVAw0L7pwahp9JE1pX6a9UsbPRFulOA3OnKYc8Ox9spJfD
> 3JV5LHNQWqlNaDckCyeEj+tKxajyqKfHvkpXnaqCorHk6eURXxQwjHQ+ykbRqyPN
> KI2avlaNWWrdWKxUCjQ22Lq6fyLVEKL1r6XIQe6fhO9N02PurxT09uwVKS6BTnWB
> K8q3HhJIf/PKUBmscFJ2lEZc8sr9shFwPG1tEirdqhMhpSfYTavuYTLTBGdFG7nU
> 4cfu98/7ToBWv/d5v4fNTnjsJptUgzIsHHfusEUe8vgJ
> -----END CERTIFICATE-----

The key/cert was generated with:

openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/apache2/selfsigned.xython.fr.key -out /etc/ssl/apache2/selfsigned.xython.fr.crt -sha256 -days 3650 -nodes -subj "/C=FR/ST=France/L=Paris/O=xython/OU=tests/CN=selfsigned.xython.fr"

Another EDIT: If someone knows from which project this _ssl.c comes, it would permit finding what it sees instead of the correct fqdn.

EDIT of 29/08/2023: Added output of openssl s_client:

openssl s_client -CAfile selfsigned.xython.fr.crt -servername selfsigned.xython.fr -connect selfsigned.xython.fr:443

CONNECTED(00000003)
depth=0 C = FR, ST = France, L = Paris, O = xython, OU = tests, CN = selfsigned.xython.fr
verify return:1
---
Certificate chain
 0 s:C = FR, ST = France, L = Paris, O = xython, OU = tests, CN = selfsigned.xython.fr
   i:C = FR, ST = France, L = Paris, O = xython, OU = tests, CN = selfsigned.xython.fr
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted here; identical to the certificate shown above]
-----END CERTIFICATE-----
subject=C = FR, ST = France, L = Paris, O = xython, OU = tests, CN = selfsigned.xython.fr

issuer=C = FR, ST = France, L = Paris, O = xython, OU = tests, CN = selfsigned.xython.fr

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2487 bytes and written 480 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 984E846F5C387BBAC464830BB8300C3811D121B6A5286C1128F2CFEFA85AA0C8
    Session-ID-ctx: 
    Master-Key: 463579A7EC740E96F12E156A97F24E6B16DBE9BC34D86740362EF7CFFC5F5D0AD4070FE535E661EAB6D55E18E0C0A01A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 4a 63 b7 7e ac 2f d5 aa-5c 53 e2 0c a7 b7 56 4a   Jc.~./..\S....VJ
    0010 - 16 8e 1a ce 99 1a b4 19-42 e3 85 aa 37 10 3f 34   ........B...7.?4
    0020 - 07 2b 3c 80 97 89 1d 9e-8b 69 60 e6 7e d4 0d db   .+<......i`.~...
    0030 - f9 e1 40 57 d3 a2 e9 a6-28 6b e9 f8 d9 1c 47 aa   ..@W....(k....G.
    0040 - 3c ec 0a 05 97 d7 11 bd-65 fd 0c 8e 49 e2 4d 2b   <.......e...I.M+
    0050 - eb c9 49 e4 94 d4 b1 b4-f9 da 09 54 fc 3d 87 ca   ..I........T.=..
    0060 - 06 4d 36 e9 98 c7 95 90-0c 93 79 05 c1 65 b4 4e   .M6.......y..e.N
    0070 - 2c 78 38 6f 1f 72 84 5f-0d 3f 8b 9d dd 71 78 94   ,x8o.r._.?...qx.
    0080 - de c4 10 4f e2 a2 76 c1-e6 c5 7d 1b 1f 19 30 e6   ...O..v...}...0.
    0090 - 86 27 f6 32 c7 5a c8 23-ce ff 9a 91 f6 1f 1c a7   .'.2.Z.#........
    00a0 - 14 38 c9 50 3d 8b fb d9-e4 a1 01 4e bb 25 00 f0   .8.P=......N.%..
    00b0 - cf 85 71 6f 6e 6b 5a ef-43 4a 6d a0 b3 01 33 8a   ..qonkZ.CJm...3.
    00c0 - 1b 10 30 bb c5 3e 32 b3-84 d0 eb 18 e4 64 21 f2   ..0..>2......d!.
    00d0 - ad c3 ff 68 34 b6 76 87-66 22 3c 1e 5d c6 f6 a6   ...h4.v.f"<.]...

    Start Time: 1693286774
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

ALSO: The issue is not in python-requests, since I reproduce it with urllib3:

import urllib3
from urllib3.connectionpool import HTTPSConnectionPool

conn = HTTPSConnectionPool('selfsigned.xython.fr', ca_certs='./selfsigned.xython.fr.crt', cert_reqs='REQUIRED')
r = conn.request('GET', 'https://selfsigned.xython.fr')

> HTTPSConnectionPool(host='selfsigned.xython.fr', port=None)
> Traceback (most recent call last):
>   File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 467, in _make_request
>     self._validate_conn(conn)
>   File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1092, in _validate_conn
>     conn.connect()
>   File "/usr/lib/python3.11/site-packages/urllib3/connection.py", line 642, in connect
>     sock_and_verified = _ssl_wrap_socket_and_match_hostname(
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/connection.py", line 783, in _ssl_wrap_socket_and_match_hostname
>     ssl_sock = ssl_wrap_socket(
>                ^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
>     ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
>     return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
>     return self.sslsocket_class._create(
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/ssl.py", line 1108, in _create
>     self.do_handshake()
>   File "/usr/lib/python3.11/ssl.py", line 1379, in do_handshake
>     self._sslobj.do_handshake()
> ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'selfsigned.xython.fr'. (_ssl.c:1010)
> 
> During handling of the above exception, another exception occurred:
> 
> Traceback (most recent call last):
>   File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 790, in urlopen
>     response = self._make_request(
>                ^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 491, in _make_request
>     raise new_e
> urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'selfsigned.xython.fr'. (_ssl.c:1010)
> 
> The above exception was the direct cause of the following exception:
> 
> Traceback (most recent call last):
>   File "/home/cpp/xython/./testr.py", line 32, in <module>
>     r = conn.request('GET', 'https://selfsigned.xython.fr')
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/_request_methods.py", line 110, in request
>     return self.request_encode_url(
>            ^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/_request_methods.py", line 143, in request_encode_url
>     return self.urlopen(method, url, **extra_kw)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 874, in urlopen
>     return self.urlopen(
>            ^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 874, in urlopen
>     return self.urlopen(
>            ^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 874, in urlopen
>     return self.urlopen(
>            ^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/connectionpool.py", line 844, in urlopen
>     retries = retries.increment(
>               ^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3.11/site-packages/urllib3/util/retry.py", line 515, in increment
>     raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='selfsigned.xython.fr', port=None): Max retries exceeded with url: https://selfsigned.xython.fr (Caused by SSLError(SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'selfsigned.xython.fr'. (_ssl.c:1010)")))
  • This question would benefit from a minimal reproducible example. If you can update your question to show us the actual fqdn you're using in your request along with the output of openssl x509 -in pathtomycat.crt -noout -text we can probably help you out. Otherwise we're just guessing. Commented Aug 28, 2023 at 15:11
  • If you skip the verify=verify parameter, does it fly? Commented Aug 28, 2023 at 17:49
  • If I remove verify=verify I got: HTTPSConnectionPool(host='selfsigned.xython.fr', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1010)'))) Commented Aug 28, 2023 at 20:29
  • You have many questions in here. The root is that this isn't an issue with requests. If you used just Python's standard socket module with ssl, you would get the same error. Your certificate does not specify a subjectAlternativeName (SAN) and that may help you, but you also need to provide the output of your openssl s_client -connect call because I suspect you're not reading that output correctly Commented Aug 28, 2023 at 21:30
  • Thanks, now I have added openssl s_client output Commented Aug 29, 2023 at 9:16

1 Answer


It was kind of surprising for me, but the reason was that the CName in the certificate isn't enough for Python to verify my server's cert as valid. I also needed to have an alternative name (SAN) added when creating the cert for that server. Afterwards, clients were able to use my server.

openssl req -newkey rsa:4096 -x509 -sha256 -nodes -out my.crt -keyout my.key -addext "subjectAltName=DNS:myhostname.fqdn" -subj "/O=mycompany/CN=myhostname.fqdn"
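The "Hostname mismatch" in the question and the SAN fix in the answer are two sides of one rule: requests and urllib3 hand the hostname check to Python's ssl module, which matches the requested name against the certificate's subjectAltName dNSName entries, and the certificate posted in the question has none. As an added example (not code from the question, the answer, or the requests/urllib3 projects), the stand-alone script below performs that check offline on the certificate posted in the question, using only the standard library: a small DER walker extracts the subject CN and the SAN dNSName entries, and a matcher applies the SAN-only rule, so a certificate can be checked before a client is pointed at it. The function names, the 128-column wrapping of the embedded PEM body, and the wildcard rule in dns_name_matches (a single '*' as the whole leftmost label with at least two labels after it) are my own choices; the certificate bytes are the ones posted in the question.

```python
import base64
import re

# Certificate posted in the question (subject CN only, no subjectAltName).
# The base64 body is wrapped at 128 columns here; whitespace is stripped before decoding.
QUESTION_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFvTCCA6WgAwIBAgIUTcdrUj9qagSiyk6BK3e6fK2XCP4wDQYJKoZIhvcNAQELBQAwbjELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkZyYW5jZTEOMAwGA1UEBwwFUGFy
aXMxDzANBgNVBAoMBnh5dGhvbjEOMAwGA1UECwwFdGVzdHMxHTAbBgNVBAMMFHNlbGZzaWduZWQueHl0aG9uLmZyMB4XDTIzMDgyODE2NTYwM1oXDTMzMDgyNTE2NTYw
M1owbjELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkZyYW5jZTEOMAwGA1UEBwwFUGFyaXMxDzANBgNVBAoMBnh5dGhvbjEOMAwGA1UECwwFdGVzdHMxHTAbBgNVBAMMFHNl
bGZzaWduZWQueHl0aG9uLmZyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2AeA//LRrnkUoCLnMaZHqzur7vuaqbhJWgWoZGC/1GQhE+y6iQjfHg+KiI5c
Fo8/4avfV4gwaSC1u/GM7vSkjTabTkuy35D2rayyGtUT3Yr55aBlDA5HePWQLXwF04Fpv8aocJvHqk7+QhNX69ls2WiN7IN+HxXoasVR8ko6JkNEpX+JjfDVbGe4kTOH
oeHOfQNLFiKSU/JMbeiC1+dR3UqdOvER0TpBShrpHuWqiHgKQATOPFtgYsYwhUIqj6uj3EEkh3wEQn5zkzUXoagc31ulY6nP6PqCrebJ9xll4LMZK6XgnvtIOe1MPfP7
3oDEb7Df4STmqpb7wpzwEZh/poyyyv8NAU0X7w6Vx0nfJiUh2gyekf/96zMRi0uViXdP6WxPYe/AI2SPtIHgzoBoNsr64d6TqXJ0rsVjTfbosJ8B0fmqqNP9xADp2F1Y
O9PlghSMEgu2CcYkj7KZnBsEQO42Z3j4zWE+rvblHiP6HrJaT8yLgAn9zca5FeTlP6gzk77Tlds5Rg+A4j1uyHS5TZN5eIwl8kMijE+bnh0NZ5KopmtsgLazDWETbnlS
jnJQnZcB5deaKrCHMk8E0khpsShzwClLOiv7tP/5/FuTQFQUS3ONuBZecjuJkp01mM4w9u2ZzBZqiymas/pWLid/Vz5aj0XjR6TMGyMV0pt2IEcCAwEAAaNTMFEwHQYD
VR0OBBYEFDUa70THwyxwruuulyX2LV6fuYp5MB8GA1UdIwQYMBaAFDUa70THwyxwruuulyX2LV6fuYp5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
AMMM4fh7DCjYT3NB0lguQ7OI1tzw1u14+xXbR4HLIKdj8xpH2OEHYqx1r/kbvAYpK5cM108j+aDVm4sico/1BSHUCzXzBi9G8FpN2hego3BUejGtgWoWzqcZ+7r7RJvS
soOUr5TzMBa52qjVIWu1+LYpqJbvxUGLlhBDQ0b9jF6ht9/nzHiDC9F2s03i5C0kw8Ju/K62ntGh1gxywM/0qdfZCuFPf9A8fnXw62YtoPFrek1ZowIOjr5xYROv2axg
nWcv10QILUEBlWZsrGkMLRHE6FXDA1npF/1Xkfa60xYh6OD/jV7DQNSntmd2BZe6LC1rEGNGifvRSwusYoBh+3h+/VFwWHfz1F+uLDt7FEYHloXO/w8dig0SJvni5W4S
iYBGvdRRSz2TJUQkIiJVAw0L7pwahp9JE1pX6a9UsbPRFulOA3OnKYc8Ox9spJfD3JV5LHNQWqlNaDckCyeEj+tKxajyqKfHvkpXnaqCorHk6eURXxQwjHQ+ykbRqyPN
KI2avlaNWWrdWKxUCjQ22Lq6fyLVEKL1r6XIQe6fhO9N02PurxT09uwVKS6BTnWBK8q3HhJIf/PKUBmscFJ2lEZc8sr9shFwPG1tEirdqhMhpSfYTavuYTLTBGdFG7nU
4cfu98/7ToBWv/d5v4fNTnjsJptUgzIsHHfusEUe8vgJ
-----END CERTIFICATE-----"""

OID_COMMON_NAME = b"\x55\x04\x03"       # 2.5.4.3
OID_SUBJECT_ALT_NAME = b"\x55\x1d\x11"  # 2.5.29.17
TAG_DNS_NAME = 0x82                     # GeneralName dNSName: [2] IMPLICIT IA5String

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos).
    X.509 certificates use single-byte tags only, so multi-byte tags are not handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the body of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def tbs_fields(pem):
    """Fields of tbsCertificate, with the optional EXPLICIT [0] version dropped."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    _, cert, _ = read_tlv(der)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)          # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    return fields[1:] if fields[0][0] == 0xA0 else fields

def subject_cn(pem):
    # tbsCertificate order: serial, signature, issuer, validity, subject, spki, ...
    for _, rdn in children(tbs_fields(pem)[4][1]):   # Name ::= SEQUENCE OF SET OF ATV
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode("utf-8")      # PrintableString or UTF8String
    return None

def san_dns_names(pem):
    for tag, val in tbs_fields(pem):
        if tag != 0xA3:                 # EXPLICIT [3] extensions
            continue
        for _, ext in children(read_tlv(val)[1]):
            parts = children(ext)       # extnID, optional critical, extnValue
            if parts[0][1] == OID_SUBJECT_ALT_NAME:
                names = read_tlv(parts[-1][1])[1]    # OCTET STRING wraps GeneralNames
                return [v.decode("ascii") for t, v in children(names) if t == TAG_DNS_NAME]
    return []

def dns_name_matches(pattern, hostname):
    """Case-insensitive label match; '*' is accepted only as the whole leftmost
    label, stands for exactly one label, and needs two more labels after it."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def hostname_accepted(pem, hostname):
    """SAN-only rule seen in the question's traceback: the CN is never consulted."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names(pem))

def preflight(pem, hostname):
    sans = san_dns_names(pem)
    if hostname_accepted(pem, hostname):
        return "OK: %r matches SAN %r" % (hostname, sans)
    if not sans:
        return "FAIL: no subjectAltName; CN %r alone is not used for hostname matching" % subject_cn(pem)
    return "FAIL: %r not listed in SAN %r" % (hostname, sans)
```

Run against the question's certificate, preflight(QUESTION_CERT_PEM, "selfsigned.xython.fr") returns the FAIL line naming the CN and the missing SAN, which is the condition the traceback reports. After the certificate is regenerated with the -addext "subjectAltName=DNS:..." option from the answer, san_dns_names returns that name and hostname_accepted is true for it; the client code does not need to change.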