self signed certificate in certificate chain ?
This might not be really an issue, but I don’t know where the problem is and how I can get around it…
I am testing the O365 from my Mac laptop. I set up a virtual python, Python 3.7.4. I have the following code:
```python
#!/usr/bin/env python
from O365 import Account
import requests
import ssl

credentials = ('some_client_id', 'some_secret')

cafile = requests.certs.where()
print(cafile)

account = Account(credentials, auth_flow_type='credentials', tenant_id='some_tenent_id')
if account.authenticate():
    print('Authenticated!')
```
when I run it, it gives the following message:
```
/Users/user01/myvirtualpython3/lib/python3.7/site-packages/certifi/cacert.pem
Unable to fetch auth token. Error: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /050b6c67-a550-4315-9cb2-1ac8b84a3418/oauth2/v2.0/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)')))
```
On the machine, I tried to get the whole certificate chain by running the following command:
```
openssl s_client -showcerts -connect login.microsoftonline.com:443
```
It gives the following result:
```
CONNECTED(00000006)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 2
verify return:1
depth=0 CN = graph.windows.net
verify return:1

Certificate chain
 0 s:/CN=graph.windows.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 2
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

Server certificate
subject=/CN=graph.windows.net
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 2

No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5714 bytes and written 326 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CB4C0000E5BACDDD72DE038007C26CF04589D848F61F5C462A5E8CA41021EAE1
    Session-ID-ctx:
    Master-Key: 00107B6008200AFF6BF2DEEE9BE15DCD37A69BE9E3AC42088CB893A900F26966EC7BD654A78F3FAED3C0A12DD74AE717
    Start Time: 1582838937
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
```
I checked the /Users/user01/myvirtualpython3/lib/python3.7/site-packages/certifi/cacert.pem, it doesn’t have the cert for “CN=Baltimore CyberTrust Root”. I downloaded this CA and added this cert into /Users/user01/myvirtualpython3/lib/python3.7/site-packages/certifi/cacert.pem, but still get the same error.
I don’t know what else I missed. Can someone help me figure out what is going wrong with my testing?
Thanks.
Issue Analytics
- Created 4 years ago
- Comments:6 (1 by maintainers)
Top GitHub Comments
For anyone else experiencing this, I found a workaround. The issue was with my work proxy/firewall cert chain. On my Mac I did the following steps:

```
openssl s_client -connect login.microsoftonline.com:443 -showcerts
echo 'the-copied-cert' >> /your_local_cert_path
```

Now rerun your python file. Hopefully that helps!
Thanks @dderooy, this worked for me. My company had installed ‘snooping’ software to snoop HTTPS traffic with a man-in-the-middle style attack, which resulted in Microsoft-flavoured certs in the cert chain.
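
A more careful version of the append step in the workaround above, added here as an example and not part of the thread or of the O365 project: it validates the pasted PEM, skips certificates already in the bundle, and returns SHA-256 fingerprints to compare against what your IT or security team publishes for the proxy root. The function names and sample certificates are constructed; `REQUESTS_CA_BUNDLE` is the environment variable `requests` reads for a custom CA bundle.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Return [(sha256 of DER, normalised PEM)] for every certificate block.
    Only the PEM framing and base64 are checked; the DER is not parsed."""
    certs = []
    for body in PEM_RE.findall(text):
        # validate=True raises ValueError on non-base64 characters or bad padding
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode()
        rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{rows}\n-----END CERTIFICATE-----\n"
        certs.append((hashlib.sha256(der).hexdigest(), pem))
    return certs

def merge_bundle(base_text, extra_text):
    """Append certs from extra_text that base_text lacks.
    Returns (merged_text, fingerprints_added)."""
    extra = pem_certs(extra_text)
    if not extra:
        raise ValueError("no complete PEM certificate found in input")
    seen = {fp for fp, _ in pem_certs(base_text)}
    merged = base_text.rstrip("\n") + "\n"
    added = []
    for fp, pem in extra:
        if fp not in seen:
            seen.add(fp)
            merged += pem
            added.append(fp)
    return merged, added

def constructed_pem(payload):
    """Constructed sample: PEM framing around arbitrary bytes, not a real cert."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Constructed stand-ins; in real use base is open(certifi.where()).read()
    base = constructed_pem(b"public-root-A")
    proxy = constructed_pem(b"corporate-proxy-root")
    merged, added = merge_bundle(base, proxy + proxy)
    print(len(pem_certs(merged)), "certs in bundle; added", added)
    # Write merged to its own file, then: export REQUESTS_CA_BUNDLE=<that file>
```

Writing the merged bundle to a separate file, rather than editing `site-packages/certifi/cacert.pem` in place, keeps a certifi upgrade from silently overwriting the added root.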