self signed certificate in certificate chain ?


This might not really be an issue, but I don’t know where the problem is and how I can get around it…

I am testing the O365 from my Mac laptop. I set up a virtual python, Python 3.7.4. I have the following code:

```python
#!/usr/bin/env python

from O365 import Account
import requests
import ssl

credentials = ('some_client_id', 'some_secret')

# Print the CA bundle that requests (via certifi) uses for verification
cafile = requests.certs.where()
print(cafile)

account = Account(credentials, auth_flow_type='credentials', tenant_id='some_tenent_id')
if account.authenticate():
    print('Authenticated!')
```

When I run it, it gives the following message:

```
/Users/user01/myvirtualpython3/lib/python3.7/site-packages/certifi/cacert.pem
Unable to fetch auth token. Error: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /050b6c67-a550-4315-9cb2-1ac8b84a3418/oauth2/v2.0/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)')))
```

On the machine, I tried to get the whole certificate chain by running the following command: `openssl s_client -showcerts -connect login.microsoftonline.com:443`

It gives the following result:

```
CONNECTED(00000006)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 2
verify return:1
depth=0 CN = graph.windows.net
verify return:1

Certificate chain
 0 s:/CN=graph.windows.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 2
[PEM certificate omitted]
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[PEM certificate omitted]

Server certificate
subject=/CN=graph.windows.net
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 2

No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5714 bytes and written 326 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CB4C0000E5BACDDD72DE038007C26CF04589D848F61F5C462A5E8CA41021EAE1
    Session-ID-ctx:
    Master-Key: 00107B6008200AFF6BF2DEEE9BE15DCD37A69BE9E3AC42088CB893A900F26966EC7BD654A78F3FAED3C0A12DD74AE717
    Start Time: 1582838937
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
```

I checked the /Users/user01/myvirtualpython3/lib/python3.7/site-packages/certifi/cacert.pem, it doesn’t have the cert for “CN=Baltimore CyberTrust Root”. I downloaded this CA and added this cert into /Users/user01/myvirtualpython3/lib/python3.7/site-packages/certifi/cacert.pem, but still get the same error.

I don’t know what else I missed. Can someone help me what goes wrong with my testing?

Thanks.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

3 reactions
dderooy commented, Jul 22, 2020

For anyone else experiencing this, I found a workaround. The issue was with my work proxy/firewall cert chain. On my Mac I did the following steps:

  • CLI: `openssl s_client -connect login.microsoftonline.com:443 -showcerts`
  • copy the missing certificate in the chain from there (for me it was the last one, for our proxy server)
  • now find your local cert file path with `cafile = requests.certs.where()` and `print(cafile)` in your Python file.
  • paste the certificate to the end of the file
  • CLI: `echo 'the-copied-cert' >> /your_local_cert_path`

Now rerun your Python file. Hopefully that helps!

0 reactions
JavascriptMick commented, Jun 6, 2022

Thanks @dderooy, this worked for me. My company had installed ‘snooping’ software to snoop HTTPS traffic with a man-in-the-middle style attack, which resulted in Microsoft-flavoured certs in the cert chain.
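
A more durable form of the workaround in the comments above, as an added example that is not from the issue thread or the O365 project: rather than appending to certifi's `cacert.pem` in place (which a certifi upgrade overwrites), it writes a separate bundle and accepts the captured proxy root only if its SHA-256 fingerprint matches one obtained out of band, for example from your IT team. The function names, the sample capture and the placeholder PEM payloads are constructed for illustration; `REQUESTS_CA_BUNDLE` is the environment variable `requests` reads for its CA file.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return [(pem_text, sha256_hex_of_DER)] for every PEM block in text,
    e.g. the output of `openssl s_client -showcerts` or a CA bundle."""
    found = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        found.append((m.group(0), hashlib.sha256(der).hexdigest()))
    return found

def build_bundle(base_bundle, captured, pinned_sha256, out_path):
    """Write base_bundle plus the single captured certificate whose SHA-256
    fingerprint equals pinned_sha256 (a value obtained out of band)."""
    pin = pinned_sha256.replace(":", "").lower()
    match = [pem for pem, fp in pem_blocks(captured) if fp == pin]
    if not match:
        raise ValueError("no captured certificate matches the pinned fingerprint")
    base = Path(base_bundle).read_text()
    parts = [base.rstrip("\n")]
    if pin not in {fp for _, fp in pem_blocks(base)}:  # idempotent on re-run
        parts.append(match[0])
    Path(out_path).write_text("\n".join(parts) + "\n")
    return str(out_path)

def fake_pem(payload):
    """Constructed placeholder: PEM armour around arbitrary bytes, not real X.509."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

# Constructed stand-in for a capture taken behind an intercepting proxy.
SAMPLE_CAPTURE = (
    " 0 s:/CN=leaf.example\n" + fake_pem(b"constructed leaf") + "\n"
    " 1 s:/CN=Example Corp Proxy Root\n" + fake_pem(b"constructed proxy root") + "\n"
)

# Real use (assumed paths): base_bundle=certifi.where(), then run the script with
#   REQUESTS_CA_BUNDLE=/path/to/corp-bundle.pem
```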
