
[Python] CA Validation Error Through Python Script But Same CA Works With Curl

Discussion in 'Python' started by Stack, October 25, 2024 at 13:52.

  1. Stack

    Stack Participating Member

    Below is the curl command I’m using to retrieve Jira ticket information. This command is successful.

    tesuser@tessys:~/.certs/jira-keys$ curl -v -X GET -H "Accept: application/json" --cert jira-svc.crt --key jira-svc.key --cacert comp_ca_list.pem https://jira-api.comp.com/jira/rest/api/2/issue/Test-1
    Note: Unnecessary use of -X or --request, GET is already inferred.
    * Trying XXXXXXXXX:443...
    * TCP_NODELAY set
    * Connected to jira-api.comp.com (XXXXXXXXX) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: comp_ca_list.pem
    CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):


    I'm trying to run the Jira API using a Python script with the same certificate, key, and CA bundle. However, I'm encountering an error when CA verification is enabled, while it works fine when CA verification is disabled.

    Below is my Python script:

    import requests, json

    class JiraHandler:
        def __init__(self, user_cert, user_key, ca_bundle):
            self.api_session = requests.session()
            # Client certificate and private key presented to the server
            self.api_session.cert = (user_cert, user_key)
            # CA bundle used to verify the server's certificate chain
            self.api_session.verify = ca_bundle
            self.api_session.headers.update({"Content-Type": "application/json"})
            self.api_url = "https://jira-api.comp.com/jira/rest/api/2/issue/Test-1"

        def set_assignee(self):
            # Issues a GET for the ticket and reports whether it returned HTTP 200
            endpoint = self.api_url
            rsp = self.api_session.get(endpoint)
            if rsp.status_code == 200:
                return True, rsp
            else:
                return False, rsp

    Cert = "/home/tesuser/.certs/jira-keys/jira-svc.crt"
    Key = "/home/tesuser/.certs/jira-keys/jira-svc.key"
    CA = "/home/tesuser/.certs/jira-keys/comp_ca_list.pem"

    def get_jira_handler():
        jira = JiraHandler(user_cert=Cert, user_key=Key, ca_bundle=CA)
        return jira

    jira_handler = get_jira_handler()
    print(jira_handler.set_assignee())


    With CA verification enabled, below is my error:

    Traceback (most recent call last):
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 466, in _make_request
    self._validate_conn(conn)
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1095, in _validate_conn
    conn.connect()
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connection.py", line 730, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connection.py", line 909, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
    File "/usr/local/lib/python3.9/ssl.py", line 501, in wrap_socket
    return self.sslsocket_class._create(
    File "/usr/local/lib/python3.9/ssl.py", line 1041, in _create
    self.do_handshake()
    File "/usr/local/lib/python3.9/ssl.py", line 1310, in do_handshake
    self._sslobj.do_handshake()
    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 789, in urlopen
    response = self._make_request(
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 490, in _make_request
    raise new_e
    urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

    The above exception was the direct cause of the following exception:

    Traceback (most recent call last):
    File "/home/tesuser/.local/lib/python3.9/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/connectionpool.py", line 843, in urlopen
    retries = retries.increment(
    File "/home/tesuser/.local/lib/python3.9/site-packages/urllib3/util/retry.py", line 519, in increment
    raise MaxRetryError(_pool, url, reason) from reason # type: ignore[arg-type]
    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='jira-api.comp.com', port=443): Max retries exceeded with url: /jira/rest/api/2/issue/Test-1 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "/home/tesuser/.certs/jira-keys/new-jira.py", line 28, in <module>
    print(jira_handler.set_assignee())
    File "/home/tesuser/.certs/jira-keys/new-jira.py", line 13, in set_assignee
    rsp = self.api_session.get(endpoint)
    File "/home/tesuser/.local/lib/python3.9/site-packages/requests/sessions.py", line 602, in get
    return self.request("GET", url, **kwargs)
    File "/home/tesuser/.local/lib/python3.9/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
    File "/home/tesuser/.local/lib/python3.9/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
    File "/home/tesuser/.local/lib/python3.9/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
    requests.exceptions.SSLError: HTTPSConnectionPool(host='jira-api.comp.com', port=443): Max retries exceeded with url: /jira/rest/api/2/issue/Test-1 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))


    In the same script, when I disable CA verification as shown below, it works without any issue.

    self.api_session.verify = False
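
The curl log above lists `CApath: /etc/ssl/certs` alongside the `CAfile`, while `session.verify = ca_bundle` gives Python only the bundle file, so a first check before turning verification off is whether the bundle itself contains the self-signed root. The following is an added example, not part of the original post: it audits a PEM bundle offline by comparing raw issuer and subject names (no signature checks). The function names and the command-line usage are assumptions of this sketch.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)             # TBSCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    fields = []                            # serial, sigAlg, issuer, validity, subject
    for _ in range(5):
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def audit_bundle(pem_text):
    """Summarise trust anchors in a PEM bundle (names only, no signatures)."""
    certs = [issuer_subject(base64.b64decode(body))
             for body in PEM_RE.findall(pem_text)]
    subjects = {subject for _, subject in certs}
    return {
        "certificates": len(certs),
        # issuer == subject: self-issued, i.e. a candidate root
        "self_issued": sum(1 for i, s in certs if i == s),
        # issuer not present as any subject: chain stops short of a root
        "dangling_issuers": sum(1 for i, s in certs
                                if i != s and i not in subjects),
    }

if __name__ == "__main__":
    # Usage (the path is the reader's own bundle): python audit_bundle.py ca.pem
    with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
        print(audit_bundle(handle.read()))
```

A result with `self_issued` of 0 or a non-zero `dangling_issuers` means the bundle does not reach a root on its own, and the missing root has to be added to the bundle rather than verification being disabled.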
