How to update cacerts.txt of httplib2 for Github?
Question:
I am trying to use Github API with httplib2. But when I making requests to it’s endpoints, it gives me following error:
import httplib2
h = httplib2.Http()
h.request('https://api.github.com/gists')
# OUT: Traceback (most recent call last):
# OUT: File "<input>", line 1, in <module>
# OUT: File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1570, in request
# OUT: (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
# OUT: File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1317, in _request
# OUT: (response, content) = self._conn_request(conn, request_uri, method, body, headers)
# OUT: File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1252, in _conn_request
# OUT: conn.connect()
# OUT: File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1044, in connect
# OUT: raise SSLHandshakeError(e)
# OUT: SSLHandshakeError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I could use following workaround:
h = httplib2.Http(disable_ssl_certificate_validation=True)
h.request('https://api.github.com/gists')
# OUT: ({'content-length': '58443' ...
But this is still a workaround, and I am wondering how to properly validate SSL certificate for Github with httplib2. Searching Google I found that I should update cacerts.txt of that library, but don’t know how, and where get certificate authority for Github. Or is there any other right way to send requests throught https, without certificate verification problems?
Answers:
UPD: The easiest way is to open GitHub in Firefox, View Page info -> Security -> View Certificate -> Details -> Export -> As PEM file. And also it is better to use requests.
From the information which Firefox gives about https connection, I found out that certificate for GitHub is “DigiCert High Assurance EV Root CA”, which could be found here: http://curl.haxx.se/ca/cacert.pem
Text of certificate could be pasted to the httplib2.__path__ + '/cacerts.txt', or saved to separate file and than http connection should be created with:
h = httplib2.Http(ca_certs='/path/to/that/file')
just update httplib2 package by
pip install --upgrade httplib2
or you can replace cacerts.txt this file directly
https://github.com/httplib2/httplib2/blob/master/python2/httplib2/cacerts.txt
also if you use boto.txt file then you might use like
boto.txt
ca_certificates_file = /etc/ssl/certs/ca-bundle.crt <--- location of your system cert
or you can specify your httplib2 cacerts.txt file by
ca_certificates_file = /usr/local/lib/python2.7/dist-packages/httplib2/python2/httplib2/cacerts.txt
Starting in httplib2 version 0.12, you can specify your custom certificates path with an environment variable:
export HTTPLIB2_CA_CERTS="pathtoyourCA_certs_bundle"
As I mentioned in a similar question, this is useful when you are not using httplib2 directly in your code, but it is present as a transitive dependency and you can’t use the ca_cert function parameter.
Unfortunately they chose to not document this anywhere, except a passing mention in the Changelog and in the actual pull request.
I am trying to use Github API with httplib2. But when I making requests to it’s endpoints, it gives me following error:
import httplib2
h = httplib2.Http()
h.request('https://api.github.com/gists')
# OUT: Traceback (most recent call last):
# OUT: File "<input>", line 1, in <module>
# OUT: File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1570, in request
# OUT: (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
# OUT: File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1317, in _request
# OUT: (response, content) = self._conn_request(conn, request_uri, method, body, headers)
# OUT: File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1252, in _conn_request
# OUT: conn.connect()
# OUT: File "/usr/local/lib/python2.7/dist-packages/httplib2/__init__.py", line 1044, in connect
# OUT: raise SSLHandshakeError(e)
# OUT: SSLHandshakeError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I could use following workaround:
h = httplib2.Http(disable_ssl_certificate_validation=True)
h.request('https://api.github.com/gists')
# OUT: ({'content-length': '58443' ...
But this is still a workaround, and I am wondering how to properly validate SSL certificate for Github with httplib2. Searching Google I found that I should update cacerts.txt of that library, but don’t know how, and where get certificate authority for Github. Or is there any other right way to send requests throught https, without certificate verification problems?
UPD: The easiest way is to open GitHub in Firefox, View Page info -> Security -> View Certificate -> Details -> Export -> As PEM file. And also it is better to use requests.
From the information which Firefox gives about https connection, I found out that certificate for GitHub is “DigiCert High Assurance EV Root CA”, which could be found here: http://curl.haxx.se/ca/cacert.pem
Text of certificate could be pasted to the httplib2.__path__ + '/cacerts.txt', or saved to separate file and than http connection should be created with:
h = httplib2.Http(ca_certs='/path/to/that/file')
just update httplib2 package by
pip install --upgrade httplib2
or you can replace cacerts.txt this file directly
https://github.com/httplib2/httplib2/blob/master/python2/httplib2/cacerts.txt
also if you use boto.txt file then you might use like
boto.txt
ca_certificates_file = /etc/ssl/certs/ca-bundle.crt <--- location of your system cert
or you can specify your httplib2 cacerts.txt file by
ca_certificates_file = /usr/local/lib/python2.7/dist-packages/httplib2/python2/httplib2/cacerts.txt
Starting in httplib2 version 0.12, you can specify your custom certificates path with an environment variable:
export HTTPLIB2_CA_CERTS="pathtoyourCA_certs_bundle"
As I mentioned in a similar question, this is useful when you are not using httplib2 directly in your code, but it is present as a transitive dependency and you can’t use the ca_cert function parameter.
Unfortunately they chose to not document this anywhere, except a passing mention in the Changelog and in the actual pull request.