Topic: Handling SSL Certificates?

Posted under e621 Tools and Applications

At 7am EDT today I started getting the below SSL certificate error when attempting to use my downloader tool. It was working 5 seconds earlier and nothing changed on my end, so I assume the website changed. Any idea what changed and how to fix it on my end? I looked at the certificates through Firefox and they seemed valid, though I don't know a lot about certificates.

I'm using the Python requests package. The first get() for the page json data is successful. The second get() for the image itself fails.

session = requests.Session()
session.headers.update({'User-Agent': UserAgentStr})
...
r = session.get(url, timeout=secondsUntilTimeout)
...
r = session.get(imgLink, stream=True)
...
Error Msg

INFO:root:Downloading image (id: 2275195) (1): https://static1.e621.net/data/27/d2/27d2e0d93c83cbb705ea62c56ad49749.png
Traceback (most recent call last):
File "/usr/local/lib/python3.4/dist-packages/urllib3/connectionpool.py", line 672, in urlopen
chunked=chunked,
File "/usr/local/lib/python3.4/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "/usr/local/lib/python3.4/dist-packages/urllib3/connectionpool.py", line 994, in _validate_conn
conn.connect()
File "/usr/local/lib/python3.4/dist-packages/urllib3/connection.py", line 360, in connect
ssl_context=context,
File "/usr/local/lib/python3.4/dist-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.4/ssl.py", line 364, in wrap_socket
_context=self)
File "/usr/lib/python3.4/ssl.py", line 577, in __init__
self.do_handshake()
File "/usr/lib/python3.4/ssl.py", line 804, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.4/dist-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/local/lib/python3.4/dist-packages/urllib3/connectionpool.py", line 720, in urlopen
method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
File "/usr/local/lib/python3.4/dist-packages/urllib3/util/retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='static1.e621.net', port=443): Max retries exceeded with url: /data/27/d2/27d2e0d93c83cbb705ea62c56ad49749.png (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/downloader.py", line 58, in downloadImage
r = session.get(imgLink, stream=True)
File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 543, in get
return self.request('GET', url, **kwargs)
File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 530, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 643, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.4/dist-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='static1.e621.net', port=443): Max retries exceeded with url: /data/27/d2/27d2e0d93c83cbb705ea62c56ad49749.png (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)'),))

Sat May 30 07:00:39 EDT 2020

Clients are supposed to automatically fail over to the alternate signing path in this situation, but I have forced the server-provided chain to be the alternate path in the hopes that clients will use the updated certificate chain instead of incorrectly failing it.

It may also be prudent to check that your machine has the most up-to-date root certificate stores, as it should have failed over automatically with recent certificates and openssl versions. So this suggests that something may be out of date on your end.


That has fixed it, thanks.

Yes, my machine is a little out of date. I've been planning to wipe it out and start over with perhaps a version of BSD but haven't gotten to that yet. I didn't realize certificates were part of that; for some reason I thought they auto-updated. Installing the latest updates upgraded some DNS libraries, but nothing that looked related to SSL. I'm on LMDE.

Thanks for the advice. If the problem comes back I'll reinstall the OS.
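
An added example, not part of the original posts: a check of the trust stores behind the advice in this thread. It reports the OpenSSL build and lists expired CA certificates in each bundle Python can verify against. A pip-installed requests verifies against the certifi bundle by default rather than the OS store. All function names here are assumptions made for illustration.

```python
import ssl
import time

def candidate_bundles():
    """Map a label to each CA bundle file this interpreter may verify against."""
    bundles = {}
    cafile = ssl.get_default_verify_paths().cafile
    if cafile:
        bundles["OpenSSL default"] = cafile
    try:
        import certifi  # bundle that pip-installed requests uses by default
        bundles["certifi"] = certifi.where()
    except ImportError:
        pass
    return bundles

def load_roots(cafile=None):
    """Load CA certificates from cafile, or from the platform default store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx.get_ca_certs()

def expired_roots(roots, now=None):
    """Return (name, notAfter) for every certificate already expired at `now`."""
    now = time.time() if now is None else now
    found = []
    for cert in roots:
        attrs = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
        name = attrs.get("commonName") or attrs.get("organizationName", "?")
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            found.append((name, cert["notAfter"]))
    return found

def report():
    """Summarise the OpenSSL build and the expired entries in each bundle."""
    lines = ["OpenSSL: " + ssl.OPENSSL_VERSION]
    for label, path in candidate_bundles().items():
        roots = load_roots(path)
        lines.append("%s (%s): %d CAs, expired: %s"
                     % (label, path, len(roots), expired_roots(roots)))
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

An expired entry in the certifi line points at the Python package (upgrade certifi), while one in the OpenSSL default line points at the operating system's CA certificates package.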
