ClientConnectorCertificateError / SSLCertVerificationError after update (regression) #9869

Open
1 task done
Julian-J-S opened this issue Nov 14, 2024 · 6 comments
Labels
bug needs-info Issue is lacking sufficient information and will be closed if not provided Stale

Comments

@Julian-J-S

Describe the bug

Great library which gave me nice performance improvements 😎
BUT unfortunately updating aiohttp dependency recently of a project causes ClientConnectorCertificateError / SSLCertVerificationError.

Using "requests" everything works as expected ✔️

import requests

requests.post(
    url=URL,
    headers=HEADERS,
    json=JSON,
).json()

Using "aiohttp" worked in the past (!) but raises now ❌

async with aiohttp.ClientSession() as session:
    async with session.post(
        url=URL,
        headers=HEADERS,
        json=JSON,
        # ssl=False,  # <<< only works with ssl=False...
    ) as response:
        response_json = await response.json()

The only solution I found is ssl=False which is no option.
Also "requests" uses ssl by default and there is no problem.

To Reproduce

see description.

Expected behavior

I expect this to work like it did before.
This is a breaking change (at least for me) so this was very unexpected and problematic.

Logs/tracebacks

ClientConnectorCertificateError: Cannot connect to host <XXX>:443 ssl:True [SSLCertVerificationError: (5, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1020)')]

Python Version

$ python --version
3.13

aiohttp Version

$ python -m pip show aiohttp
3.11.0

multidict Version

$ python -m pip show multidict
I don't use "pip" but "uv"

propcache Version

$ python -m pip show propcache
I don't use "pip" but "uv"

yarl Version

$ python -m pip show yarl
I don't use "pip" but "uv"

OS

Windows

Related component

Client

Additional context

No response

Code of Conduct

  • I agree to follow the aio-libs Code of Conduct
@Julian-J-S Julian-J-S added the bug label Nov 14, 2024
@Dreamsorcerer
Member

> unfortunately updating aiohttp dependency

Please provide version numbers.

Could maybe be related to the change to aiohappyeyeballs, but not too sure how. Otherwise, this typically indicates your certificates are not installed/accessible/up-to-date. You can use certifi (which requests uses by default) by following the docs: https://docs.aiohttp.org/en/stable/client_advanced.html#example-use-certifi

@Dreamsorcerer Dreamsorcerer added the needs-info Issue is lacking sufficient information and will be closed if not provided label Nov 14, 2024
@Julian-J-S
Author

> > unfortunately updating aiohttp dependency
>
> Please provide version numbers.
>
> Could maybe be related to the change to aiohappyeyeballs, but not too sure how. Otherwise, this typically indicates your certificates are not installed/accessible/up-to-date. You can use certifi (which requests uses by default) by following the docs: https://docs.aiohttp.org/en/stable/client_advanced.html#example-use-certifi

Thanks a lot for your help! 😄

I got it working like this:

import ssl

import aiohttp
import certifi

async with aiohttp.ClientSession(
    connector=aiohttp.TCPConnector(ssl=ssl.create_default_context(cafile=certifi.where())),
) as session:
    ...

I am right now on aiohttp=3.11.0 but cannot tell you the previous version.
However, I am 100% sure that the original code worked without additional ssl magic!

Would love to see it working again by default without this additional "overhead".

@Dreamsorcerer
Member

Without knowing the version, it's difficult to tell what might have changed. It could also be something else changed on your system that caused the system certificates to not be found. Or, maybe the site you're connecting to has deployed a new certificate, with a CA that is not present in your system certificates. The aiohttp upgrade could just be a coincidence, so it'd need more testing to rule it out.

@bdraco
Member

bdraco commented Nov 14, 2024

I looked at the changes between 3.10 and 3.11 and didn't find anything related to SSL that would cause this. If I had to guess, I'd expect it's due to a dependency change unless aiohttp was being upgraded from a very old version.

@oussama-gourari

Having similar problem after upgrading to Python 3.13:
ClientConnectorCertificateError: Cannot connect to host oauth.battle.net:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)')]

@bdraco
Member

bdraco commented Nov 27, 2024

That's likely due to the openssl version requiring the certificate to meet newest CAB forum requirements and comply with the RFC https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9
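The two failures reported in this thread ("unable to get local issuer certificate" and "Basic Constraints of CA cert not marked critical") can be told apart by inspecting what the default `ssl` context trusts and which verify flags it carries; the sketch below is an added example, not code from aiohttp or from any commenter. It relies on the fact that `ssl.create_default_context()` sets `VERIFY_X509_STRICT` by default from Python 3.13 on; the helper names (`describe_context`, `certifi_context`, `relaxed_strict_context`, `report`) are hypothetical, and certifi is treated as optional.

```python
import ssl
import sys


def describe_context(ctx):
    """Summarise the settings that decide whether a server chain verifies."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # Certificates under a capath directory load lazily, so 0 here is not
        # proof of an empty store on Linux; on Windows it reflects the system store.
        "ca_certs_loaded": ctx.cert_store_stats()["x509_ca"],
        "x509_strict": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
    }


def certifi_context():
    """Verifying context backed by certifi's bundle; None if certifi is not installed."""
    try:
        import certifi
    except ImportError:
        return None
    return ssl.create_default_context(cafile=certifi.where())


def relaxed_strict_context(cafile=None):
    """Keep chain and hostname verification; drop only the strict RFC 5280 checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def report():
    """Collect what the interpreter trusts by default versus with certifi."""
    bundle = certifi_context()
    return {
        "python": sys.version_info[:2],
        "openssl": ssl.OPENSSL_VERSION,
        "default_paths": ssl.get_default_verify_paths()._asdict(),
        "default": describe_context(ssl.create_default_context()),
        "certifi": describe_context(bundle) if bundle else None,
        "relaxed": describe_context(relaxed_strict_context()),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(report())
    # Pass a context to aiohttp the way the thread does:
    #   aiohttp.TCPConnector(ssl=certifi_context())
```

Unlike `ssl=False`, both returned contexts keep `CERT_REQUIRED` and hostname checking; `relaxed_strict_context` is best scoped to the single connector that talks to the affected host.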

@github-actions github-actions bot added the Stale label Dec 28, 2024