[issue45372] Unwarranted "certificate has expired" when urlopen-ing R3 sites

2021-11-01 Thread Alexandre


Alexandre  added the comment:

If anyone is having this issue too, you can find more information at 
https://community.letsencrypt.org/t/potential-problem-with-r3-intermediates-on-windows-servers/157164,
 it looks like Windows keeps using expired certificates until rebooted.
A solution is to remove the expired R3 intermediary from the store, forcing 
Windows to use the newer one.

--
nosy: +u36959

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
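
An added example, not part of the tracker thread or of CPython: on Windows, a default ssl context loads CA certificates from the system "CA" and "ROOT" stores, so get_ca_certs() shows whether an expired intermediate like the one described above is among them. The sample entries, their dates and the helper names are constructed for illustration.

```python
import ssl
import time

# Constructed sample, shaped like SSLContext.get_ca_certs() output: two
# intermediates with the same name, one past its notAfter and one current.
SAMPLE_STORE = [
    {"subject": ((("commonName", "R3"),),),
     "issuer": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 29 19:21:40 2021 GMT"},
    {"subject": ((("commonName", "R3"),),),
     "issuer": ((("commonName", "ISRG Root X1"),),),
     "notAfter": "Sep 15 16:00:00 2025 GMT"},
]


def common_name(name):
    """Return the commonName from a get_ca_certs()-style name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def expired_ca_certs(certs, now=None):
    """List (subject CN, issuer CN, notAfter) for entries already expired."""
    now = time.time() if now is None else now
    found = []
    for cert in certs:
        not_after = cert.get("notAfter")
        if not_after and ssl.cert_time_to_seconds(not_after) < now:
            found.append((common_name(cert.get("subject", ())),
                          common_name(cert.get("issuer", ())), not_after))
    return sorted(found)


def audit_default_context(now=None):
    """Check the CA certificates a default SSL context has loaded."""
    return expired_ca_certs(ssl.create_default_context().get_ca_certs(), now)


if __name__ == "__main__":
    for subject, issuer, not_after in audit_default_context():
        print(f"expired: {subject} (issued by {issuer}), notAfter {not_after}")
```

Run on the failing machine and on the working one, the two outputs can be compared entry by entry.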



[issue45372] Unwarranted "certificate has expired" when urlopen-ing R3 sites

2021-10-06 Thread Aivar Annamaa


Aivar Annamaa  added the comment:

I was not able to find out why one of my Windows boxes failed to update the 
certificate store, but I was able to work around this by manually installing 
https://letsencrypt.org/certs/lets-encrypt-r3.der

It looks like this is actually a Windows problem, so I'm closing this issue.

--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed




[issue45372] Unwarranted "certificate has expired" when urlopen-ing R3 sites

2021-10-05 Thread Marc-Andre Lemburg


Marc-Andre Lemburg  added the comment:

On 05.10.2021 12:48, Aivar Annamaa wrote:
> 
> I can list the root certs with certmgr, but I'm not sure which piece to 
> investigate further. 

Check the certs in the LE chain as listed on the page you quoted
and compare them to the working installation.

> Even if there is a problem with installed certs, it's interesting: why doesn't 
> it bother the browsers and requests? Maybe this is an opportunity to make 
> something better in urllib?

Browsers and requests use their own list of trusted CAs.

--




[issue45372] Unwarranted "certificate has expired" when urlopen-ing R3 sites

2021-10-05 Thread Aivar Annamaa


Aivar Annamaa  added the comment:

I can list the root certs with certmgr, but I'm not sure which piece to 
investigate further. 

Even if there is a problem with installed certs, it's interesting: why doesn't it 
bother the browsers and requests? Maybe this is an opportunity to make something 
better in urllib?

--




[issue45372] Unwarranted "certificate has expired" when urlopen-ing R3 sites

2021-10-05 Thread Marc-Andre Lemburg


Marc-Andre Lemburg  added the comment:

Are you sure that all updates on the failing machine have been correctly
installed? It's possible that the list of CA root certs is not up to date
on the machine.

You can use certmgr.msc to check the list of installed CA root certs.

--
nosy: +lemburg




[issue45372] Unwarranted "certificate has expired" when urlopen-ing R3 sites

2021-10-05 Thread Aivar Annamaa


New submission from Aivar Annamaa :

On one of my Windows 10 computers I'm not able to urlopen sites which use R3 
certificates. The same is reported by several of the users of my software.

The following is taken from a session in a fresh IDLE 3.10 on an up-to-date 
Windows 10:


Python 3.10.0 (tags/v3.10.0:b494f59, Oct  4 2021, 18:46:30) [MSC v.1929 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license()" for more information.
>>> from urllib.request import urlopen
>>> urlopen("https://openssl.org")
Traceback (most recent call last):
  File "C:\Python310-32\lib\urllib\request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "C:\Python310-32\lib\http\client.py", line 1276, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Python310-32\lib\http\client.py", line 1322, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Python310-32\lib\http\client.py", line 1271, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Python310-32\lib\http\client.py", line 1031, in _send_output
    self.send(msg)
  File "C:\Python310-32\lib\http\client.py", line 969, in send
    self.connect()
  File "C:\Python310-32\lib\http\client.py", line 1448, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "C:\Python310-32\lib\ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Python310-32\lib\ssl.py", line 1070, in _create
    self.do_handshake()
  File "C:\Python310-32\lib\ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "", line 1, in 
    urlopen("https://openssl.org")
  File "C:\Python310-32\lib\urllib\request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python310-32\lib\urllib\request.py", line 519, in open
    response = self._open(req, data)
  File "C:\Python310-32\lib\urllib\request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "C:\Python310-32\lib\urllib\request.py", line 496, in _call_chain
    result = func(*args)
  File "C:\Python310-32\lib\urllib\request.py", line 1391, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "C:\Python310-32\lib\urllib\request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: 



In the same session, requests works fine:

>>> import requests
>>> requests.get("https://openssl.org")




It's really weird that on my other Windows 10 machine, also 64-bit, with the same 
state of updates, using the same version of Python 3.10, connected to the same 
network -- everything works fine. Neither of the computers uses any extra 
network middleware or proxies.

On both computers Chrome and Firefox are happy with the certificate of 
https://openssl.org

The same applies to Python 3.7.

It must be somehow related to 
https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates

--
messages: 403208
nosy: aivarannamaa
priority: normal
severity: normal
status: open
title: Unwarranted "certificate has expired" when urlopen-ing R3 sites
versions: Python 3.10, Python 3.7
