My code and the PEM version of my cert are not working to automatically log me into a site from which I need to download a file. Can someone please help?!

I know that I'm using the correct client certificate, because I can download the file manually via Internet Explorer using the certificate. Furthermore, my code for automating this task used to work. What changed: I obtained an updated certificate which I now need to use.

The cert is provided to me in .pfx format. In order to use the urllib.request.urlopen command in Python 3.5, I need to convert it into .PEM file format. Months ago when I first solved this issue, I could have sworn I performed that conversion with a built-in Windows utility. However I cannot figure out how to do that again. When in IE I select Tools >> Internet Options >> Content >> Certificates >> (select the cert) Export >> Next >> Yes, export the private key -- it does not allow me to export the file in Base-64 encoded X.509 (it's grayed out) which I understand uses PEM. I need that private key.

So, my other option is to use the OpenSSL pkcs12 utility. Here's the syntax:

```
OpenSSL> pkcs12 -in "C:\Users\Default\Documents\cert.pfx" -out "C:\Users\Default\Documents\cert.pem" -nodes
```

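It generates the file, then in Python:

```python
from urllib.request import urlopen
from ssl import create_default_context
from shutil import copyfileobj

# url and dl_path are defined elsewhere and are not shown in the question.

# Default context: verifies the server certificate and checks the hostname.
context = create_default_context()
# Load the client certificate and its private key from the converted PEM file.
context.load_cert_chain(r'C:\Users\Default\Documents\cert.pem')

# Stream the response body straight to the download path.
with urlopen(url, context=context) as response, open(dl_path, 'wb') as out_file:
    copyfileobj(response, out_file)
```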

Note: the url is identical to what I use in my web browser. I receive the following errors:

```
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)>
```

Upon inspection with notepad, the generated file looks very similar to the .PEM file for the old certificate.

I have done a lot of searching and tried to figure this out, but at this point, I don't know where to turn. Can someone please help?!

jww
jajames
  • What happens when you don't use a client certificate? Do you get the same error? I ask because that error message seems to suggest the server certificate is the one that can't be verified. – kichik Nov 28 '17 at 23:30
  • Thanks for your reply. Hmmm...when I leave the "context" out of the urlopen call, I get the exact same error. Which as an error message seems generally unhelpful. The thing is, I know the server cert is working too...as I mentioned, I can connect to it manually when I use a browser. – jajames Nov 29 '17 at 00:42
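
An added diagnostic, not part of the original question or its comments: rather than comparing the converted file by eye in Notepad, this lists the PEM blocks that `pkcs12 -nodes` wrote, confirms that the certificate and private key needed by `load_cert_chain` are both present, and flags that `-nodes` leaves the key unencrypted on disk. It checks only the client-side file; in a Python client, `CERTIFICATE_VERIFY_FAILED` is raised while verifying the server's certificate chain, which is the point the first comment raises. The function name `inspect_pem_bundle` and the `SAMPLE` text are constructed for illustration.

```python
import base64
import re

# One PEM block; the BEGIN and END labels must match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample in the layout `pkcs12 -nodes` writes; bodies are placeholders.
SAMPLE = """Bag Attributes
    friendlyName: constructed-sample
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Bag Attributes
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
"""


def inspect_pem_bundle(text):
    """Summarise the PEM blocks found in a client certificate bundle."""
    report = {"labels": [], "certificates": 0, "private_keys": 0,
              "encrypted_keys": 0, "bad_base64": [], "problems": []}
    for index, match in enumerate(PEM_BLOCK.finditer(text)):
        label, body = match.group(1), match.group(2)
        report["labels"].append(label)
        # Traditional-format encrypted keys carry this header inside the block.
        legacy_encrypted = "Proc-Type: 4,ENCRYPTED" in body
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label == "ENCRYPTED PRIVATE KEY" or (label in KEY_LABELS and legacy_encrypted):
            report["encrypted_keys"] += 1
        elif label in KEY_LABELS:
            report["private_keys"] += 1
        try:
            if not legacy_encrypted:
                base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            report["bad_base64"].append(index)  # truncated or corrupted body
    if report["certificates"] == 0:
        report["problems"].append("no certificate block")
    if report["private_keys"] + report["encrypted_keys"] == 0:
        report["problems"].append("no private key block")
    if report["private_keys"]:
        report["problems"].append("private key is unencrypted on disk")
    return report
```

To check a real file, pass its contents: `inspect_pem_bundle(open(path).read())`.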

0 Answers