
I’m trying to access an endpoint, which requires a client cert. I’m starting from a .p12, which I was able to quickly import to Google Chrome, and can successfully access the endpoint. So the client certificate and endpoint are compatible.

However, I’m struggling to get Python Requests module (with Python 2.7) to successfully access the same endpoint.

My steps have been:

  • `openssl pkcs12 -in my.p12 -out certificate.pem -nodes` prompts me for a password, then creates certificate.pem
  • `print(requests.get("<https://endpoint>", cert="certificate.pem").content)` returns `You don't have permission to access "http" on this server.` (and an HTTP response of 403)

My PEM file contains three sets of -----BEGIN CERTIFICATE-----, and then -----BEGIN PRIVATE KEY-----. All 4 BEGINs are preceded by Bag Attributes – removing these lines doesn’t make a difference.

I'm doing the key creation with a Ubuntu VM, but running the Python from a Windows machine - not sure if this makes a difference.

I’d welcome any ideas; particularly to understand if the issue is around the conversion to PEM, or if it’s with the request call.

Chris
  • I’ve tried this method (which just seems to split out the private key): https://github.com/requests/requests/issues/1573#issuecomment-188125157 I’ve also tried this sample: https://gist.github.com/erikbern/756b1d8df2d1487497d29b90e81f8068 Both of these still give the same HTTP 403 response. – Chris Apr 10 '18 at 15:28
  • Can you try with this command `openssl pkcs12 -in my.p12 -clcerts -nokeys -out publicCert.pem` and use the `publicCert.pem` and see if it helps. – Tarun Lalwani Apr 14 '18 at 05:48
  • Thanks for contributing @TarunLalwani - unfortunately that gives an error in Python: `OpenSSL.SSL.Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]` – Chris Apr 16 '18 at 10:13
  • Can you try adding a `-outform PEM` also to the command? the export file should have `----- START CE....` at the start and should be a text file and it should be a single cert – Tarun Lalwani Apr 16 '18 at 10:22
  • OpenSSL on Ubuntu and Windows don't seem to accept the `outform` parameter. My export includes "Bag Attributes"; with `-----BEGIN CERTIFICATE-----` being line 5. Removing the first 4 lines doesn't make a difference. – Chris Apr 17 '18 at 10:12
  • Please mention the exact Python version – Tarun Lalwani Apr 17 '18 at 10:15
  • Sorry - I'm on Python 2.7.8 – Chris Apr 19 '18 at 10:32

2 Answers


The error is not indicative of a problem with the client certificate.

If your client certificate were the problem the documentation suggests your error would have been prefixed with "SSLError": http://docs.python-requests.org/en/master/user/advanced/#client-side-certificates

The relevant error is likely in the part you are censoring for privacy reasons. Having achieved authentication, the web server is rejecting your request for some other reason.

Possibly you are calling requests.get('https://website.com', ...

You may need to call requests.get('https://website.com/', ...

Or directly request a file resource within the website. When testing with Chrome, a non-displayed trailing '/' may have been used when Chrome made the request to the web server. Try adding / to the end of the address.

Certainly you shouldn't be using the "<" ">" tags shown in your example.

fasta
  • My request is of the form: https://subdomains.domain.com/?value&param1=value1&param2=value2 Adding a trailing / doesn't fix unfortunately. – Chris Apr 24 '18 at 16:15

I found https://gist.github.com/erikbern/756b1d8df2d1487497d29b90e81f8068, with the delete=False param as suggested in those comments, and pyOpenSSL, now works.

Chris
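The approach the question's conversion step and the second answer converge on is splitting the `openssl pkcs12 -nodes` output into a certificate file and a key file and handing requests a `cert=(cert_path, key_path)` tuple. The following is an added example of that split in pure standard-library Python; it is not code from the question, the answers, or the linked gist, and it uses no pyOpenSSL. The `SAMPLE_BUNDLE` text is a constructed stand-in for the PEM the question describes (three certificates followed by one private key, each preceded by Bag Attributes); its base64 bodies are placeholders, not real certificates or keys. The `requests` call under the `__main__` guard assumes a live endpoint and a real bundle path, and is the only part that needs the requests package.

```python
# Added example (not code from the question, the answers, or the linked gist):
# split a combined PEM bundle, as produced by `openssl pkcs12 -in my.p12 -nodes`,
# into a certificate file and a private-key file for requests' cert=(cert, key).
import os
import re
import tempfile

# One PEM block; the label is captured so the END line must match the BEGIN line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem_bundle(bundle_text):
    """Return (certs, keys) as lists of clean PEM strings.

    Text outside BEGIN/END lines (OpenSSL's "Bag Attributes", "subject=",
    "issuer=" lines) is dropped. Certificate order is preserved because
    ssl's load_cert_chain() expects the leaf certificate first.
    """
    certs, keys = [], []
    for match in _PEM_BLOCK.finditer(bundle_text):
        label = match.group("label")
        body = "\n".join(
            line.strip() for line in match.group("body").splitlines() if line.strip()
        )
        block = "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n".format(label, body)
        if label == "CERTIFICATE":
            certs.append(block)
        elif label == "ENCRYPTED PRIVATE KEY":
            # requests' cert= has no password argument, so an encrypted key cannot be used.
            raise ValueError("private key is encrypted; re-export with -nodes or decrypt it first")
        elif label.endswith("PRIVATE KEY"):  # PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY
            keys.append(block)
    return certs, keys


def write_cert_and_key(bundle_text, directory=None):
    """Write cert.pem and key.pem, return (cert_path, key_path) for requests' cert=."""
    certs, keys = split_pem_bundle(bundle_text)
    if not certs:
        raise ValueError("no CERTIFICATE block found in bundle")
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found {0}".format(len(keys)))
    if directory is None:
        directory = tempfile.mkdtemp(prefix="client-cert-")
    cert_path = os.path.join(directory, "cert.pem")
    key_path = os.path.join(directory, "key.pem")
    with open(cert_path, "w") as fh:
        fh.write("".join(certs))
    # Create the key file owner-read/write only, before any key bytes are written.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(keys[0])
    return cert_path, key_path


def key_file_is_private(path):
    """True if no group/other permission bits are set on the key file (POSIX only)."""
    return os.stat(path).st_mode & 0o077 == 0


# Constructed sample in the layout the question describes: three certificates,
# then one key, each preceded by Bag Attributes. Bodies are placeholders only.
SAMPLE_BUNDLE = """Bag Attributes
    localKeyID: 01 02 03
subject=/CN=client
issuer=/CN=intermediate
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER0000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=intermediate
issuer=/CN=root
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER000000000000000000000000000000000000000000
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=root
issuer=/CN=root
-----BEGIN CERTIFICATE-----
ROOTCERTPLACEHOLDER0000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
PRIVATEKEYPLACEHOLDER00000000000000000000000000000000000000000000
-----END PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Usage (assumed paths): python split_pem.py certificate.pem https://endpoint/
    import sys
    import requests  # assumption: only needed for the live call, so imported here

    with open(sys.argv[1]) as fh:  # the PEM produced by `openssl pkcs12 -nodes`
        cert_path, key_path = write_cert_and_key(fh.read())
    # A (cert, key) tuple is the documented alternative to one combined cert= file.
    response = requests.get(sys.argv[2], cert=(cert_path, key_path))
    print(response.status_code)
```

Two things worth checking with the result: the first block in `cert.pem` must be the certificate that belongs to the key (a mismatch surfaces as an `SSLError` at handshake time, not as a 403), and if the server answers 403 after a successful handshake the certificate was accepted and the problem is authorization or the request itself, which is the point the first answer makes.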