SSL verification fails for some sites inside windows docker container #80318

Closed
mika-fischer mannequin opened this issue Feb 27, 2019 · 9 comments
Labels: 3.7 (EOL) end of life, 3.8 only security fixes, topic-SSL, type-bug (An unexpected behavior, bug, or error)

mika-fischer mannequin commented Feb 27, 2019

BPO 36137
Nosy @tiran, @matrixise, @tianon, @mika-fischer
Superseder
  • bpo-36137: SSL verification fails for some sites inside windows docker container
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2021-04-19.19:55:41.995>
    created_at = <Date 2019-02-27.14:34:57.531>
    labels = ['expert-SSL', '3.8', 'type-bug', '3.7']
    title = 'SSL verification fails for some sites inside windows docker container'
    updated_at = <Date 2021-04-19.19:55:41.994>
    user = 'https://github.com/mika-fischer'

    bugs.python.org fields:

    activity = <Date 2021-04-19.19:55:41.994>
    actor = 'christian.heimes'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2021-04-19.19:55:41.995>
    closer = 'christian.heimes'
    components = ['SSL']
    creation = <Date 2019-02-27.14:34:57.531>
    creator = 'Mika Fischer'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 36137
    keywords = []
    message_count = 9.0
    messages = ['336761', '336763', '336764', '336766', '336767', '336804', '336806', '336823', '391395']
    nosy_count = 4.0
    nosy_names = ['christian.heimes', 'matrixise', 'tianon', 'Mika Fischer']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = 'resolved'
    status = 'closed'
    superseder = '36137'
    type = 'behavior'
    url = 'https://bugs.python.org/issue36137'
    versions = ['Python 3.6', 'Python 3.7', 'Python 3.8']

    @mika-fischer
    Mannequin Author

    mika-fischer mannequin commented Feb 27, 2019

    Inside a windows docker container, SSL verification fails for some but not all hosts.

    See this issue over in the docker repo:
    docker-library/python#359

    Maybe you guys could shed some light on what could be the possible.

    To reproduce, install Docker for Windows and then:

    This works:

    docker run -ti python:3.7-windowsservercore-1809 python -c "import urllib.request as r; r.urlopen('https://bootstrap.pypa.io').close()"
    

    This doesn't:

    docker run -ti python:3.7-windowsservercore-1809 python -c "import urllib.request as r; r.urlopen('https://google.com').close()"
    Traceback (most recent call last):
      File "C:\Python\lib\urllib\request.py", line 1317, in do_open
        encode_chunked=req.has_header('Transfer-encoding'))
      File "C:\Python\lib\http\client.py", line 1229, in request
        self._send_request(method, url, body, headers, encode_chunked)
      File "C:\Python\lib\http\client.py", line 1275, in _send_request
        self.endheaders(body, encode_chunked=encode_chunked)
      File "C:\Python\lib\http\client.py", line 1224, in endheaders
        self._send_output(message_body, encode_chunked=encode_chunked)
      File "C:\Python\lib\http\client.py", line 1016, in _send_output
        self.send(msg)
      File "C:\Python\lib\http\client.py", line 956, in send
        self.connect()
      File "C:\Python\lib\http\client.py", line 1392, in connect
        server_hostname=server_hostname)
      File "C:\Python\lib\ssl.py", line 412, in wrap_socket
        session=session
      File "C:\Python\lib\ssl.py", line 853, in _create
        self.do_handshake()
      File "C:\Python\lib\ssl.py", line 1117, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "C:\Python\lib\urllib\request.py", line 222, in urlopen
        return opener.open(url, data, timeout)
      File "C:\Python\lib\urllib\request.py", line 525, in open
        response = self._open(req, data)
      File "C:\Python\lib\urllib\request.py", line 543, in _open
        '_open', req)
      File "C:\Python\lib\urllib\request.py", line 503, in _call_chain
        result = func(*args)
      File "C:\Python\lib\urllib\request.py", line 1360, in https_open
        context=self._context, check_hostname=self._check_hostname)
      File "C:\Python\lib\urllib\request.py", line 1319, in do_open
        raise URLError(err)
    urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)>
    

    @mika-fischer mika-fischer mannequin added 3.7 (EOL) end of life 3.8 only security fixes labels Feb 27, 2019
    @mika-fischer mika-fischer mannequin assigned tiran Feb 27, 2019
    @mika-fischer mika-fischer mannequin added topic-SSL type-bug An unexpected behavior, bug, or error labels Feb 27, 2019
    @matrixise
    Member

    I can't reproduce it with python 3.8a2 and I don't have a laptop with Windows.

    @mika-fischer
    Mannequin Author

    mika-fischer mannequin commented Feb 27, 2019

    Sorry if I wasn't completely clear. This issue occurs only on Windows and only when running python inside a windows docker container.

    The question is what is python using on Windows to verify SSL certificates and what might be different inside the container that might let that process fail for some hosts and not for others...

    @matrixise
    Member

    sure, I have just confirmed that this error does not occur with the last python 3.8a2 and that I don't have a Windows system for an eventual debugging session.

    @tiran
    Member

    tiran commented Feb 27, 2019

    This is probably a duplicate of bpo-36137. Windows doesn't have CA certs pre-installed. They are downloaded from the update server on demand. Python doesn't trigger the update but only uses certs that are already present.

    It's a design flaw in my implementation. I wasn't aware of Windows' behavior when I hooked up the Windows cert store to the SSL module.

    @mika-fischer
    Mannequin Author

    mika-fischer mannequin commented Feb 28, 2019

    > This is probably a duplicate of bpo-36137.

    I think you mixed up the issue number, bpo-36137 is this issue.

    > Windows doesn't have CA certs pre-installed. They are downloaded from the update server on demand. Python doesn't trigger the update but only uses certs that are already present. It's a design flaw in my implementation. I wasn't aware of Windows' behavior when I hooked up the Windows cert store to the SSL module.

    Oh, so that means that it is broken on normal Windows as well and only works coincidentally?

    In any case, I can confirm that when the certificate is fetched using some other means, the request works:

    docker run -ti python:3.7-windowsservercore-1809 powershell -command "(New-Object System.Net.WebClient).DownloadString(\"https://google.com\") >$null; python -c \"import urllib.request as r; r.urlopen('https://google.com').close()\""
    

    @mika-fischer
    Mannequin Author

    mika-fischer mannequin commented Feb 28, 2019

    The easiest workaround I found (on Windows 10) is to use

    certutil -generateSSTFromWU roots.sst && certutil -addstore -f root roots.sst && del roots.sst
    

    before using Python...

    @tiran
    Member

    tiran commented Feb 28, 2019

    Err, I meant bpo-36011

    The enum cert store trick only breaks on a fresh installation. If you have used Windows for a bit (e.g. downloaded Firefox with Edge *g*), the root CA store is filled with common CA certs. Your certutil trick also works, as it triggers cert retrieval and update from Windows Update Server.
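
Added example (not part of the issue thread and not CPython's own code): a diagnostic for the behaviour described in the comments above. It counts the CA certificates Python's default context has loaded, on Windows counts what `ssl.enum_certificates()` finds in the `ROOT` and `CA` stores, and classifies a failed handshake by OpenSSL verify code 20, the "unable to get local issuer certificate" error in the traceback. The function names `trust_store_report`, `is_missing_root` and `probe` are illustrative.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, reported as
# "unable to get local issuer certificate" in the traceback above.
UNABLE_TO_GET_ISSUER_LOCALLY = 20


def trust_store_report():
    """Count the CA certificates Python can actually use right now."""
    ctx = ssl.create_default_context()
    report = {"platform": sys.platform,
              "loaded_in_context": ctx.cert_store_stats()["x509_ca"]}
    if sys.platform == "win32":
        # enum_certificates() returns only certificates already present in
        # the local store; it does not fetch missing roots from Windows Update.
        for store in ("ROOT", "CA"):
            report["store_" + store] = len(ssl.enum_certificates(store))
    return report


def is_missing_root(exc):
    """True when verification failed because no local issuer was found."""
    return (isinstance(exc, ssl.SSLCertVerificationError)
            and getattr(exc, "verify_code", None) == UNABLE_TO_GET_ISSUER_LOCALLY)


def probe(host, port=443, timeout=10):
    """Handshake with host using the default context and classify the outcome."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "verified"
    except ssl.SSLCertVerificationError as exc:
        return "missing-root" if is_missing_root(exc) else "other-verify-error"
    except OSError as exc:
        return "connect-error: %s" % exc


if __name__ == "__main__":
    print(trust_store_report())
    for name in sys.argv[1:]:
        print(name, probe(name))
```

Running it with host names as arguments inside the container before and after the `certutil` workaround shows whether the store counts change and whether a host moves from `missing-root` to `verified`.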

    @tiran
    Member

    tiran commented Apr 19, 2021

    I'm closing this issue as duplicate of bpo-36137. There is no need to keep two issues open for the same problem.

    @tiran tiran closed this as completed Apr 19, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022