New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL verification fails for some sites inside windows docker container #80318
Comments
Inside a windows docker container, SSL verification fails for some but not all hosts. See this issue over in the docker repo: Maybe you guys could shed some light on what could be the possible. To reproduce, install Docker for Windows and then: This works:
This doesn't
|
I can't reproduce it with python 3.8a2 and I don't have a laptop with Windows. |
Sorry if I wasn't completely clear. This issue occurs only on Windows and only when running python inside a windows docker container. The question is what is python using on Windows to verify SSL certificates and what might be different inside the container that might let that process fail for some hosts and not for others... |
sure, I have just confirmed that this error does not occur with the last python 3.8a2 and that I don't have a Windows system for an eventual debugging session. |
This is probably a duplicate of bpo-36137. Windows doesn't have CA certs pre-installed. They are downloaded from the update server on demand. Python doesn't trigger the update but only uses certs that are already present. It's a design flaw in my implementation. I wasn't aware of Windows' behavior when I hooked up the Windows cert store to the SSL module. |
I think you mixed up the issue number, bpo-36137 is this issue.
Oh, so that means that it is broken on normal Windows as well and only works coincidentally? In any case, I can confirm that when the certificate is fetched using some other means, the request works:
|
The easiest workaround I found (on Windows 10) is to use
before using Python... |
Err, I meant bpo-36011 The enum cert store trick only breaks on a fresh installation. If you have used Windows for a bit (e.g. downloaded Firefox with Edge *g*), the root CA store is filled with common CA certs. Your certutil trick also works, as it triggers cert retrieval and update from Windows Update Server. |
I'm closing this issue as duplicate of bpo-36137. There is no need to keep two issues open for the same problem. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: