
How to fix the “certificate verify failed: self signed certificate in certificate chain” or “certificate verify failed: unable to get local issuer certificate” error when verifying the certificate of an SSL-enabled website in Python 3 scripts


Overview of the problem

When using Python to connect to z/OSMF, you might see one of the following errors:

   "certificate verify failed: self signed certificate in certificate chain"
OR
   "certificate verify failed: unable to get local issuer certificate"

This can be caused either by the server configuration or by the Python configuration. In this article, we assume you use a self-signed CA certificate in z/OSMF. We will guide you step by step to work around the certificate verification error. You can choose whichever of the workarounds suits you.

  • Workaround 1: verify = False
  • Workaround 2: verify = CAfile (Specify a certificate in the PARM)
  • Workaround 3: verify = True (Update key store in Python)

Self-signed certificate

If your z/OSMF is configured with a self-signed certificate, the Python 3 error output is:
certificate verify failed: self signed certificate in certificate chain

  • Workaround 1: verify = False
          Setting verify = False skips SSL certificate verification entirely, so Python no longer checks that it is talking to the genuine z/OSMF server.

  • Workaround 2: verify = CAfile (Specify a certificate in the PARM)
          The CAfile must be set to the CA certificate bundle. If you set it to the server certificate instead, you will get the above error.

  • Workaround 3: verify = True (Update the key store in Python)
The default value of the verify parameter is True. The Python 3.6+ installer has its own default certificate store for verifying SSL connections; the system certificate store is no longer used. To use the default certificate store, the Python library certifi must be installed in advance; you can install it with the command "pip3 install certifi". Python's default certificate store is the cacert.pem file, and you can find its path with:

        >>> import certifi
        >>> certifi.where()
        '/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/certifi/cacert.pem'

If you get the above error, it means that your CA certificate is not included in cacert.pem. Use the command below to append it:
     For Mac or Linux:
          $ cat [full path of your-cacert.pem] >> [full path of cacert.pem]
     For Windows:
          C:\> type [full path of your-cacert.pem] >> [full path of cacert.pem]

CA signed certificate

If your z/OSMF is configured with a CA-signed certificate, the Python 3 error output is:
certificate verify failed: unable to get local issuer certificate

  • Workaround 1: verify = False
          Setting verify = False skips SSL certificate verification entirely, so Python no longer checks that it is talking to the genuine z/OSMF server.

  • Workaround 2: verify = CAfile (Specify a certificate in the PARM)
          The CAfile is a CA certificate bundle, and it must contain the Root CA certificate. If it is not a Root CA certificate, the above error is shown.

  • Workaround 3: verify = True (Update the key store in Python)
The default value of the verify parameter is True. The Python 3.6+ installer has its own default certificate store for verifying SSL connections; the system certificate store is no longer used. To use the default certificate store, the Python library certifi must be installed in advance; you can install it with the command “pip3 install certifi”. Python's default certificate store is the cacert.pem file, and you can find its path with:

        >>> import certifi
        >>> certifi.where()
        '/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/site-packages/certifi/cacert.pem'

If you get the above error, it means that your Root CA certificate is not included in cacert.pem. Use the command below to append it:
     For Mac or Linux:
           $ cat [full path of your-Root-cacert.pem] >> [full path of cacert.pem]
     For Windows:
           C:\> type [full path of your-Root-cacert.pem] >> [full path of cacert.pem]
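The "cat ... >> cacert.pem" step in both sections above appends the file blindly, so running it twice duplicates the certificate and a DER file or a truncated paste silently breaks the bundle. The following helper is an added example, not code from the article: it appends only the certificates that cacert.pem does not already contain (compared by their decoded DER bytes) and rejects files that hold no valid PEM certificate. The function names and the use of certifi.where() as the bundle path are this example's own choices.

```python
"""Append a CA certificate to the certifi bundle without duplicating it."""
import base64
import re
from pathlib import Path

# One PEM certificate block; the body between the markers is base64 of the DER bytes.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text: str) -> list:
    """Return (pem_text, der_bytes) for every certificate in a PEM file.
    Raises ValueError if a body is not valid base64 (e.g. a truncated paste).
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("malformed PEM certificate body") from exc
        blocks.append((m.group(0), der))
    return blocks


def merge_ca_into_bundle(bundle: Path, ca_file: Path) -> int:
    """Append the certificates of ca_file that bundle lacks; return how many were added.
    Same effect as 'cat your-cacert.pem >> cacert.pem', but safe to run repeatedly.
    """
    ca_blocks = pem_blocks(ca_file.read_text())
    if not ca_blocks:
        raise ValueError(f"{ca_file}: no PEM certificate found; if the file is DER, "
                         "convert it first with: openssl x509 -inform der -outform pem")
    bundle_text = bundle.read_text()
    present = {der for _, der in pem_blocks(bundle_text)}  # compare DER, not text
    new_blocks = []
    for pem, der in ca_blocks:
        if der not in present:
            present.add(der)
            new_blocks.append(pem)
    if new_blocks:
        with bundle.open("a") as fh:
            if bundle_text and not bundle_text.endswith("\n"):
                fh.write("\n")  # keep the new block on its own line
            fh.write("\n".join(new_blocks) + "\n")
    return len(new_blocks)


if __name__ == "__main__":
    import sys
    import certifi  # pip3 install certifi
    added = merge_ca_into_bundle(Path(certifi.where()), Path(sys.argv[1]))
    print(f"added {added} certificate(s) to {certifi.where()}")
```

Run it as "python3 merge_ca.py /path/to/zOSMFCA.pem"; a second run reports 0 added, and a DER file is refused with a hint to convert it first.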

How to export z/OSMF CA certificate

  • Export the CA certificate from z/OS
      1. RACDCERT EXPORT(LABEL('zOSMFCA')) DSN('IBMUSER.CACERT.IBMUSER.CRT') FORMAT(CERTDER) CERTAUTH

      Where:
        • zOSMFCA is the label of the CA certificate.
        • IBMUSER.CACERT.IBMUSER.CRT is the data set that will contain the exported CA certificate. The RACF command creates this data set automatically.
        • CERTDER indicates that the certificate is exported in DER format.
      2. Download the CA certificate from z/OS.
      3. Convert it to PEM format:
           openssl x509 -in zOSMFCA.crt -inform der -outform pem -out zOSMFCA.pem