Forums

Hi,

I would to first thank you for this amazing website. I have been using for a long time now and I greatly appreciate how good the free tier is and PythonAnywhere in general. So thank you so much guys.

I have an issue when I connect to https://habitica.com I get :

15:18 ~ $ curl https://habitica.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Could you please help me with that?

Much appreciated

It looks like our CA certificate bundle is getting a bit old. You can download a more up-to-date one here and put it somewhere in your files storage. Then you can use the --cacert option to curl to point to that file. Alternatively, you can use the -k option.

It's breaking my python application. Are there any plans to update the CA bundle ? Thanks

I've downloaded the bundle. Still doesn't help. I believe that it's an OS update issue. Works just fine on the latest ubuntu. Also seems like the latest bundle still has addtrust which expired hours ago.

As a work around the SSL bug I created a modfied bundle that doesn't have addtrust and did:

import os
os.environ['REQUESTS_CA_BUNDLE'] = "/path/to/cacert.pem"

I would appreciate it if you notify me when this is fixed so that I could remove my workaround

No problem. We'll let you know.

Hi SirTen,

Would you mind sharing the CA bundle you have? I've tried taking the PEM file from https://curl.haxx.se, removing the AddTrust entry, and specifying via the "os.environ['REQUESTS_CA_BUNDLE'] = ..." line you posted, but I'm still encountering SSL issues.

Hey plumautoreposter,

The CA bundle is the last file one should be taking from strangers. Simply remove:

AddTrust External Root
======================
-----BEGIN CERTIFICATE-----
............................
-----END CERTIFICATE-----

And upload the file after saving it. This will fix the issue with the Requests library during code execution. Are you using "Requests: HTTP for Humans™" library or another library to initiate the request? Because that env var is specific to the requests library.

Also make sure to set it at the top/start/first lines of your application. Note that removing that entry will not fix curl.

Oh, that's it; I don't send requests, I receive them, so I use Flask, not Requests. Thanks for pointing to this, I will try to figure something out.

Hi, I'm facing the same problem with server certificate verification failing using curl. I used the latest .pem from https://curl.se/docs/caextract.html and specified the path to the certificate using --cacert option but still does not work. I also tried including the -U <username:password> option but still not working. It only works with the -k option but I would prefer other alternatives. Any update on this topic?

Thank you very much.

What exactly are you doing? (Send it to support@pythonanywhere.com if you want to avoid posting it on public forums)