To all Python developers who interface with Amazon AWS, Rackspace, or Paypal (and others):
Did you suddenly start getting "[SSL: CERTIFICATE_VERIFY_FAILED]"? The reason is here: https://github.com/certifi/python-certifi/issues/26
export REQUESTS_CA_BUNDLE=`python -c 'import certifi; print(certifi.old_where())'`
(You may need to pip install "certifi" first.)
Remember how everybody agreed that 1024-bit certificates are no longer secure? (Refresher: https://www.symantec.com/page.jsp?id=1024-bit-migration-faq)
Well, it turns out that some of the new 2048-bit root CA certs were cross-signed with established 1024-bit CA certs, which was a fine way to have them trusted before all the CA cert stores got updated. But now the 2048-bit certs are in the trust stores, and the 1024-bit certs are being ripped out. Which would be fine too, except if you have an OpenSSL < 1.0.2, because OpenSSL < 1.0.2 will always try to validate an SSL cert chain up to the final cert in the chain, not stopping if it reaches a cert already in its trust store.
You see the problem here. Those cross-signed certs are still technically valid -- and plenty secure at 2048 bits -- but older OpenSSL (as on RHEL/CentOS 6 and Ubuntu 12 LTS) just can't handle their potentially-insecure issuer being removed from the trusted cert store.
Arguably it's a reasonable position to take, since the issuer is potentially untrustworthy, but the existence of the new CA cert in the trust store really ought to take precedence.
OpenSSL >= 1.0.2 can be instructed to validate certs by the shortest trusted path. Python is patched to use this in 2.7.10/3.4.4, and python-requests will do it from 2.7.9 and 3.2.0 onward. But if you can't upgrade OpenSSL, the above workaround will suffice.
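Making that workaround conditional on the OpenSSL your Python is linked against, as an added example (not code from the original post or from certifi): the decision logic is kept in plain functions, and certifi.old_where() is assumed to exist only on the certifi releases of that era, so it is used only when present.

```python
import os
import re
import ssl


def parse_openssl_version(version_string):
    """Turn a banner such as 'OpenSSL 1.0.1e-fips 11 Feb 2013' into a
    comparable tuple (1, 0, 1). Letter suffixes and '-fips' are ignored."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError("unrecognised OpenSSL version: %r" % version_string)
    return tuple(int(part) for part in match.groups())


def supports_trusted_first(version):
    """OpenSSL 1.0.2 and later can stop at the first cert already in the
    trust store; earlier releases walk the chain to its final cert."""
    return tuple(version) >= (1, 0, 2)


def choose_ca_bundle(version, new_bundle, legacy_bundle):
    """Pick the CA bundle to give requests (verify=... or REQUESTS_CA_BUNDLE).
    Old OpenSSL needs the bundle that still carries the 1024-bit roots the
    cross-signed intermediates chain up to; new OpenSSL can use the trimmed one."""
    if supports_trusted_first(version):
        return new_bundle
    if legacy_bundle is None:
        raise RuntimeError("OpenSSL %s cannot validate cross-signed chains "
                           "without a bundle that still has the 1024-bit roots"
                           % ".".join(str(p) for p in version))
    return legacy_bundle


def configure_requests_env(environ=os.environ):
    """Same effect as the 'export REQUESTS_CA_BUNDLE=...' above, but only
    when this interpreter's OpenSSL actually needs it. Returns the bundle
    path chosen, or None if certifi is not installed."""
    try:
        import certifi
    except ImportError:
        return None
    new_bundle = certifi.where()
    # old_where() is assumed to exist only on 2015-era certifi releases that
    # still shipped the 1024-bit roots; newer releases simply lack it.
    legacy_bundle = certifi.old_where() if hasattr(certifi, "old_where") else None
    bundle = choose_ca_bundle(ssl.OPENSSL_VERSION_INFO[:3], new_bundle, legacy_bundle)
    environ["REQUESTS_CA_BUNDLE"] = bundle
    return bundle
```

Call configure_requests_env() before creating any requests.Session; on a modern OpenSSL it leaves you on the current certifi bundle.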
Or you could pressure your vendor to replace their SSL certificate with one that terminates its chain in a 2048-bit root CA cert... but good luck with that.
As explained by: https://github.com/kennethreitz/requests/issues/2455#issuecomment-76627411
Oh, and if you want a stable target to test against, see https://www.symantec.com/page.jsp?id=roots
for a list of test sites using both VeriSign's 1024-bit and 2048-bit root CAs. Amazon's API endpoints are, FWIW, a moving target (some hosts behind their load balancers are apparently using the 2048-bit root CA, some not).
Wow, I picked a great week to start using boto, huh?