SSL: CERTIFICATE_VERIFY_FAILED behind proxy

[blcktgr73]

Hi,

I have proxy server to use and try to send simple message.

token = 'Blah-Blah;
proxy_endpoint = 'http://proxyserverip:8080'
slack = Slacker(token,
http_proxy=proxy_endpoint,
https_proxy=proxy_endpoint,)
slack.chat.post_message('#somechannel', 'Hello!!')

However, error message comes as below
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

I think there is some way to walk around disabling verify with get(..., verify=False).
Is this bug? Is there a way to do this walk around?

SB

[blcktgr73]

I found temporary solution on this after trying to googling more on similar issues.

Below code works fine, however this has potential security issue. In addition, I think it needed to make a way to enable and disable certification verification during slacker creation.

        response = method(API_BASE_URL.format(api=api),
                          timeout=self.timeout,
                          proxies=self.proxies,
                          verify=False,
                          **kwargs)

SB

[jonbackhaus]

I have a similar issue with a twist: our firewall blocks slack.com but allows workspace.slack.com. So I think I need to change the base URL used for the API request. Any thoughts?

[blcktgr73]

I found a better fix for this. Actually, the root casue of this issue is that the user's own company cert file is not included in configuration file of certifi package (C:\Python\Python37-32\Lib\site-packages\certifi\cacert.pem). You can refer following link: https://stackoverflow.com/questions/52870795/windows-python-ssl-certificate-verify-failed

As described in the link, you need to add custom ca at the end of cacer.pem file.

Another link for doing this with python script : https://incognitjoe.github.io/adding-certs-to-requests.html

I think this link is also helpful understand certificate related issue for python: https://stackoverflow.com/questions/39356413/how-to-add-a-custom-ca-root-certificate-to-the-ca-store-used-by-pip-in-windows

[os]

I have a similar issue with a twist: our firewall blocks slack.com but allows workspace.slack.com. So I think I need to change the base URL used for the API request. Any thoughts?

Hi, @jonbackhaus. I didn't know that it's possible to use a different URL. What do you think about adding an optional init parameter like base_url or base_api_url where you can pass workspace.slack.com instead?

[os]

I found a better fix for this. Actually, the root casue of this issue is that the user's own company cert file is not included in configuration file of certifi package (C:\Python\Python37-32\Lib\site-packages\certifi\cacert.pem). You can refer following link: https://stackoverflow.com/questions/52870795/windows-python-ssl-certificate-verify-failed

As described in the link, you need to add custom ca at the end of cacer.pem file.

Another link for doing this with python script : https://incognitjoe.github.io/adding-certs-to-requests.html

I think this link is also helpful understand certificate related issue for python: https://stackoverflow.com/questions/39356413/how-to-add-a-custom-ca-root-certificate-to-the-ca-store-used-by-pip-in-windows

Hi, @blcktgr73. So you can fix this issue without any code changes? Do we still need the verify parameter?