Drop-in Replacement to certifi that includes ICP Brasil root certificates
Project description
certifi + ICP Brasil
This package is meant to act as a drop-in replacement to certifi for use with requests that includes all of the same Mozilla root CA certificates, but also includes all of the ICP Brasil root CAs made available here.
The reason why this package exists is that for regulatory and political reasons, many Brazilian government websites use the country-specific ICP Brasil certification scheme, which is not distributed by default by major browsers and operating system distributions. This causes a lot of problems for developers that need to programatically interact with those services.
This is an example of the sort of issue you’ll encounter by default:
>>> import requests
>>> requests.get('https://portalunico.siscomex.gov.br/')
Traceback (most recent call last):
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 603, in urlopen
chunked=chunked)
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
self._validate_conn(conn)
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 843, in _validate_conn
conn.connect()
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/urllib3/connection.py", line 370, in connect
ssl_context=context)
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 355, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 412, in wrap_socket
session=session
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 853, in _create
self.do_handshake()
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 1117, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/urllib3/connectionpool.py", line 641, in urlopen
_stacktrace=sys.exc_info()[2])
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='portalunico.siscomex.gov.br', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/requests/api.py", line 75, in get
return request('get', url, params=params, **kwargs)
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/Users/asieira/.virtualenvs/certifi_icpbr/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='portalunico.siscomex.gov.br', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1056)')))
Usage
The recommended way of using this package is to take advange of the verify parameter used throughout requests to allow the default root CAs file to be overridden:
>>> import requests
>>> import certifi_icpbr
>>> requests.get('https://portalunico.siscomex.gov.br/', verify=certifi_icpbr.where())
<Response [200]>
Alternatively, it is possible to monkey-patch requests so that it uses this package’s root CAs file by default. This is risky and can stop working in future versions ofrequests, so it is strongly recommended you use the first approach if possible. This is the same example using that approach:
>>> import certifi_icpbr
>>> certifi_icpbr.patch_requests()
>>> import requests
>>> requests.get('https://portalunico.siscomex.gov.br/')
<Response [200]>
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
