Cannot access api.cloudflare.com due to SSL certificate validation error #115

Closed
marcelloromani opened this issue Mar 18, 2021 · 5 comments

@marcelloromani

I am trying to access the CloudFlare API using a custom API token. While the curl command provided by the web interface works, accessing the API via Python fails as it doesn't seem to recognise the SSL certificate.

How to reproduce:

Using a slightly modified version of this script: urllib3/urllib3#1682 (comment)
I get this error:

$ python3 ~/Desktop/check_ssl.py 
OS Darwin Darwin Kernel Version 20.3.0: Thu Jan 21 00:07:06 PST 2021; root:xnu-7195.81.3~1/RELEASE_X86_64
Python 3.9.2
OpenSSL OpenSSL 1.1.1j  16 Feb 2021
Requests 2.25.1
Urllib3 1.26.4
Issue detected
HTTPSConnectionPool(host='api.cloudflare.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1123)')))

Here's the script:

import platform
import ssl

import requests
import urllib3

print("OS", platform.system(), platform.version())
print("Python", platform.python_version())
print("OpenSSL", ssl.OPENSSL_VERSION)
print("Requests", requests.__version__)
print("Urllib3", urllib3.__version__)

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
s = requests.Session()
# s.verify = False
s.verify = True
try:
    s.request("GET", "https://api.cloudflare.com")
except Exception as e:
    print("Issue detected")
    print(e)
else:
    print("Issue not detected")

@marcelloromani
Author

Sorry, this relates to Python/SSL and has nothing to do with the CloudFlare library itself.

@mahtin
Collaborator

mahtin commented Mar 18, 2021

Hello @marcelloromani, I saw your other note about having a "network monitoring app" installed and hence having a certificate issue; however, I wanted to provide you with some feedback to your initial issue.

First off, here's a run on my Mac desktop:

OS Darwin Darwin Kernel Version 20.3.0: Thu Jan 21 00:07:06 PST 2021; root:xnu-7195.81.3~1/RELEASE_X86_64
Python 3.8.7
OpenSSL OpenSSL 1.1.1i  8 Dec 2020
Requests 2.25.1
Urllib3 1.26.3
Issue not detected

Plus, an RPi4:

OS Linux #1333 SMP Mon Aug 10 16:51:40 BST 2020
Python 3.7.3
OpenSSL OpenSSL 1.1.1d  10 Sep 2019
Requests 2.21.0
Urllib3 1.24.1
Issue not detected

Note that I'm a revision or so behind you in various areas; but that isn't the issue you had. However, this error brings up a debugging issue. Can you try the command level app cli4 (part of this package) on your machine with your monitoring app installed and operating? I would like to see the error messages produced by that setup. Use this command:

$ cli4 -v /ips > /dev/null
...
$

I believe that it won't handle your setup cleanly (clearly it won't connect). I will then work on a cleaner error-handling for that situation. (Yes - I realize you were writing raw Python code to access the API vs using this package; however, I believe this is still a useful test.)

Thanks!

@marcelloromani
Author

Hi @mahtin, thanks a lot for your reply!

Here's my output with the network monitoring app active:

$ cli4 -v /ips > /dev/null
2021-03-18 18:47:35,502 - Python Cloudflare API v4 - DEBUG - Call: emulated curl command ...
       curl -X GET "https://api.cloudflare.com/client/v4/ips" \
            -H "User-Agent: python-cloudflare/2.8.15/python-requests/2.25.1/python/3.9.2" \
            -H "Content-Type: application/json"
2021-03-18 18:47:35,566 - Python Cloudflare API v4 - DEBUG - Call: exception! "HTTPSConnectionPool(host='api.cloudflare.com', port=443): Max retries exceeded with url: /client/v4/ips (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1123)')))"
cli4: /ips - 0 connection failed.

Here's the same command with the network monitoring app disabled:

$ cli4 -v /ips > /dev/null
2021-03-18 18:49:49,383 - Python Cloudflare API v4 - DEBUG - Call: emulated curl command ...
       curl -X GET "https://api.cloudflare.com/client/v4/ips" \
            -H "User-Agent: python-cloudflare/2.8.15/python-requests/2.25.1/python/3.9.2" \
            -H "Content-Type: application/json"
2021-03-18 18:49:50,175 - Python Cloudflare API v4 - DEBUG - Response: 200, application/json, b'{"result":{"ipv4_cidrs"[truncated to avoid publishing sensitive information]
2021-03-18 18:49:50,176 - Python Cloudflare API v4 - DEBUG - Response: {'ipv4_cidrs': [truncated to avoid publishing sensitive information]

@lakshits11

> I am trying to access the CloudFlare API using a custom API token. While the curl command provided by the web interface works, accessing the API via Python fails as it doesn't seem to recognise the SSL certificate.
>
> How to reproduce:
>
> Using a slightly modified version of this script: urllib3/urllib3#1682 (comment) I get this error:
>
> $ python3 ~/Desktop/check_ssl.py
> OS Darwin Darwin Kernel Version 20.3.0: Thu Jan 21 00:07:06 PST 2021; root:xnu-7195.81.3~1/RELEASE_X86_64
> Python 3.9.2
> OpenSSL OpenSSL 1.1.1j  16 Feb 2021
> Requests 2.25.1
> Urllib3 1.26.4
> Issue detected
> HTTPSConnectionPool(host='api.cloudflare.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1123)')))
>
> Here's the script:
>
> import platform
> import ssl
>
> import requests
> import urllib3
>
> print("OS", platform.system(), platform.version())
> print("Python", platform.python_version())
> print("OpenSSL", ssl.OPENSSL_VERSION)
> print("Requests", requests.__version__)
> print("Urllib3", urllib3.__version__)
>
> urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
> s = requests.Session()
> # s.verify = False
> s.verify = True
> try:
>     s.request("GET", "https://api.cloudflare.com")
> except Exception as e:
>     print("Issue detected")
>     print(e)
> else:
>     print("Issue not detected")

Hi, today I am also having this error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.cloudflareclient.com', port=443): Max retries exceeded with url: /v0a835/reg (Caused by SSLError(SSLError(1, '[SSL] internal error (_ssl.c:1007)')))

Although running your custom script does not give any issue. Why is that? And can you also please help me?

@mahtin
Collaborator

mahtin commented Sep 18, 2023

I think you're not talking via a clean path to api.cloudflare.com (or api.cloudflareclient.com for that matter). You should re-run your example code against one of the sites listed under https://badssl.com. For example https://untrusted-root.badssl.com/ maybe. I think you will see the same Issue detected results.

As for your error on those specific URLs? I would check your path. Try it against known good domains like google.com or cnn.com or github.com etc. If you also fail, then you should check why. Maybe a root cert issue on your machine? Maybe a MITM somewhere? Maybe something else? Also try with sites hosted on Cloudflare that aren't the API, like cloudflare.com or something from the https://hunter.io/technologies/cloudflare list. Confirm just where you are getting that error. BTW: I have run your Python code and I don't get an error.

Plus, don't do urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) unless you have a damn good reason to do that. It's a security risk as you won't know who you are talking to.

That all said, I'm happy to help, but this isn't an issue related to this library.
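
The isolation steps suggested in the last comment (compare the API host against known-good sites and a badssl.com endpoint that must fail), as an added example that is not part of the thread or of python-cloudflare. The names `probe`, `diagnose` and the host constants are chosen here for illustration; the hosts themselves are the ones mentioned in the thread.

```python
import socket
import ssl

# Hosts named in the thread: the API, known-good sites, and a badssl.com
# endpoint that must FAIL verification on a healthy client.
TARGET = "api.cloudflare.com"
GOOD_CONTROLS = ["github.com", "cloudflare.com"]
BAD_CONTROL = "untrusted-root.badssl.com"


def probe(host, port=443, timeout=5.0):
    """Handshake with verification ON. Returns ("ok", None),
    ("verify", <OpenSSL verify message>) or ("other", <error text>)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return ("ok", None)
    except ssl.SSLCertVerificationError as exc:
        return ("verify", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("other", str(exc))


def diagnose(results):
    """Interpret {host: probe() result} for TARGET and the control hosts."""
    if results[BAD_CONTROL][0] == "ok":
        return "known-bad control verified: verification is off or a trusted proxy re-signs traffic"
    kind, detail = results[TARGET]
    if kind == "ok":
        return "target verifies; no trust problem on this path"
    if kind == "other":
        return f"handshake/transport failure, not a trust decision: {detail}"
    failing = [h for h in GOOD_CONTROLS if results[h][0] == "verify"]
    if len(failing) == len(GOOD_CONTROLS):
        return f"every host fails verification ({detail}): local interception or root store"
    if failing:
        return f"some hosts fail verification ({detail}): selective interception on the path"
    return f"only the target fails verification ({detail}): inspect that host's path"


if __name__ == "__main__":
    hosts = [TARGET, *GOOD_CONTROLS, BAD_CONTROL]
    results = {h: probe(h) for h in hosts}
    for h in hosts:
        print(f"{h:28} {results[h]}")
    print(diagnose(results))
```

Verification stays enabled throughout, so the probe reports the same trust decision `requests` would make instead of hiding it.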
