classification
Title: Unwarranted "certificate has expired" when urlopen-ing R3 sites
Type:
Stage: resolved
Components:
Versions: Python 3.10, Python 3.7

process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To:
Nosy List: aivarannamaa, lemburg, u36959
Priority: normal
Keywords:

Created on 2021-10-05 09:17 by aivarannamaa, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (6)
msg403208 - Author: Aivar Annamaa (aivarannamaa) Date: 2021-10-05 09:17
On one of my Windows 10 computers I'm not able to urlopen sites which use R3 certificates. The same is reported by several of the users of my software.

The following is taken from a session in a fresh IDLE 3.10 on an up-to-date Windows 10:


Python 3.10.0 (tags/v3.10.0:b494f59, Oct  4 2021, 18:46:30) [MSC v.1929 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license()" for more information.
>>> from urllib.request import urlopen
>>> urlopen("https://openssl.org")
Traceback (most recent call last):
  File "C:\Python310-32\lib\urllib\request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "C:\Python310-32\lib\http\client.py", line 1276, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Python310-32\lib\http\client.py", line 1322, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Python310-32\lib\http\client.py", line 1271, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Python310-32\lib\http\client.py", line 1031, in _send_output
    self.send(msg)
  File "C:\Python310-32\lib\http\client.py", line 969, in send
    self.connect()
  File "C:\Python310-32\lib\http\client.py", line 1448, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "C:\Python310-32\lib\ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Python310-32\lib\ssl.py", line 1070, in _create
    self.do_handshake()
  File "C:\Python310-32\lib\ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<pyshell#1>", line 1, in <module>
    urlopen("https://openssl.org")
  File "C:\Python310-32\lib\urllib\request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python310-32\lib\urllib\request.py", line 519, in open
    response = self._open(req, data)
  File "C:\Python310-32\lib\urllib\request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "C:\Python310-32\lib\urllib\request.py", line 496, in _call_chain
    result = func(*args)
  File "C:\Python310-32\lib\urllib\request.py", line 1391, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "C:\Python310-32\lib\urllib\request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:997)>



In the same session, requests works fine:

>>> import requests
>>> requests.get("https://openssl.org")
<Response [200]>



It's really weird that on my other Windows 10 computer, also 64-bit, having the same state of updates, using the same version of Python 3.10, connected to the same network -- everything works fine. Neither of the computers uses any extra network middleware or proxies.

On both computers Chrome and Firefox are happy with the certificate of https://openssl.org

Same applies to Python 3.7

It must be somehow related to https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates
msg403216 - Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2021-10-05 09:54
Are you sure that all updates on the failing machine have been correctly
installed? It's possible that the list of CA root certs is not up to date
on the machine.

You can use certmgr.msc to check the list of installed CA root certs.
msg403223 - Author: Aivar Annamaa (aivarannamaa) Date: 2021-10-05 10:48
I can list the root certs with certmgr, but I'm not sure which piece to investigate further.

Even if there is a problem with the installed certs, it's interesting: why doesn't it bother the browsers and requests? Maybe this is an opportunity to make something better in urllib?
msg403227 - Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2021-10-05 10:59
On 05.10.2021 12:48, Aivar Annamaa wrote:
> 
> I can list the root certs with certmgr, but I'm not sure which piece to investigate further. 

Check the certs in the LE chain as listed on the page you quoted
and compare them to the working installation.

> Even if there is a problem with the installed certs, it's interesting: why doesn't it bother the browsers and requests? Maybe this is an opportunity to make something better in urllib?

Browsers and requests use their own list of trusted CAs.
msg403303 - Author: Aivar Annamaa (aivarannamaa) Date: 2021-10-06 14:12
I was not able to find out why one of my Windows boxes failed to update the certificate store, but I was able to work around this by manually installing https://letsencrypt.org/certs/lets-encrypt-r3.der

It looks like this is actually a Windows problem, so I'm closing this issue.
msg405473 - Author: Alexandre (u36959) Date: 2021-11-01 21:54
If anyone is having this issue too, you can find more information at https://community.letsencrypt.org/t/potential-problem-with-r3-intermediates-on-windows-servers/157164; it looks like Windows keeps using expired certificates until rebooted.
A solution is to remove the expired R3 intermediary from the store, forcing Windows to use the newer one.
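
Added example (not part of the original thread or of CPython): a diagnostic for the check suggested above, listing expired entries in the Windows "CA" and "ROOT" system stores that Python's default ssl context loads. The function names and the SAMPLE data are constructed for illustration; on non-Windows systems the script runs against SAMPLE only.

```python
import ssl
import sys
import time

# Constructed sample in the dict format of SSLContext.get_ca_certs():
# two copies of one intermediate, the older one past its notAfter date.
SAMPLE = [
    {"subject": ((("commonName", "Example Intermediate CA"),),),
     "issuer": ((("commonName", "Example Legacy Root"),),),
     "notAfter": "Sep 30 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "Example Intermediate CA"),),),
     "issuer": ((("commonName", "Example Current Root"),),),
     "notAfter": "Sep 30 00:00:00 2031 GMT"},
]


def _cn(rdns):
    """Pull commonName out of the nested tuples ssl uses for names."""
    return {k: v for rdn in rdns for k, v in rdn}.get("commonName")


def expired_certs(decoded, now=None):
    """Return (subject CN, issuer CN, notAfter) for every expired entry."""
    now = time.time() if now is None else now
    return [(_cn(c["subject"]), _cn(c["issuer"]), c["notAfter"])
            for c in decoded
            if ssl.cert_time_to_seconds(c["notAfter"]) < now]


def windows_store_certs(stores=("CA", "ROOT")):
    """Decode the Windows stores that ssl's default context reads (Windows only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for store in stores:
        for der, encoding, _trust in ssl.enum_certificates(store):
            if encoding != "x509_asn":
                continue  # skip PKCS#7 bundles
            try:
                ctx.load_verify_locations(cadata=der)
            except ssl.SSLError:
                pass  # entry OpenSSL cannot parse
    return ctx.get_ca_certs()  # CA certificates only


if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    certs = windows_store_certs() if on_windows else SAMPLE
    for subject, issuer, not_after in expired_certs(certs):
        print(f"EXPIRED {subject!r} issued by {issuer!r} notAfter={not_after}")
```

Comparing the output between a failing and a working machine shows which expired intermediate is present only on the failing one.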
History
Date                 User          Action  Args
2022-04-11 14:59:50  admin         set     github: 89535
2021-11-01 21:54:43  u36959        set     nosy: + u36959; messages: + msg405473
2021-10-06 14:12:55  aivarannamaa  set     status: open -> closed; resolution: not a bug; messages: + msg403303; stage: resolved
2021-10-05 10:59:46  lemburg       set     messages: + msg403227
2021-10-05 10:48:43  aivarannamaa  set     messages: + msg403223
2021-10-05 09:54:18  lemburg       set     nosy: + lemburg; messages: + msg403216
2021-10-05 09:17:20  aivarannamaa  create