
Author chris-k
Recipients chris-k, christian.heimes, paul.moore, steve.dower, tim.golden, zach.ware
Date 2019-02-18.16:50:46
Message-id <1550508646.46.0.163565845406.issue36011@roundup.psfhosted.org>
In-reply-to
Content
Quick addition: It looks like all recent Windows versions (Win8/Server 2012, Win8.1/Server 2012R2, Win10 (older versions)/Server 2016, Win10-1809/Server 2019) behave the same (= only very few RootCAs are pre-installed out of the box; additional ones are added on the fly when HTTPS requests are being made via the SCHANNEL API).


Possible workaround for Windows admins:

Import the RootCA certs from "certifi" into the Windows local machine Trusted RootCA store.

To do so, first download and convert the certifi cabundle (https://certifi.io) to a pfx container, i.e. with something like:

wget -O certs.pem https://mkcert.org/generate/
openssl pkcs12 -export -nokeys -out certs.pfx -in certs.pem

Then import the pfx via the certlm.msc GUI or the certutil.exe cmdline tool. This imports all certs at once. This can also be centralized for a larger number of machines via an Active Directory Group Policy (Local Machine -> Windows Settings -> Security Settings -> PKI).

This isn't ideal, as it makes the admin responsible for updating the certstore/GPO whenever there's a change in the certifi cabundle, but it works well for me besides that.
History
Date | User | Action | Args
2019-02-18 16:50:46 | chris-k | set | recipients: + chris-k, paul.moore, christian.heimes, tim.golden, zach.ware, steve.dower
2019-02-18 16:50:46 | chris-k | set | messageid: <1550508646.46.0.163565845406.issue36011@roundup.psfhosted.org>
2019-02-18 16:50:46 | chris-k | link | issue36011 messages
2019-02-18 16:50:46 | chris-k | create |
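
The message above notes that the admin has to keep the imported roots in sync with the certifi bundle. The script below is an added example (not part of the original message or of CPython) that reports that drift by comparing SHA-256 fingerprints of the bundle's certificates with those in the Windows store Python's ssl module enumerates as "ROOT". The function names, the `SAMPLE_BUNDLE` placeholder data and the command-line usage are assumptions made for illustration.

```python
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def bundle_fingerprints(bundle_pem):
    """Map SHA-256(DER) hex digest -> PEM block for each cert in a bundle."""
    # Comment lines between blocks (labels, serials) are skipped by the regex.
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest(): b
            for b in PEM_BLOCK.findall(bundle_pem)}

def windows_root_fingerprints(store="ROOT"):
    """SHA-256 digests of the certs currently present in a Windows store."""
    # ssl.enum_certificates() is available only on Windows builds of Python.
    return {hashlib.sha256(data).hexdigest()
            for data, encoding, _trust in ssl.enum_certificates(store)
            if encoding == "x509_asn"}

def store_drift(bundle_pem, store_fps):
    """Return (missing, extra): fingerprints of bundle certs absent from the
    store, and fingerprints in the store that the bundle does not contain."""
    bundle = bundle_fingerprints(bundle_pem)
    missing = sorted(fp for fp in bundle if fp not in store_fps)
    extra = sorted(fp for fp in store_fps if fp not in bundle)
    return missing, extra

# Constructed sample input: two placeholder byte strings, not real X.509 certs.
SAMPLE_BUNDLE = "".join(
    ssl.DER_cert_to_PEM_cert(raw)
    for raw in (b"constructed-root-A", b"constructed-root-B"))

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        # Assumed usage: python drift.py certs.pem
        with open(sys.argv[1], encoding="utf-8") as fh:
            bundle, store = fh.read(), windows_root_fingerprints()
    else:
        # Offline demo: pretend the store holds only the first sample root.
        bundle = SAMPLE_BUNDLE
        store = {hashlib.sha256(b"constructed-root-A").hexdigest()}
    missing, extra = store_drift(bundle, store)
    print(f"{len(missing)} bundle roots missing from the store, "
          f"{len(extra)} store roots not in the bundle")
```

On a machine that relies on on-demand root loading, a large `missing` count is expected before the import and should drop to zero afterwards; `extra` lists roots that Windows trusts but the bundle does not.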