Why do I receive 'unable to get local issuer certificate (_ssl.c:997)'

Question

When sending a request to a specific URL I get an SSL error and I am not sure why. First please see the error message I am presented with:

requests.exceptions.SSLError: HTTPSConnectionPool(host='dicmedia.korean.go.kr', port=443): Max retries exceeded with url: /multimedia/naver/2016/40000/35000/14470_byeon-gyeong.wav (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

I searched unsuccessfully to different Stackoverflow questions for the last two days:

I already tried:

• https://github.com/Unbabel/COMET/issues/29 (This seems to be related with an internal update Python received relating to the use of specific SSL certificates (not an expert here)
• Downloading the certificate in question and directly linking to it with verify="private/etc/ssl/certs"

I am honestly at loss why I receive this error. As the error message itself indicates it seems that the server in question could get my local certificates somehow. The script worked until a week before. I did not update Python before then. Right now I use python 3.10.2 downloaded from the official website.

I don't want to set verify=False as this just skips the verification process and leaves me vulnerable as numerous people already pointed out at different questions. Besides that it really bothers me that I can't resolve the error.

Any help is much appreciated. See the specific request:

import requests

def request(url):
    response = requests.get(url, verify="/private/etc/ssl/certs")
    print(response)

request("https://dicmedia.korean.go.kr/multimedia/naver/2016/40000/35000/14470_byeon- 
gyeong.wav")

Answer 1

After a lot of googling I figured out the solution myself:

The problem - so it seems - was not all certificates needed where included in Pythons cacert.pem file. As I indicated in my question above to tackle this I downloaded the certifi module at first. As this didn't work out as well I suppose certifi missed the necessary certificates as well.

But I suppose not all certificates in the certificate where missing. As answers to similar questions indicated as well mostly what is missing is not the entire chain, but only the intermediate certificates.

After:

1. downloading the necessary certificates (see the lock symbol in your browser; if you're on OSX you need to drag and drop the big images of the certificates to your finder or desktop etc.),

2. converting them to .perm files and bundling them together: cat first_cert.pem second_cert.pem > combined_cert.pem

and

3. providing the specific path of the bundled certificates as indicated in my question: verify="private/etc/ssl/certs (you may of course choose a different file path).

my request got accepted by the server.

I guess my mistake when trying this solution was that I didn't download the entire chain at first, but only the last certificate.

I really hope this helps someone else as a point of reference.

What I am still dying to know though, is why the error popped up in the first place. I didn't change my script at all and use it on a regular basis, but suddenly got presented with said error. Was the reason that the server I tried to reach change its certificates?

Apologies if my terminology is incorrect.