Quick Guide to Fix SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED error in Python

The SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED error suggests that the SSL certificate used by the server you’re trying to connect to has expired.

The best and most secure solution is to update the expired certificate with a new, valid one. This usually involves generating a new certificate and configuring the server to use it.

If you don’t control the server, you might need to contact the server administrator or the API provider to update their SSL certificate.

You can bypass SSL certificate verification in Python using the request module during development or testing. It is not recommended for production environments due to the security risks.

Verify the Certificate Expiry

First, we can use the openssl command to double-check if the certificate is expired or not.

• OpenSSL: Use the openssl command-line tool to check the validity of the server’s SSL certificate. Specifically, look for the notAfter field in the output. This will show you the expiration date of the certificate.
• Command:

openssl s_client -servername hostname -connect hostname:port 2>/dev/null | openssl x509 -noout -dates

• Replace:
  • hostname: with the server’s hostname (e.g., example.com).
  • port: with the port number used for the connection (usually 443 for HTTPS).
  •  servername:  this option is used for SNI (Server Name Indication) which is important for servers hosting multiple domains on the same IP address.
• Example:
  openssl s_client -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -noout -dates

Update the Server’s SSL Certificate

• The most appropriate and secure fix is to renew the SSL certificate on the server you are trying to access.
• Contact the server administrator to update the certificate.

Update Local Certificate Store

• Ensure that your local machine or the environment running the Python script has the latest SSL certificates.
• On Linux, you can update the certificates using your package manager (e.g., sudo apt-get update && sudo apt-get upgrade ca-certificates).
• For Python, ensure that the certifi package is up to date (pip install –upgrade certifi).

Use an Updated Version of Python

• Older versions of Python might not properly validate SSL certificates. Make sure you are using a recent version of Python.
• Use a virtual environment to test newer versions of Python if you cannot upgrade the system-wide Python installation.

Adjust Python Requests to bypass SSL verification (Not Recommended)

• As a last resort, and only for development or testing (not in production), you can bypass SSL verification in Python’s requests library. However, this is insecure and exposes you to man-in-the-middle attacks.
• To bypass SSL verification (not recommended), you can modify your requests call as follows:

  requests.get('https://example.com', verify=False)
  

• If using another HTTP client in Python, consult its documentation for similar options.

Handle SSL Certificate Expiration in Code

• If you specifically need to handle expired SSL certificates in your Python code (for example, if you’re writing a monitoring tool), you can catch the SSL exception and handle it appropriately.
• Example:

  import requests
  from requests.exceptions import SSLError
  try:
      response = requests.get('https://example.com')
  except SSLError as e:
      if 'certificate verify failed' in str(e):
          # Handle expired certificate case
          pass
      else:
          raise
  

Conclusion

The recommended approach is always to ensure that the SSL certificates are up to date, both on the server and the client side. Bypassing SSL verification should be a temporary measure used only in controlled development environments. Always prioritize maintaining secure communication channels in your applications.