Community
Select to view content in your preferred language

Sign-In to Portal Via Python Script Creates SSL Error for Service Account

75
2
Monday
McKinneyPatrick_PA
by
Emerging Contributor
Monday

We recently updated the SSL certificate for our single-machine base deployment of ArcGIS Enterprise 11.1.  With my organizational user account, I can sign-in and access the Portal via a Python script from both my laptop, and logged onto the server.

However, whenever I am logged onto the Windows server with a service account (headless user), I get the following error when signing-in to the Portal.  Note, the same script is run.  The only difference is whom is logged into the server.

Does anyone have any ideas what might be causing this issue?  

2024-12-16 18:00:22,869 - signing into Portal…

2024-12-16 18:00:25,237 - Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /portal/sharing/rest/info?f=json

2024-12-16 18:00:31,236 - Failed at Line 40

2024-12-16 18:00:31,236 - Error: Please set verify_cert=False due to encountered SSL error: HTTPSConnectionPool(host='gis.health.pa.gov', port=443): Max retries exceeded with url: /portal/sharing/rest/info?f=json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

 

 

 

0 Kudos
2 Replies
A_Wyn_Jones
by Esri Contributor
Esri Contributor
Tuesday

Python has it's own certificate store which doesn't include your certificate by default. For best practice, you should add this certificate to the python store to ensure your python environment trusts your Portal Url.

You can do this using certifi, ssl and requests modules.

You can ignore these warnings within the python session with:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context()

It's less secure to ignore the warnings but will suppress these warnings for you.

"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."
0 Kudos
JoshuaBixby
by MVP Esteemed Contributor
MVP Esteemed Contributor
Tuesday

It is true Python can be compiled to use its own certificate store, and it is true some packages like certifi do include their own certificate store by default, but Python made a decision over a decade ago to default to the system or host certificate store.

From PEP 476 – Enabling certificate verification by default for stdlib http clients | peps.python.org (which was accepted and applied to 3.4+ and 2.7.X+)

Trust database

This PEP proposes using the system-provided certificate database. Previous discussions have suggested bundling Mozilla’s certificate database and using that by default. This was decided against for several reasons...

Esri does not override Python's default for ssl, at least on Windows systems (I assume the same on Linux but haven't confirmed myself).  It may be possible the function the OP is calling does rely on a package containing its own certificate store, but without more specifics from the OP no one can say one way or the other.

0 Kudos