Christian Korneck <christ...@korneck.de> added the comment:
Quick addition: It looks like all recent Windows versions (Win8/Server 2012, Win8.1/Server 2012R2, Win10 (older versions)/Server 2016, Win10-1809/Server 2019) behave the same (= only very few RootCAs are pre-installed out of the box, additional ones are added on the fly when HTTPS requests are being made via the SCHANNEL api).

Possible workaround for Windows admins: Import the RootCA certs from "certifi" into the Windows local machine Trusted RootCA store. To do so, first download and convert the certifi cabundle (https://certifi.io) to a pfx container, i.e. with something like:

    wget -O certs.pem https://mkcert.org/generate/
    openssl pkcs12 -export -nokeys -out certs.pfx -in certs.pem

Then import the pfx via the certlm.msc GUI or the certutil.exe cmdline tool. This imports all certs at once. This can also be centralized for a larger number of machines via an Active Directory Group Policy (Local Machine -> Windows Settings -> Security Settings -> PKI).

This isn't ideal as it puts the admin into the responsibility to update the certstore/GPO whenever there's a change in the certifi cabundle, but works well for me besides that.

----------
title: ssl - tls verify on Windows 10 fails -> ssl - tls verify on Windows fails

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue36011>
_______________________________________
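
Added example, not part of the comment above or of the Python tracker: one way to see when the imported roots have drifted from the bundle is to compare SHA-256 fingerprints of the certificates in `certs.pem` against the Windows ROOT store read through `ssl.enum_certificates()`. The function names are hypothetical, and the script assumes `certs.pem` is the PEM bundle downloaded in the workaround.

```python
import hashlib
import re
import ssl
import sys

# The bundle may carry comment lines between certificates, so match
# only the PEM blocks themselves.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def bundle_fingerprints(pem_text):
    """Map SHA-256 fingerprint -> DER bytes for every cert in a PEM bundle."""
    certs = {}
    for block in PEM_BLOCK.findall(pem_text):
        der = ssl.PEM_cert_to_DER_cert(block)
        certs[hashlib.sha256(der).hexdigest()] = der
    return certs


def windows_root_fingerprints(store="ROOT"):
    """SHA-256 fingerprints of the X.509 certs in a Windows system store."""
    if sys.platform != "win32":
        raise OSError("ssl.enum_certificates() is only available on Windows")
    return {
        hashlib.sha256(der).hexdigest()
        for der, encoding, _trust in ssl.enum_certificates(store)
        if encoding == "x509_asn"  # skip PKCS#7 entries
    }


def missing_from_store(pem_text, store_fingerprints):
    """Sorted fingerprints that are in the bundle but not in the store."""
    return sorted(set(bundle_fingerprints(pem_text)) - set(store_fingerprints))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_roots.py certs.pem")
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        pem = fh.read()
    for fingerprint in missing_from_store(pem, windows_root_fingerprints()):
        print(fingerprint)
```

An empty result means every root in the bundle is already present in the store; any printed fingerprint marks a certificate that still needs importing.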