certificate verify failed: unable to get local issuer certificate . Why?

Question

Ran the following commands.

PS C:\Users\anups\Desktop\Cloud_AntiScalant> mkcert -install
Created a new local CA 💥
The local CA is now installed in the system trust store! ⚡️

PS C:\Users\anups\Desktop\Cloud_AntiScalant> mkcert localhost

Created a new certificate valid for the following names 📜
 - "localhost"

The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅

It will expire on 5 October 2024 🗓

Started the uvicorn server with the following command.

cls;uvicorn main:app --reload --host 127.0.0.1 --port=8000 --ssl-certfile="C:\Users\anups\Desktop\Cloud_AntiScalant\localhost.pem" --ssl-keyfile="C:\Users\anups\Desktop\Cloud_AntiScalant\localhost-key.pem"

I am able to open browser with https://127.0.0.1:8000 but it still shows that its unsecure and says certificate status says OK.

I am running the client app with the following code:

url = 'https://127.0.0.1:8000/'
r = requests.get(url)

I get the following error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=8000): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

I checked the certmgr.msc and I see the mkcert installed.

Any someone please help me?

Answer 1

Your certificate is valid for host localhost:

mkcert localhost

But you use to access the host by IP:

url = 'https://127.0.0.1:8000/'
r = requests.get(url)

This is the reason the software do not match your certificate. Try to use hostname:

url = 'https://localhost:8000/'   
r = requests.get(url)