[Fixed] Cannot Set verify_mode to cert_none When check_hostname is Enabled

This is an error programmers encounter while working on SSL modules. SSL certificates are an essential part of secure web browsing. Without an SSL certificate, your website cannot connect with most visitors’ browsers and/or operating systems.

Why did you get the "cannot set verify_mode to cert_none when check_hostname is enabled" error?

SSL is a protocol used to encrypt data as it travels between two computers. However, if you’re using an old version of the protocol, then your website might not be protected by it.

If you want to ensure SSL protects your site and aren’t sure it was correctly configured, check the hostname. If a hostname is being used without an SSL certificate, it’s probably not protected by SSL.

Put simply, this error states that when verify_mode is set to cert_none while the check_hostname parameter is still enabled, we will encounter an error.

Usage of check_hostname parameter

This parameter checks whether a match exists between the hostname on the certificate and the server hostname. If a match doesn’t exist, you must do a network security check. So usually, one should not disable the check_hostname parameter.

Fixing the error

Disable hostname parameter

To fix the error, one thing is sure: you have to disable the check_hostname parameter, i.e., set it to False. This is because you received the error while the hostname was being checked, i.e., while the value of check_hostname was True. You can disable hostname checking in this way:

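import ssl
context = ssl.create_default_context()
# Order matters: turn off hostname checking first...
context.check_hostname = False
# ...then verify_mode can be lowered to CERT_NONE without raising the error
context.verify_mode = ssl.CERT_NONE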

Either way, just set check_hostname to False.

However, this is a bit risky. Opt for this only when you have a local environment. Otherwise, disabling hostname checking will be hazardous for the system. It can make the system vulnerable to malware. MITM attacks are widespread. So this is not considered to be a safe approach.
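The ordering rule behind the error, shown as an added example that is not part of the original article: it applies the same two assignments in both orders to a fresh default context and reports what the ssl module does. The helper names apply_in_order and is_verifying are made up for this illustration.

```python
import ssl

def apply_in_order(assignments):
    """Apply (attribute, value) pairs to a fresh default context.

    Returns (check_hostname, verify_mode name) on success, or the
    ValueError text if the ssl module rejects one of the steps.
    """
    ctx = ssl.create_default_context()  # starts as check_hostname=True, CERT_REQUIRED
    try:
        for attr, value in assignments:
            setattr(ctx, attr, value)
    except ValueError as exc:
        return str(exc)
    return ctx.check_hostname, ctx.verify_mode.name

# Wrong order: verify_mode is lowered while hostname checking is still on.
WRONG = apply_in_order([("verify_mode", ssl.CERT_NONE),
                        ("check_hostname", False)])

# Order the article uses: hostname checking off first, then CERT_NONE.
RIGHT = apply_in_order([("check_hostname", False),
                        ("verify_mode", ssl.CERT_NONE)])

# Re-enabling check_hostname on a CERT_NONE context (Python 3.7+) raises
# verify_mode back to CERT_REQUIRED instead of failing.
REARMED = apply_in_order([("check_hostname", False),
                          ("verify_mode", ssl.CERT_NONE),
                          ("check_hostname", True)])

def is_verifying(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED

if __name__ == "__main__":
    print("wrong order :", WRONG)
    print("right order :", RIGHT)
    print("re-armed    :", REARMED)
```

A check like is_verifying can be asserted just before a context is handed to a client outside the local environment, so a context weakened during debugging is caught early.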

Set value for verify_mode (not cert_none)

The second approach is to enable verification of the certificate. Of course, you will require the certificate, so set the value of verify_mode as CERT_REQUIRED or CERT_OPTIONAL. Besides this, SSL_CERT_FILE needs to have a valid certificate. For this purpose, you can use the local environment again. So, use the SSL certificate and enable hostname verification. This is a suggested approach to deal with the error.

import requests

# verify=True (the default) checks the server certificate and hostname
myresponse = requests.get('https://abc.com', verify=True)
print(myresponse)

Or you may use:

import ssl
context = ssl.create_default_context()
context.check_hostname = True
context.verify_mode = ssl.CERT_OPTIONAL

The certificate is optional, and check_hostname is enabled. So hostname verification will be done. If verification is not completed, the request won’t display a failure state.

Fix error with pip-system-certs

pip-system-certs is a package that fetches the server’s default certificates. It manages pip and requests simultaneously. Both these tasks occur at the same time.

Regarding this error, if the hostname parameter is enabled and you are trying to fetch the SSL details, you will get this error. To resolve the error, try importing the certificates and necessary SSL-related details this way:

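import ssl

# Build a context and load the system's default certificates into it
ssl_context = ssl.create_default_context()
ssl_context.load_default_certs()
# kwargs stands for the keyword arguments of the call being configured
# (an empty dict here, as an assumption, so the snippet runs on its own)
kwargs = {}
kwargs['ssl_context'] = ssl_context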

Fix errors in requests

One can resolve the problem mentioned above with the requests module too. The requests module has the verify parameter, which checks server-side certificates. So, as per the second approach stated above, you may set this as False.

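import requests

url_string = 'https://abc.com'  # placeholder URL
file_name = 'response.bin'      # placeholder output path
# verify=False switches off certificate verification for this request
resp = requests.get(url_string, verify=False)
with open(file_name, 'wb') as f:
    f.write(resp.content)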

You can use the pip command to work with requests too.

pip install requests

Using cloudscraper to fix this error

To disable the security check, you can use this code. However, this makes the network less secure, so removing the certificate requirement is not suggested. The ssl._create_unverified_context() function does this job. Now, no verification of the certificate is required. When we use create_default_context() with SSL, it creates a secure connection, which is not happening in this case because we used the unverified variant.

import cloudscraper
import ssl

session = cloudscraper.CloudScraper(
    browser={
        'browser': 'chrome',
        'platform': 'windows',
        'mobile': False,
    },
    ssl_context=ssl._create_unverified_context(),
)
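Because these workarounds tend to outlive the local environment they were meant for, a code base can be scanned for them. The following is an added example, not code from the original article: a small AST-based check that flags the four verification-disabling patterns shown on this page. The function name find_disabled_verification and the sample source are constructed for illustration.

```python
import ast

# Constructed sample: the verification-disabling snippets from this article.
SAMPLE = '''
import ssl, requests, cloudscraper
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
resp = requests.get("https://abc.com", verify=False)
session = cloudscraper.CloudScraper(ssl_context=ssl._create_unverified_context())
ok = requests.get("https://abc.com", verify=True)
'''

def _name(node):
    """Last component of a Name/Attribute node, e.g. ssl.CERT_NONE -> CERT_NONE."""
    return getattr(node, "attr", getattr(node, "id", None))

def find_disabled_verification(source):
    """Return sorted (line, finding) pairs for TLS checks switched off in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                attr = _name(target) if isinstance(target, ast.Attribute) else None
                value = node.value
                if (attr == "check_hostname" and isinstance(value, ast.Constant)
                        and value.value is False):
                    findings.append((node.lineno, "check_hostname disabled"))
                if attr == "verify_mode" and _name(value) == "CERT_NONE":
                    findings.append((node.lineno, "verify_mode set to CERT_NONE"))
        elif isinstance(node, ast.Call):
            if _name(node.func) == "_create_unverified_context":
                findings.append((node.lineno, "unverified SSL context"))
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, "verify=False"))
    return sorted(findings)

if __name__ == "__main__":
    for line, finding in find_disabled_verification(SAMPLE):
        print(f"line {line}: {finding}")
```

The check is syntactic only: it will miss values passed through variables (for example verify=flag), so treat a clean result as a first pass rather than proof.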

How do SSL certificates work (httplib2)?

SSL Servers have found great use on HTTP servers. These ensure security for the user’s network. This certificate is issued by a certified certificate authority only. The browser checks who has given the certificate, i.e., the name of the certificate authority, when it gets a request on the server.

It is also possible that the user has created their own custom SSL certificate. In that case, the browser won’t be able to match the certificate authority with its list of certificate-issuing authorities, so you may be notified by the browser. It may say that the certificate is invalid. Also, the data packet will transfer to the destination, but the browser tells the user that the connection may be prone to man-in-the-middle (MITM) attacks.

How is an SSL certificate different from an IP address?

SSL certificates are digital certificates that identify the server which sent a request. The request can be a form submission or an email. As you might have guessed by their name, they’re used to secure communications between a client and a server. They are also used to verify the identity of your website’s visitors.

An IP address is a number that identifies your computer on the Internet. It has two parts: an autonomous system number (ASN) for identifying your organization and an internet protocol (IP) address for determining your specific computer on the Internet.

If one of these pieces is removed, the certificate is no longer valid, and the browser will not load your site. We always recommend getting an IP address and a valid SSL certificate from a trusted provider. Knowing each piece is essential because it affects how well your site works if one part is missing or incorrect.

FAQs on cannot set verify_mode to cert_none when check_hostname is enabled

What is meant by the hostname mismatch error in the SSL certificate?

When the browser name issued in the certificate doesn’t match the browser, it results in the given error.

How do you verify the SSL certificate in Python?

You can check the website’s address bar and SSL active connection details. It will have information about the expiry of the certificate too.

Is SSL check enabled by default in urllib and requests?

You may check the website URL to see whether the SSL certificate has been uploaded.

Conclusion

By the end of this article, you must have got a fair idea of the ‘cannot set verify_mode to cert_none when check_hostname is enabled’ error. Two ways were elaborated: disabling the check_hostname parameter and setting a certificate. The user should go for the second option out of these two, as it is safer. It ensures proper delivery of data packets while securing the connection. And that is what is desired.
