Skip to content

VERIFY_X509_STRICT leads to Auth error "certificate verify failed: Basic Constraints of CA cert not marked critical" #1567

Description

I have a local keycloak instance with a certificate deployed with my custom CA. This CA and the certificate were created by EasyRSA.
Using this lib to authenticate I get this error in netbox:

Connection error: HTTPSConnectionPool(host='keycloak.domain.com', port=443): Max retries exceeded with url: /realms/master/protocol/openid-connect/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1029)')))

It seems like Python 3.13 with VERIFY_X509_STRICT set requires a new flag for the CA: its basic constraint must be marked critical.

Is there a flag so we can disable this strict check and just do a "basic" check? Or do we have to disable the SSL verification completely?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions