Tags: django, ssl, windows-server-2012, access-denied, certificate-store

Access denied to Windows certificate store in Django application


I searched everywhere, but it seems like it is only my problem, or everyone else is using a bypass, which I don't want. So I'm getting "access denied" to the Windows certificate store. When I access it from the Python cmd everything is OK. My site in IIS is set for Administrator credentials and the application catalog also has Administrator rights. There is a similar problem on Stack and I had looked into it, but my case seems different and I don't want to use an unverified context for obvious reasons.

I'm stuck and don't understand what's going on. Any help?

(Windows Server 2012 R2, Django 1.8, Python 2.7.9, IIS 8.5)

    conn = httplib.HTTPSConnection(PAYPAL_LIVE_HOST, context=ssl._create_default_https_context())

    Traceback (most recent call last):
      File "c:\Python27\lib\site-packages\django\core\handlers\base.py", line 132, in get_response
        response = wrapped_callback(request, *callback_args, **callback_kwargs)
      File "c:\Python27\lib\site-packages\django\contrib\auth\decorators.py", line 22, in _wrapped_view
        return view_func(request, *args, **kwargs)
      File "C:\inetpub\vhosts\sgtmarkets.com\rails\SGTMarketsBO\website\views\finance\deposit.py", line 77, in paypal
        conn = httplib.HTTPSConnection(PAYPAL_LIVE_HOST, context=ssl._create_default_https_context())
      File "c:\Python27\lib\ssl.py", line 427, in create_default_context
        context.load_default_certs(purpose)
      File "c:\Python27\lib\ssl.py", line 378, in load_default_certs
        self._load_windows_store_certs(storename, purpose)
      File "c:\Python27\lib\ssl.py", line 365, in _load_windows_store_certs
        for cert, encoding, trust in enum_certificates(storename):
    WindowsError: [Error 5] Access is denied

Solution

  • I know this is an old post, but I was able to solve this by going to Application Pools in IIS, selecting the application pool my Django app was running in, going to Advanced Settings, clicking the three-dots button next to ApplicationPoolIdentity (at least that was the built-in account that was the default for me), and then changing it to the NetworkService account.
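The traceback in the question shows where the failure actually happens: `ssl._create_default_https_context` is an alias of `ssl.create_default_context`, and when it is called with no `cafile`/`capath`/`cadata` it runs `load_default_certs()`, which on Windows enumerates the CA and ROOT stores with `ssl.enum_certificates`. That is the call the IIS worker identity is denied. The following is an added example, not code from the question or the answer, that (a) probes those two stores the same way so you can run it under the app pool identity and see what the worker sees, and (b) builds a context from an explicit CA bundle, which skips the store enumeration while keeping certificate and hostname verification on, as an alternative to the answer's identity change when you cannot change the pool account. It assumes Python 2.7.9+ or 3.x; the host name passed to `connect()` and the `cafile` path are placeholders, and on a non-Windows host the probe reports the stores as unavailable rather than failing.

```python
"""Diagnose and work around 'Access is denied' from ssl.load_default_certs on Windows.

Added example (not from the original post). Runs on Python 2.7.9+ and 3.x.
"""
import ssl

try:
    import httplib  # Python 2
except ImportError:
    import http.client as httplib  # Python 3

# The store names ssl.load_default_certs() walks on Windows (see the traceback:
# _load_windows_store_certs -> enum_certificates(storename)).
WINDOWS_STORES = ("CA", "ROOT")


def probe_windows_stores(stores=WINDOWS_STORES):
    """Return {store: number_of_certs} or {store: 'error: ...'} per store.

    Run this from code executing inside the IIS worker (a view or management
    command started by the app pool) to see which store the pool identity
    cannot read; from an interactive shell it reflects your own account.
    """
    enum = getattr(ssl, "enum_certificates", None)  # Windows-only function
    if enum is None:
        return dict((s, "enum_certificates not available on this platform") for s in stores)
    result = {}
    for store in stores:
        try:
            result[store] = len(enum(store))
        except OSError as exc:  # WindowsError is a subclass of OSError
            result[store] = "error: %s" % exc
    return result


def build_verified_context(cafile=None, capath=None):
    """Build a TLS context that still verifies the peer.

    When cafile/capath is given, create_default_context() loads that bundle
    and never calls load_default_certs(), so the Windows store is not opened
    at all. verify_mode stays CERT_REQUIRED and check_hostname stays True,
    unlike an 'unverified' context. With no bundle it falls back to the
    platform default store, i.e. the behaviour in the question.
    """
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH,
                                      cafile=cafile, capath=capath)


def is_verifying(ctx):
    """True when the context requires a valid chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect(host, cafile=None):
    """Open an HTTPS connection with a verifying context.

    host is a placeholder (e.g. the PAYPAL_LIVE_HOST from the question);
    cafile is an optional PEM bundle path, e.g. one shipped with the app.
    """
    ctx = build_verified_context(cafile=cafile)
    if not is_verifying(ctx):
        raise RuntimeError("refusing to connect with a non-verifying context")
    return httplib.HTTPSConnection(host, context=ctx)


if __name__ == "__main__":
    for store, status in sorted(probe_windows_stores().items()):
        print("%s store: %s" % (store, status))
```

Build the context once at import time rather than per request, so the store (or bundle) is read once. If the probe shows an "Access is denied" error only when run inside the worker, the account the pool runs as is the variable to change, which is what the accepted answer's switch to NetworkService does; supplying a bundle file is the way to keep verification on without depending on that account's access to the store.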