[Build Failure] Windows PyOpenSSL certificate load failure

    • Type: Build Failure
    • Resolution: Fixed
    • Priority: Unknown
    • 4.17.0
    • Affects Version/s: None
    • Component/s: Tests, TLS/SSL
    • None
    • Python Drivers
    • Not Needed

      Name of Failure:

      FAILURE: cryptography.utils.CryptographyDeprecationWarning: Parsed a serial number which wasn't positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography

      Link to task:

      https://spruce.mongodb.com/task/mongo_python_driver_pyopenssl_win64_test_standard_rapid_python3.11_sync_noauth_nossl_standalone_db6dad95beae6ad2b9b8b60b00d37a67810b743e_26_01_26_12_51_26/tests?execution=1&sorts=STATUS%3AASC

      Context of when and why the failure occurred:

      Introduced by the move to Windows 2022 in PYTHON-5697. System certs on Windows with PyOpenSSL are best-effort, so we should suppress this warning. We will have to handle whatever error cryptography ends up raising for this condition when they decide to do so.

      Stack trace:

      [2026/01/26 12:26:40.801] FAILURE: cryptography.utils.CryptographyDeprecationWarning: Parsed a serial number which wasn't positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography. ()
      [2026/01/26 12:26:40.801] self = <test.test_srv_polling.TestSrvPolling testMethod=test_srv_waits_to_poll>
      [2026/01/26 12:26:40.801]     def test_srv_waits_to_poll(self):
      [2026/01/26 12:26:40.801]         modified = [("localhost.test.build.10gen.cc", 27019)]
      [2026/01/26 12:26:40.801]     
      [2026/01/26 12:26:40.801]         def resolver_response():
      [2026/01/26 12:26:40.801]             return modified
      [2026/01/26 12:26:40.801]     
      [2026/01/26 12:26:40.801]         with SrvPollingKnobs(
      [2026/01/26 12:26:40.801]             ttl_time=WAIT_TIME,
      [2026/01/26 12:26:40.801]             min_srv_rescan_interval=WAIT_TIME,
      [2026/01/26 12:26:40.801]             nodelist_callback=resolver_response,
      [2026/01/26 12:26:40.801]         ):
      [2026/01/26 12:26:40.801] >           client = self.simple_client(self.CONNECTION_STRING)
      [2026/01/26 12:26:40.801]                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      [2026/01/26 12:26:40.801] test\test_srv_polling.py:374: 
      [2026/01/26 12:26:40.801] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
      [2026/01/26 12:26:40.801] test\__init__.py:1119: in simple_client
      [2026/01/26 12:26:40.801]     client = MongoClient(h, p, **kwargs)
      [2026/01/26 12:26:40.801]              ^^^^^^^^^^^^^^^^^^^^^^^^^^^
      [2026/01/26 12:26:40.801] pymongo\synchronous\mongo_client.py:891: in __init__
      [2026/01/26 12:26:40.801]     self._get_topology()  # type: ignore[unused-coroutine]
      [2026/01/26 12:26:40.801]     ^^^^^^^^^^^^^^^^^^^^
      [2026/01/26 12:26:40.801] pymongo\synchronous\mongo_client.py:1758: in _get_topology
      [2026/01/26 12:26:40.801]     self._resolve_srv()
      [2026/01/26 12:26:40.801] pymongo\synchronous\mongo_client.py:956: in _resolve_srv
      [2026/01/26 12:26:40.801]     self._options = ClientOptions(
      [2026/01/26 12:26:40.801] pymongo\client_options.py:222: in __init__
      [2026/01/26 12:26:40.801]     self.__pool_options = _parse_pool_options(username, password, database, options, is_sync)
      [2026/01/26 12:26:40.801]                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      [2026/01/26 12:26:40.801] pymongo\client_options.py:173: in _parse_pool_options
      [2026/01/26 12:26:40.801]     ssl_context, tls_allow_invalid_hostnames = _parse_ssl_options(options, is_sync)
      [2026/01/26 12:26:40.801]                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      [2026/01/26 12:26:40.801] pymongo\client_options.py:135: in _parse_ssl_options
      [2026/01/26 12:26:40.801]     ctx = get_ssl_context(
      [2026/01/26 12:26:40.801] pymongo\ssl_support.py:129: in get_ssl_context
      [2026/01/26 12:26:40.801]     ctx.load_default_certs()
      [2026/01/26 12:26:40.801] pymongo\pyopenssl_context.py:359: in load_default_certs
      [2026/01/26 12:26:40.801]     self._load_wincerts(storename)
      [2026/01/26 12:26:40.801] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
      [2026/01/26 12:26:40.801] self = <pymongo.pyopenssl_context.SSLContext object at 0x00000223236683C0>
      [2026/01/26 12:26:40.801] store = 'ROOT'
      [2026/01/26 12:26:40.801]     def _load_wincerts(self, store: str) -> None:
      [2026/01/26 12:26:40.801]         """Attempt to load CA certs from Windows trust store."""
      [2026/01/26 12:26:40.801]         cert_store = self._ctx.get_cert_store()
      [2026/01/26 12:26:40.801]         assert cert_store is not None
      [2026/01/26 12:26:40.801]         oid = _stdlibssl.Purpose.SERVER_AUTH.oid
      [2026/01/26 12:26:40.801]     
      [2026/01/26 12:26:40.801]         for cert, encoding, trust in _stdlibssl.enum_certificates(store):  # type: ignore
      [2026/01/26 12:26:40.801]             if encoding == "x509_asn":
      [2026/01/26 12:26:40.801]                 if trust is True or oid in trust:
      [2026/01/26 12:26:40.801]                     cert_store.add_cert(
      [2026/01/26 12:26:40.801] >                       _crypto.X509.from_cryptography(x509.load_der_x509_certificate(cert))
      [2026/01/26 12:26:40.801]                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      [2026/01/26 12:26:40.801]                     )
      [2026/01/26 12:26:40.801] E                   cryptography.utils.CryptographyDeprecationWarning: Parsed a serial number which wasn't positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography.
      [2026/01/26 12:26:40.801] pymongo\pyopenssl_context.py:348: CryptographyDeprecationWarning
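Added example, not part of the ticket or of the PyMongo code base: a standard-library check that reads the serialNumber field of each DER certificate and reports the entries whose serial is zero or negative, which is the condition the warning above names, so the offending store entry can be identified. The function names and the `SAMPLES` byte strings are constructed for illustration and contain only the leading certificate fields.

```python
def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def cert_serial(der):
    """Return the signed serialNumber of a DER-encoded X.509 certificate."""
    pos = 0
    for _ in range(2):  # Certificate SEQUENCE, then TBSCertificate SEQUENCE
        tag, pos, _end = _read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("expected a DER SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:  # optional [0] EXPLICIT version precedes the serial
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02 or start == end:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)


def flag_bad_serials(certs):
    """Return (label, problem) for serials <= 0 and for unparsable entries."""
    flagged = []
    for label, der in certs:
        try:
            serial = cert_serial(der)
        except (ValueError, IndexError) as exc:
            serial = f"unparsable: {exc}"
        if isinstance(serial, str) or serial <= 0:
            flagged.append((label, serial))
    return flagged


def _sample(serial_bytes):
    """Constructed input: only the leading certificate fields, not a real cert."""
    tbs = bytes([0xA0, 3, 2, 1, 2, 0x02, len(serial_bytes)]) + serial_bytes
    return bytes([0x30, len(tbs) + 2, 0x30, len(tbs)]) + tbs


SAMPLES = [("positive", _sample(b"\x01")), ("zero", _sample(b"\x00")),
           ("negative", _sample(b"\xff\x10")), ("padded", _sample(b"\x00\x80"))]
```

On Windows, the input can be the `x509_asn` entries returned by `ssl.enum_certificates("ROOT")`, the same call the traceback shows inside `_load_wincerts`.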
      

            Assignee:
            Steve Silvester
            Reporter:
            Steve Silvester