This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 46%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
I'm working through the MS python tutorial on building a python app using the Graph api. However, when trying to retrieve a client token, I get an error stating the certificate for "login.microsoftonline.com" has expired? The exact error is:
ClientSecretCredential.get_token failed: Cannot connect to host login.microsoftonline.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:997)')]
import asyncio
import configparser
from azure.identity.aio import ClientSecretCredential
# get credentials from config file
config = configparser.ConfigParser()
config.read(["config.cfg"])
settings = config["azure"]
# functions to get & display token
async def get_app_only_token(credentials):
graph_scope = "https://graph.microsoft.com/.default"
access_token = await credentials.get_token(graph_scope)
return access_token.token
# main function
async def main(conf):
client_id = conf["clientId"]
tenant_id = conf["tenantId"]
client_secret = conf["clientSecret"]
client_credential = ClientSecretCredential(tenant_id, client_id, client_secret)
client_token = await get_app_only_token(client_credential)
print("App-only token:", client_token, "\n")
# run it
asyncio.run(main(settings))
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 24%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
when did you register the app in the azure portal?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 9%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
I'm having the same issue, but creating a new Secret did not resolve the issue? Any other suggestions? Working through this tutorial: https://learn.microsoft.com/en-us/graph/tutorials/python-app-only?tabs=aad&tutorial-step=3
Your application's client secret has expired. You can create a new secret from the location where you created the Azure app registration. Go to the 'Certificates & Secrets' section, then create a new secret and update the application accordingly.
I hope this helps. If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Hi awjekoon, thank you for trying to help. However, I was able to confirm that the issue is not related to the app registration; it is a problem with the SSL certificate chain used by msal library. For now, I'm working around it as follows:
# connect to MS365 Graph API (get access token headers)
with warnings.catch_warnings():
warnings.simplefilter("ignore")
application = ConfidentialClientApplication(
client_id=CONF["azure"]["client_id"],
client_credential=CONF["azure"]["client_secret"],
authority=f"https://login.microsoftonline.com/{CONF['azure']['tenant_id']}",
verify=False,
)
SCOPE = "https://graph.microsoft.com/.default"
result = application.acquire_token_for_client(scopes=[SCOPE])
access_token = result["access_token"]
headers = {
"Authorization": "Bearer " + access_token,
"Accept": "application/json",
"Content-Type": "application/json",
}
# Because of the SSL issue, we cannot use the MS Graph SDK for queries
# Construct direct URL API queries instead, and secure with certifi
# https://urllib3.readthedocs.io/en/1.26.x/user-guide.html#ssl
# use http.request() to make API calls
http = urllib3.PoolManager(cert_reqs="CERT_REQUIRED", ca_certs=certifi.where())
This still uses a secure connection to get the access token, but doesn't attempt to verify the certificate chain. Afterwards, I manually construct the API query (url) and execute it using the http pool, which does succeed with full SSL protection using the certificate chain from certifi. A bit tedious, but it works.
(double post - deleted)