Rapid7 HTTP Basic Authentication

An HTTP Authentication Attempt for API Access to InsightVM gives error.

username = "USER"
password = "PASSWORD"
debug = {'verbose': sys.stderr}
response  = requests.get(url, headers = header)

gives out

HTTPSConnectionPool(host='HOST', port=3780): Max retries exceeded with url: /api/3 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

If i disable verification in request , the Error Turns into

Could not find a suitable TLS CA certificate bundle, invalid path: b'I00\n'

I cant find a good documentation in Rapid7 for authenticating, It just says use basic authentication.

Any Advise on this please ?

Are you using an internal CA for your cert? It looks like you need to install the cert chain on the box you are running the script. But I can confirm that a Base64 encoded Basic auth header works.

1 Like

Here is an example for getting all of the sites below. I would suggest using something like Postman to help work through the API. The snippet you have above doesn’t look to be the full code though so I can’t fully understand what may have went wrong.

Our API documentation for the Authentication portion says it needs basic auth of the base64 encoded form of “username:password”

You can use CLI or online converters to convert literally the phrase “username:password” to base64 and then attach it in as shown in my script. Postman and other tools usually do this step for you.

Also keep in mind that my script is also disabling the SSL verification. As @brandon_mcclure mentioned, you can install the cert chain on the box you’re running the script from so that you don’t need to bypass the security warnings.


import requests
import urllib3

console_url = "Console IP:3780"
base64_cred = "Base 64 of credentials"

url = "https://"+console_url+"/api/3/sites"

headers = {
  'Accept': 'application/json;charset=UTF-8',
  'Authorization': 'Basic '+base64_cred

response = requests.request("GET", url, headers=headers, data=payload, verify=False)


Thanks @john_hartman , I see what I have been doing wrong. base64 encoding was the issue.

All Set now. Thanks !!!

Yes, Base64 worked. I overlooked that … , Thanks @brandon_mcclure

Thank you for sharing this script @john_hartman.

In case you don’t want to deal with b64, the package requests can do that for you, passing the parameter auth:

req = requests.get(url, data=data, auth=(username, password))