那些遇到过的问题

openssl,python请求错误:"证书验证失败"

cha*_*dgh 21 python openssl python-requests

如果我从开发框中运行以下命令:

$ openssl s_client -connect github.com:443
Run Code Online (Sandbox Code Playgroud)

我得到以下最后一行输出:

Verify return code: 20 (unable to get local issuer certificate)
Run Code Online (Sandbox Code Playgroud)

如果我尝试使用请求执行此操作,则会收到另一个失败请求:

>>> import requests
>>> r = requests.get('https://github.com/', verify=True)
Run Code Online (Sandbox Code Playgroud)

提出异常:

SSLError: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Run Code Online (Sandbox Code Playgroud)

我还可以使用verify标志运行第一个命令并获得类似的输出:

$ openssl s_client -connect github.com:443 -verify 9
...
Verify return code: 27 (certificate not trusted)
Run Code Online (Sandbox Code Playgroud)

基本上这告诉我证书有问题.我可以使用这两种方法指定一个特定的证书,它将起作用:

$ openssl s_client -connect github.com:443 -CAfile /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -verify 9
...
Verify return code: 0 (ok)
Run Code Online (Sandbox Code Playgroud)

和:

>>> r = requests.get('https://github.com/', verify='/etc/ssl/certs/DigiCert...pem')
<Response [200]>
Run Code Online (Sandbox Code Playgroud)

那么,就我的问题而言,这究竟是什么问题?请求/ openssl不应该知道在哪里可以找到有效的证书吗?

其他信息:

  • Python的== 2.7.6
  • 请求== 2.2.1
  • openssl 0.9.8h

另外,我知道传递verify=False给该requests.get方法也会起作用,但我确实想验证.

编辑

我已经确认,正如@Heikki Toivonen在答案中指出的那样,为我正在运行的openssl版本指定-CAfile标志.

$ openssl s_client -connect github.com:443 -CAfile `python -c 'import requests; print(requests.certs.where())'`
...
Verify return code: 0 (ok)
Run Code Online (Sandbox Code Playgroud)

所以我正在运行的openssl版本没有任何问题,并且请求提供的默认cacert.pem文件没有任何问题.

既然我知道openssl意味着以这种方式工作,那么必须指定CA文件或查找证书的地方,我更关心的是获取请求.

如果我跑:

>>> r = requests.get('https://github.com/', verify='path to cacert.pem file')
Run Code Online (Sandbox Code Playgroud)

我仍然得到和以前一样的错误.我甚至尝试从http://curl.haxx.se/ca下载cacert.pem文件,但它仍然无效.如果我指定特定的供应商证书文件,请求似乎只在这个特定的机器上工作.

旁注:在我的本地机器上,一切都按预期工作.但是这两台机器之间有几点不同.到目前为止,我还无法确定导致此问题的具体差异.

jww*_*jww 18

如果我从开发框中运行以下命令:

$ openssl s_client -connect github.com:443
Run Code Online (Sandbox Code Playgroud)

我得到以下最后一行输出:

Verify return code: 20 (unable to get local issuer certificate)
Run Code Online (Sandbox Code Playgroud)

你缺少DigiCert High Assurance EV CA-1信任的根源:

$ openssl s_client -connect github.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
...
Start Time: 1393392088
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Run Code Online (Sandbox Code Playgroud)

DigiCert High Assurance EV CA-1DigiCert Trusted Root Authority证书下载:

$ wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
--2014-02-26 00:27:50--  https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
Resolving www.digicert.com (www.digicert.com)... 64.78.193.234
...
Run Code Online (Sandbox Code Playgroud)

将DER编码的证书转换为PEM:

$ openssl x509 -in DigiCertHighAssuranceEVCA-1.crt -inform DER -out DigiCertHighAssuranceEVCA-1.pem -outform PEM
Run Code Online (Sandbox Code Playgroud)

然后,通过以下方法将它与OpenSSL一起使用-CAfile:

$ openssl s_client -CAfile DigiCertHighAssuranceEVCA-1.pem -connect github.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 5157550, street = 548 4th Street, postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHOjCCBiKgAwIBAgIQBH++LkveAITSyvjj7P5wWDANBgkqhkiG9w0BAQUFADBp
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBDQS0xMB4XDTEzMDYxMDAwMDAwMFoXDTE1MDkwMjEyMDAwMFowgfAxHTAb
BgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYBBAGCNzwCAQMTAlVT
MRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQFEwc1MTU3NTUwMRcw
FQYDVQQJEw41NDggNHRoIFN0cmVldDEOMAwGA1UEERMFOTQxMDcxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt04nDXXByCfMzTxpydNm2WpVQ
u2hhn/f7Hxnh2gQxrxV8Gn/5c68d5UMrVgkARWlK6MRb38J3UlEZW9Er2TllNqAy
GRxBc/sysj2fmOyCWws3ZDkstxCDcs3w6iRL+tmULsOFFTmpOvaI2vQniaaVT4Si
N058JXg6yYNtAheVeH1HqFWD7hPIGRqzPPFf/jsC4YX7EWarCV2fTEPwxyReKXIo
ztR1aE8kcimuOSj8341PTYNzdAxvEZun3WLe/+LrF+b/DL/ALTE71lmi8t2HSkh7
bTMRFE00nzI49sgZnfG2PcVG71ELisYz7UhhxB0XG718tmfpOc+lUoAK9OrNAgMB
AAGjggNUMIIDUDAfBgNVHSMEGDAWgBRMWMsl8EFPUvQoyIFDm6aooOaS5TAdBgNV
HQ4EFgQUh9GPGW7kh29TjHeRB1Dfo79VRyAwJQYDVR0RBB4wHIIKZ2l0aHViLmNv
bYIOd3d3LmdpdGh1Yi5jb20wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBjBgNVHR8EXDBaMCugKaAnhiVodHRwOi8vY3JsMy5k
aWdpY2VydC5jb20vZXZjYTEtZzIuY3JsMCugKaAnhiVodHRwOi8vY3JsNC5kaWdp
Y2VydC5jb20vZXZjYTEtZzIuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgB
hv1sAgEwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9z
c2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4A
eQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQA
ZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUA
IABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAA
YQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcA
cgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIA
aQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQA
ZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMH0G
CCsGAQUFBwEBBHEwbzAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
Y29tMEcGCCsGAQUFBzAChjtodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln
aUNlcnRIaWdoQXNzdXJhbmNlRVZDQS0xLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqG
SIb3DQEBBQUAA4IBAQBfFW1nwzrVo94WnEUzJtU9yRZ0NMqHSBsUkG31q0eGufW4
4wFFZWjuqRJ1n3Ym7xF8fTjP3fdKGQnxIHKSsE0nuuh/XbQX5DpBJknHdGFoLwY8
xZ9JPI57vgvzLo8+fwHyZp3Vm/o5IYLEQViSo+nlOSUQ8YAVqu6KcsP/e612UiqS
+UMBmgdx9KPDDzZy4MJZC2hbfUoXj9A54mJN8cuEOPyw3c3yKOcq/h48KzVguQXi
SdJbwfqNIbQ9oJM+YzDjzS62+TCtNSNWzWbwABZCmuQxK0oEOSbTmbhxUF7rND3/
+mx9u8cY//7uAxLWYS5gIZlCbxcf0lkiKSHJB319
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
---
No client certificate CA names sent
---
SSL handshake has read 4139 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 59D2883BBCE8E81E63E5551FAE7D1ACC00C49A9473C1618237BBBB0DD9016B8D
    Session-ID-ctx: 
    Master-Key: B6D2763FF29E77C67AD83296946A4D44CDBA4F37ED6F20BC27602F1B1A2D137FACDEAC862C11279C01095594F9776F79
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1393392673
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Run Code Online (Sandbox Code Playgroud)

请求/ openssl不应该知道在哪里可以找到有效的证书吗?

不,OpenSSL默认不信任任何内容.它与浏览器的模型极为相反,默认情况下几乎所有东西都是可信任的.

 $ openssl s_client -connect github.com:443 -CAfile `python -c 'import requests; print(requests.certs.where())'`
 ...
 >>> r = requests.get('https://github.com/', verify='path to cacert.pem file')
Run Code Online (Sandbox Code Playgroud)

cacert.pem当您知道证明该站点公钥的CA时,为什么要信任数百个CA和从属CA(re :)?相信一个必需的根,而不是更多:DigiCert High Assurance EV CA-1.

信任一切 - 就像浏览器的模型一样 - 允许Comodo Hacker在Diginotar root被盗用时欺骗Gmail,Hotmail,Yahoo等证书.

ecs*_*eon 7

从请求2.4.0开始,作者建议使用certifi,它是根证书的集合.它有一个python包:

pip install certifi
Run Code Online (Sandbox Code Playgroud)

  • 澄清一下:对于 requests 2.4.0 及更高版本,如果安装了 certifi,requests 将自动使用它。您需要做的就是运行该 pip 命令并可能重新启动您的代码。 (2认同)

归档时间:

查看次数:

41776 次

最近记录:

10 年,2 月 前
相关归档
建议使用哪种Python内存分析器? 657
在python中将float转换为整数的最安全方法? 192
Python中的字符串到字典 106
为什么全球翻译锁定? 86
在Cygwin上安装Pip-3.2 83
为什么variable1 + = variable2比variable1 = variable1 + variable2快得多? 52
为什么数据库行元组中的整数后缀为'L'? 46
在工作进程启动之前将数据放入输入队列时,工作进程在requests.get()上崩溃 5
SSL3_READ_BYTES:tlsv1 警报内部错误、安全套接字、OpenSSL、C++、获取 HTTPS 页面 4
生成ssl证书时出错 2
难疑归档
可以在JSON中使用注释吗? 7104
Python有三元条件运算符吗? 5591
URI,URL和URN有什么区别? 4217
如何将空目录添加到Git存储库? 4039
HashMap和Hashtable之间的区别? 3604
如何退出Vim编辑器? 3558
如何生成随机字母数字字符串? 1679
JavaScript发布请求,如表单提交 1465
无法绑定到'ngModel',因为它不是'input'的已知属性 1173
Pythonic方式创建一个长多行字符串 1160