Brew 3.6.1的Brew安装:[SSL:CERTIFICATE_VERIFY_FAILED]证书验证失败

Question

我安装了python 3.6

brew install python3

并尝试six.moves.urllib.request.urlretrieve从https 下载文件,但它会引发错误

ssl.SSLError:[SSL:CERTIFICATE_VERIFY_FAILED]证书验证失败(_ssl.c:749)

在Python安装(从.pkg)的,自述指示一个需要运行Install Certificates.command在安装后到

1. 安装 certifi
2. 符号链接路径的证书certify路径

能够使用证书.

但是,在brew安装中,此文件不存在,似乎不会运行.

Answer 1

看来,由于某种原因,Brew还没有运行Install Certificates.commandMac3的Python3包中的那个.此问题的解决方案是在以下脚本Install Certificates.command之后运行以下脚本(从中复制)brew install python3:

# install_certifi.py
#
# sample script to install or update a set of default Root Certificates
# for the ssl module.  Uses the certificates provided by the certifi package:
#       https://pypi.python.org/pypi/certifi

import os
import os.path
import ssl
import stat
import subprocess
import sys

STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
             | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
             | stat.S_IROTH |                stat.S_IXOTH )


def main():
    openssl_dir, openssl_cafile = os.path.split(
        ssl.get_default_verify_paths().openssl_cafile)

    print(" -- pip install --upgrade certifi")
    subprocess.check_call([sys.executable,
        "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"])

    import certifi

    # change working directory to the default SSL directory
    os.chdir(openssl_dir)
    relpath_to_certifi_cafile = os.path.relpath(certifi.where())
    print(" -- removing any existing file or link")
    try:
        os.remove(openssl_cafile)
    except FileNotFoundError:
        pass
    print(" -- creating symlink to certifi certificate bundle")
    os.symlink(relpath_to_certifi_cafile, openssl_cafile)
    print(" -- setting permissions")
    os.chmod(openssl_cafile, STAT_0o775)
    print(" -- update complete")

if __name__ == '__main__':
    main()

Answer 2

• 找出默认的cafile：

python -c 'import ssl; print(ssl.get_default_verify_paths().openssl_cafile)'

/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.7/etc/ssl/cert.pem

sudo mkdir -p /Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.7/etc/ssl/certs

• 找出ca文件 certifi

python -c 'import certifi; print(certifi.where())'

'/usr/local/lib/python3.7/site-packages/certifi/cacert.pem'

• 复制到

sudo cp /usr/local/lib/python3.7/site-packages/certifi/cacert.pem
/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.7/etc/ssl/certs/cert.pem

Answer 3

我的Mac OS X解决方案：

1）使用从官方Python语言网站https://www.python.org/downloads/下载的本机应用程序Python安装程序升级到Python 3.6.5。

我发现该安装程序比新版自制程序更好地为新Python更新了链接和符号链接。

2）使用刷新的Python 3.6目录中的“ ./Install Certificates.command”安装新证书

cd“ / Applications / Python 3.6 /” sudo“ ./Install Certificates.command”

Answer 4

暂时，以下将禁用 ssl 检查，

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

Answer 5

如果你需要让你的本地根证书（例如）被python信任，你可以将它添加到文件local_RootCA.crt末尾：certifi/cacert.pem

cat local_RootCA.crt >> `python -c 'import certifi; print(certifi.where())'`

该解决方案也适用于 macos brew python 3 安装。