Python(pip)抛出[SSL:CERTIFICATE_VERIFY_FAILED],即使证书链已更新

2024-09-28 21:04:11 发布

您现在位置:Python中文网/ 问答频道 /正文
967 3

这是previous SO post的后续。

我使用的是Windows/cygwin,我需要python来理解一个定制的CA证书,因为网络基础设施用它自己的证书来重设所有SSL请求。

如果尝试运行pip search SimpleHTTPServer,将收到以下错误消息:

...
  File "c:\users\erbe\appdata\local\programs\python\python35-32\lib\ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

我已尝试通过执行以下操作将证书添加到受信任证书列表中:

  1. 将my.pem文件复制到/etc/pki/ca trust/source/anchors
  2. update-ca-trust extract

我已经验证了这一点,因为我现在可以指向生成的PEM文件并成功运行pip:pip --cert /usr/local/ssl/cert.pem search SimpleHTTPServer

$ pip --cert tls-ca-bundle.pem search SimpleHTTPServer
ComplexHTTPServer (0.1)      - A Multithreaded Python SimpleHTTPServer
SimpleTornadoServer (1.0)    - better SimpleHTTPServer using tornado
rangehttpserver (1.2.0)      - SimpleHTTPServer with support for Range requests

但是,我希望这样做,而不必每次都手动指定证书。我希望更新python使用的证书链:

$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/ssl/certs')

我已经通过一系列符号链接验证了/usr/local/ssl/cert.pem指向同一个文件。但是,如果我执行pip,仍然会收到[SSL: CERTIFICATE_VERIFY_FAILED]错误消息。

我卸载了Windows版本的python,并重新安装了Cygwin版本的python。带着它,我跑easy_install-2.7 pip。现在,至少我可以使用完整的证书路径执行pip,而不会出现错误消息:

$ pip --cert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem search simpleHttpServer
LittleHTTPServer (0.5.0)     - Little bit extended SimpleHTTPServer
SimpleHTTP404Server (0.2.0)  - A Python SimpleHTTPServer, but serves 404.html if a page is not found.
django-localsrv (0.1.2)      - Django app for serving static content from different sources (files, strings, urls, etc.) at custom paths,

为了安全起见,我还尝试更新SSL证书目录varaible以指向/etc/pki/ca trust extracted/pem,并将SSL证书文件设置为/etc/pki/ca trust extracted/pem/tls-ca-bundle.pem,但这些都不起作用:

$ set | grep SSL
SSL_CERT_DIR=/etc/pki/ca-trust/extracted/pem
SSL_CERT_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', capath='/etc/pki/ca-trust/extracted/pem', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/ssl/certs')


$ pip search simpleHttpServer
Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  ...
  ...
  File "/usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

我做错什么了?这是cygwin vs Windows的问题吗?我需要更新哪些PEM文件?


Tags: pipsslcertusretcpemca证书
0条回答

目前没有回答

相关问题 更多 >

    编程相关推荐