<h2>Self-signed certificate authorities for <code>pip</code>/<code>conda</code></h2>
<p>After extensively documenting a similar problem for Git (<a href="https://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate/41253757#41253757">How can I make git accept a self signed certificate?</a>), here we are again behind a corporate firewall, with a proxy giving us a <em>MitM "attack"</em> that we are supposed to trust, and:</p>
<blockquote>
<p><strong>NEVER disable all SSL verification!</strong></p>
<p>This creates a bad security culture. Don't be that person.</p>
</blockquote>
<h2>tl;dr</h2>
<pre class="lang-sh prettyprint-override"><code>pip config set global.cert path/to/ca-bundle.crt
pip config list
conda config --set ssl_verify path/to/ca-bundle.crt
conda config --show ssl_verify
# Bonus while we are here...
git config --global http.sslVerify true
git config --global http.sslCAInfo path/to/ca-bundle.crt
</code></pre>
<p>But where do we get <code>ca-bundle.crt</code> from?</p>
<hr/>
<h2>Get the latest CA bundle</h2>
<p>cURL publishes an extract of the Certificate Authorities bundled with Mozilla Firefox.</p>
<p><a href="https://curl.haxx.se/docs/caextract.html" rel="nofollow noreferrer">https://curl.haxx.se/docs/caextract.html</a></p>
<ul>
<li><a href="https://curl.haxx.se/ca/cacert.pem" rel="nofollow noreferrer">Direct Download</a></li>
<li><a href="https://curl.haxx.se/ca/cacert.pem.sha256" rel="nofollow noreferrer">SHA256</a></li>
</ul>
<p>I recommend opening this <code>cacert.pem</code> file in a text editor, since we will need to add our self-signed CA to this file.</p>
<p>Certificates are X.509-compliant documents, but they can be encoded to disk in several ways. The article below is a good read, but the short version is that we are dealing with a base64 encoding, usually called PEM in file extensions. You will see it has the format:</p>
<pre><code>-----BEGIN CERTIFICATE-----
....
base64 encoded binary data
....
-----END CERTIFICATE-----
</code></pre>
<p><a href="https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them" rel="nofollow noreferrer">https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them</a></p>
<hr/>
<h2>Get our self-signed certificate</h2>
<p>Here are some options for how to get our self-signed certificate:</p>
<ul>
<li>Via the OpenSSL CLI</li>
<li>Via the browser</li>
<li>Via a Python script</li>
</ul>
<h2>Get our self-signed certificate via the OpenSSL CLI</h2>
<p><a href="https://unix.stackexchange.com/questions/451207/how-to-trust-self-signed-certificate-in-curl-command-line/468360#468360">https://unix.stackexchange.com/questions/451207/how-to-trust-self-signed-certificate-in-curl-command-line/468360#468360</a></p>
<pre class="lang-sh prettyprint-override"><code>echo quit | openssl s_client -showcerts -servername "curl.haxx.se" -connect curl.haxx.se:443 > cacert.pem
</code></pre>
<h2>Get our self-signed certificate authority via the browser</h2>
<ul>
<li>Get your CA: <a href="https://stackoverflow.com/a/50486128/622276">https://stackoverflow.com/a/50486128/622276</a>
<ul>
<li><a href="http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/" rel="nofollow noreferrer">http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/</a></li>
</ul></li>
</ul>
<p>Thanks to this answer and the linked blog, which show (on Windows) the steps to view the certificate and then copy it to a file using the base64 PEM encoding option.</p>
<p>Copy the contents of the exported file and paste it at the end of the <code>cacerts.pem</code> file.</p>
<p>For consistency, rename this file <code>cacerts.pem</code> --&gt; <code>ca-bundle.crt</code> and place it in the following location:</p>
<pre class="lang-sh prettyprint-override"><code># Windows
%USERPROFILE%\certs\ca-bundle.crt
# or *nix
$HOME/certs/ca-bundle.crt
</code></pre>
<h2>Get our self-signed certificate authority via Python</h2>
<p>Thanks to all the great answers in:</p>
<p><a href="https://stackoverflow.com/questions/16903528/how-to-get-response-ssl-certificate-from-requests-in-python">How to get response SSL certificate from requests in python?</a></p>
<p>I put the following together to try to go one step further.</p>
<p><a href="https://github.com/neozenith/get-ca-py" rel="nofollow noreferrer">https://github.com/neozenith/get-ca-py</a></p>
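<p>As an added example (my own, not the get-ca-py script and not code from the answer): the pieces a Python approach needs, plus the cleanup the OpenSSL one-liner above skips, since raw <code>-showcerts</code> output carries handshake chatter that should not land in the bundle. It checks a downloaded <code>cacert.pem</code> against the published <code>.sha256</code> line, pulls the PEM blocks out of <code>s_client</code> output, and appends only certificates whose fingerprint is not already in the bundle. The sample <code>s_client</code> text and its certificate bodies are constructed placeholders, and <code>fetch_leaf_cert</code> is a live helper that is not exercised offline.</p>

```python
import hashlib
import re
import ssl

# One PEM block; re.S lets '.' span the wrapped base64 lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def extract_pem_certs(text: str) -> list[str]:
    """All PEM certificate blocks in text such as raw `openssl s_client -showcerts` output."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]

def fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes, so one cert matches regardless of line wrapping."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def bundle_matches_published_hash(bundle: bytes, sha256_file_text: str) -> bool:
    """cacert.pem.sha256 reads '<hex digest>  cacert.pem'; check the download against it."""
    return sha256_file_text.split()[0].lower() == sha256_hex(bundle)

def merge_into_bundle(bundle_text: str, new_certs: list[str]) -> tuple[str, int]:
    """Append certs not already in the bundle (by fingerprint); return (text, count added). OpenSSL-based readers ignore text outside BEGIN/END lines, so a label line is safe."""
    known = {fingerprint(c) for c in extract_pem_certs(bundle_text)}
    out, added = bundle_text.rstrip("\n") + "\n", 0
    for cert in new_certs:
        fp = fingerprint(cert)
        if fp in known:
            continue
        known.add(fp)
        out += f"\n# added, SHA256 fingerprint {fp}\n{cert}\n"
        added += 1
    return out, added

def fetch_leaf_cert(host: str, port: int = 443) -> str:
    """Live helper (not run offline): PEM of the leaf cert the endpoint presents; the proxy CA itself still comes from `-showcerts` output or the browser export."""
    return ssl.get_server_certificate((host, port))

# Constructed sample standing in for `-showcerts` output; the base64 bodies are placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
 0 s:CN = pypi.org
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
 1 s:CN = Example Corp Proxy CA
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJC
-----END CERTIFICATE-----
"""
```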
<hr/>
<h2>Finally</h2>
<p>Set the configuration in pip and conda so they know where this CA store, with our extra self-signed CA in it, is located.</p>
<pre class="lang-sh prettyprint-override"><code>pip config set global.cert %USERPROFILE%\certs\ca-bundle.crt
conda config --set ssl_verify %USERPROFILE%\certs\ca-bundle.crt
</code></pre>
<p>or</p>
<pre class="lang-sh prettyprint-override"><code>pip config set global.cert $HOME/certs/ca-bundle.crt
conda config --set ssl_verify $HOME/certs/ca-bundle.crt
</code></pre>
<p>then</p>
<pre class="lang-sh prettyprint-override"><code>pip config list
conda config --show ssl_verify
# Hot tip: use -v to show where your pip config file is...
pip config list -v
# Example output for macOS and homebrew installed python
For variant 'global', will try loading '/Library/Application Support/pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.config/pip/pip.conf'
For variant 'site', will try loading '/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/pip.conf'
</code></pre>
<h3>References</h3>
<ul>
<li>Pip SSL: <a href="https://pip.pypa.io/en/stable/user_guide/#configuration" rel="nofollow noreferrer">https://pip.pypa.io/en/stable/user_guide/#configuration</a></li>
<li>Conda SSL: <a href="https://stackoverflow.com/a/35804869/622276">https://stackoverflow.com/a/35804869/622276</a></li>
<li>Get your CA: <a href="https://stackoverflow.com/a/50486128/622276">https://stackoverflow.com/a/50486128/622276</a>
<ul>
<li><a href="http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/" rel="nofollow noreferrer">http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/</a></li>
</ul></li>
<li>Get the peer CA automatically with Python: <a href="https://stackoverflow.com/questions/16903528/how-to-get-response-ssl-certificate-from-requests-in-python">How to get response SSL certificate from requests in python?</a></li>
</ul>