如何将自定义CA根证书添加到Windows中pip使用的CA存储？问题的回答

如何将自定义CA根证书添加到Windows中pip使用的CA存储？

回答此问题可获得 20 贡献值，回答如果被采纳可获得 50 分。

0 条评论
分类：Python问答

默认排序时间排序

1 个回答

匿名 1天前

　擅长：python、mysql、java

<h2>自签名证书颁发机构<code>pip</code>/<code>conda</code></h2> <p>在广泛记录了Git（<a href="https://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate/41253757#41253757">How can I make git accept a self signed certificate?</a>）的一个类似问题之后，我们又在一个公司防火墙后面，一个代理给了我们一个我们应该信任的<em>MitM“攻击”</em>，并且：</p> <blockquote> <p><strong>NEVER disable all SSL verification!</strong></p> <p>This creates a bad security culture. Don't be that person.</p> </blockquote> <h2>tl；博士</h2> <pre class="lang-sh prettyprint-override"><code>pip config set global.cert path/to/ca-bundle.crt pip config list conda config --set ssl_verify path/to/ca-bundle.crt conda config --show ssl_verify # Bonus while we are here... git config --global http.sslVerify true git config --global http.sslCAInfo path/to/ca-bundle.crt </code></pre> <p>但是我们从哪里得到<code>ca-bundle.crt</code>？</p> <hr/> <h2>获取最新的CA包</h2> <p>cURL发布了与Mozilla Firefox捆绑在一起的证书颁发机构的摘录</p> <p><a href="https://curl.haxx.se/docs/caextract.html" rel="nofollow noreferrer">https://curl.haxx.se/docs/caextract.html</a></p> <ul> <li><a href="https://curl.haxx.se/ca/cacert.pem" rel="nofollow noreferrer">Direct Download</a></li> <li><a href="https://curl.haxx.se/ca/cacert.pem.sha256" rel="nofollow noreferrer">SHA256</a></li> </ul> <p>我建议您在文本编辑器中打开这个<code>cacert.pem</code>文件，因为我们需要将自签名CA添加到此文件中。</p> <p>证书是一个符合X.509的文档，但是它们可以通过几种方式编码到磁盘。下面的文章是一篇很好的读物，但简短的版本是，我们正在处理base64编码，在文件扩展名中通常称为PEM。您将看到它的格式：</p> <pre><code>----BEGIN CERTIFICATE---- .... base64 encoded binary data .... ----END CERTIFICATE---- </code></pre> <p><a href="https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them" rel="nofollow noreferrer">https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them</a></p> <hr/> <h2>获取我们的自签名证书</h2> <p>以下是一些关于如何获取自签名证书的选项：</p> <ul> <li>通过OpenSSL CLI</li> <li>通过浏览器</li> <li>通过Python脚本</li> </ul> <h2>通过OpenSSL CLI获取我们的自签名证书</h2> <p><a href="https://unix.stackexchange.com/questions/451207/how-to-trust-self-signed-certificate-in-curl-command-line/468360#468360">https://unix.stackexchange.com/questions/451207/how-to-trust-self-signed-certificate-in-curl-command-line/468360#468360</a></p> <pre class="lang-sh prettyprint-override"><code>echo quit | openssl s_client -showcerts -servername "curl.haxx.se" -connect curl.haxx.se:443 > cacert.pem </code></pre> <h2>通过浏览器获取我们的自签名证书授权</h2> <ul> <li>获取您的CA:<a href="https://stackoverflow.com/a/50486128/622276">https://stackoverflow.com/a/50486128/622276</a> <ul> <li><a href="http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/" rel="nofollow noreferrer">http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/</a></li> </ul></li> </ul> <p>由于这个答案和链接的blog，它显示了（在Windows上）如何查看证书，然后使用base64 PEM编码选项复制到文件的步骤。</p> <p>复制导出文件的内容并将其粘贴到<code>cacerts.pem</code>文件的末尾。</p> <p>为了保持一致性，请重命名此文件<code>cacerts.pem</code>--&gt；<code>ca-bundle.crt</code>，并将其放置在以下位置：</p> <pre class="lang-sh prettyprint-override"><code># Windows %USERPROFILE%\certs\ca-bundle.crt # or *nix $HOME/certs/cabundle.crt </code></pre> <h2>通过Python获取我们的自签名证书授权</h2> <p>感谢所有精彩的回答：</p> <p><a href="https://stackoverflow.com/questions/16903528/how-to-get-response-ssl-certificate-from-requests-in-python">How to get response SSL certificate from requests in python?</a></p> <p>我把下面的内容放在一起，试图更进一步。</p> <p><a href="https://github.com/neozenith/get-ca-py" rel="nofollow noreferrer">https://github.com/neozenith/get-ca-py</a></p> <hr/> <h2>最后</h2> <p>在pip和conda中设置配置，以便它知道这个CA存储在我们额外的自签名CA中的位置</p> <pre class="lang-sh prettyprint-override"><code>pip config set global.cert %USERPROFILE%\certs\ca-bundle.crt conda config --set ssl_verify %USERPROFILE%\certs\ca-bundle.crt </code></pre> <p>或者</p> <pre class="lang-sh prettyprint-override"><code>pip config set global.cert $HOME/certs/ca-bundle.crt conda config --set ssl_verify $HOME/certs/ca-bundle.crt </code></pre> <p>那么</p> <pre class="lang-sh prettyprint-override"><code>pip config list conda config --show ssl_verify # Hot tip: use -v to show where your pip config file is... pip config list -v # Example output for macOS and homebrew installed python For variant 'global', will try loading '/Library/Application Support/pip/pip.conf' For variant 'user', will try loading '/Users/jpeak/.pip/pip.conf' For variant 'user', will try loading '/Users/jpeak/.config/pip/pip.conf' For variant 'site', will try loading '/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/pip.conf' </code></pre> <h3>参考文献</h3> <ul> <li>Pip SSL:<a href="https://pip.pypa.io/en/stable/user_guide/#configuration" rel="nofollow noreferrer">https://pip.pypa.io/en/stable/user_guide/#configuration</a></li> <li>条件SSL:<a href="https://stackoverflow.com/a/35804869/622276">https://stackoverflow.com/a/35804869/622276</a></li> <li>获取您的CA:<a href="https://stackoverflow.com/a/50486128/622276">https://stackoverflow.com/a/50486128/622276</a> <ul> <li><a href="http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/" rel="nofollow noreferrer">http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/</a></li> </ul></li> <li>使用Python自动获取对等CA:<a href="https://stackoverflow.com/questions/16903528/how-to-get-response-ssl-certificate-from-requests-in-python">How to get response SSL certificate from requests in python?</a></li> </ul>

如何将自定义CA根证书添加到Windows中pip使用的CA存储？

1 个回答

相关Python问题