我正在尝试通过 https 连接到使用非官方 CA 的网站。由于某种原因,它可以与curl一起使用,但不能与python请求一起使用。
请参阅下面的示例
Python 3.8.0 (default, Oct 30 2019, 11:47:54)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.9.0 -- An enhanced Interactive Python. Type '?' for help.
In [1]: import requests
In [2]: requests.__version__
Out[2]: '2.22.0'
In [3]: cert = "..."
In [4]: url = "..."
In [5]: !curl --cacert {cert} {url}
{"status":200}
In [6]: requests.get(url,verify=cert)
---------------------------------------------------------------------------
SSLCertVerificationError Traceback (most recent call last)
...
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)
During handling of the above exception, another exception occurred:
MaxRetryError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
During handling of the above exception, another exception occurred:
SSLError Traceback (most recent call last)
...
SSLError: HTTPSConnectionPool(host='...', port=443): Max retries exceeded with url: ... (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1108)')))
我做错了什么?为什么它的行为不同?
--编辑--
curl 肯定正在使用此证书,没有它,curl 就会失败
In [9]: !curl {url}
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
...
In [10]:
最佳答案
... it's an intermediate CA
仅在信任存储中拥有中间 CA 不足以验证证书,至少对于当前版本的 Python 来说是这样。此功能需要使用 OpenSSL 标志 X509_V_FLAG_PARTIAL_CHAIN 进行验证,即 neither currently exposed by Python也不默认设置。
与此旋度相反sets this flag by default在较新的版本中,因此可以工作。
关于python - curl --cacert 与 python 请求验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64219172/