I have installed a self-signed root CA certificate into Debian's /usr/share/ca-certificates/local and used sudo dpkg-reconfigure ca-certificates. At this point true | gnutls-cli mysite.local is happy, and true | openssl s_client -connect mysite.local:443 is happy, but the python2 and python3 requests module insists it is not happy with the certificate.
python2:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 70, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 56, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
python3:
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/local/bin/python3.5/site-packages/requests/api.py", line 70, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/bin/python3.5/site-packages/requests/api.py", line 56, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/bin/python3.5/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/bin/python3.5/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/usr/local/bin/python3.5/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
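Why does python ignore the system ca-certificates bundle, and how do I integrate it?
Best answer
From https://stackoverflow.com/a/33717517/1695680
To make python requests use the system ca-certificates bundle, it needs to be told to use it over its own embedded bundle: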
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
Requests embeds its bundles here, for reference:
/usr/local/lib/python2.7/site-packages/requests/cacert.pem
/usr/lib/python3/dist-packages/requests/cacert.pem
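Or, in newer versions, it uses an additional package to obtain the certificates from: https://github.com/certifi/python-certifi
To verify which file the certificates are loaded from, you can try: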
Python 3.8.5 (default, Jul 28 2020, 12:59:40)
>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'
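The following diagnostic is an added example, not part of the original question or answer: it models the order in which requests picks a CA bundle (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then the packaged bundle) and checks whether a local root is present in a given bundle by fingerprint. The function names are hypothetical, and the "certificates" are constructed placeholders (PEM armor around arbitrary bytes), so it runs offline; on a real host, read the actual bundle files instead.

```python
import base64
import hashlib
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def effective_ca_bundle(environ, packaged_default):
    """Bundle path requests verifies against when verify is left at its default.

    REQUESTS_CA_BUNDLE wins, then CURL_CA_BUNDLE, then the packaged bundle
    (cacert.pem in old releases, certifi.where() in newer ones).
    """
    return (environ.get("REQUESTS_CA_BUNDLE")
            or environ.get("CURL_CA_BUNDLE")
            or packaged_default)

def fingerprints(pem_text):
    """SHA-256 fingerprints of the decoded body of every certificate block."""
    out = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        out.add(hashlib.sha256(der).hexdigest())
    return out

def bundle_trusts(root_pem, bundle_pem):
    """True if every certificate in root_pem is also present in bundle_pem."""
    wanted = fingerprints(root_pem)
    return bool(wanted) and wanted <= fingerprints(bundle_pem)

def _pem(payload):
    # Constructed stand-in: PEM armor around arbitrary bytes, not a real X.509 cert.
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

LOCAL_ROOT = _pem(b"constructed local root CA")
PACKAGED_BUNDLE = _pem(b"constructed public CA 1") + _pem(b"constructed public CA 2")
# Assumption: the regenerated system bundle contains the public CAs plus the local root.
SYSTEM_BUNDLE = PACKAGED_BUNDLE + LOCAL_ROOT

if __name__ == "__main__":
    path = effective_ca_bundle(os.environ, "<packaged cacert.pem>")
    print("requests would verify against:", path)
    print("packaged bundle has local root:", bundle_trusts(LOCAL_ROOT, PACKAGED_BUNDLE))
    print("system bundle has local root:  ", bundle_trusts(LOCAL_ROOT, SYSTEM_BUNDLE))
```
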
Regarding "Python requests - how to use system ca-certificates (debian/ubuntu)?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/42982143/