Python (pip) throwing [SSL: CERTIFICATE_VERIFY_FAILED] even if certificate chain updated
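This is a follow-up to a previous SO post.
I am using Windows/cygwin and I need python to be aware of a custom CA certificate, because the network infrastructure re-signs all SSL requests with its own certificate.
If I try to run pip search SimpleHTTPServer, I get the following error message: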
...
File "c:\users\erbe\appdata\local\programs\python\python35-32\lib\ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
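I have tried to add the certificate to my list of trusted certificates by doing the following:
- copy my .pem file to /etc/pki/ca-trust/source/anchors
- update-ca-trust extract
I have verified that this works, since I can now point to the generated PEM file and run pip successfully (pip --cert /usr/local/ssl/cert.pem search SimpleHTTPServer):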
$ pip --cert tls-ca-bundle.pem search SimpleHTTPServer
ComplexHTTPServer (0.1) - A Multithreaded Python SimpleHTTPServer
SimpleTornadoServer (1.0) - better SimpleHTTPServer using tornado
rangehttpserver (1.2.0) - SimpleHTTPServer with support for Range requests
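However, I want this to work without having to specify the certificate manually every time. I want to update the certificate chain that python uses: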
$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/ssl/certs')
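I have verified, through a series of symlinks, that /usr/local/ssl/cert.pem points to the same file. However, if I execute pip, I still get the [SSL: CERTIFICATE_VERIFY_FAILED] error message.
I uninstalled the Windows version of python and reinstalled the Cygwin version of python. With it, I ran easy_install-2.7 pip. Now at least I can execute pip with the full certificate path without an error message: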
$ pip --cert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem search simpleHttpServer
LittleHTTPServer (0.5.0) - Little bit extended SimpleHTTPServer
SimpleHTTP404Server (0.2.0) - A Python SimpleHTTPServer, but serves 404.html if a page is not found.
django-localsrv (0.1.2) - Django app for serving static content from different sources (files, strings, urls, etc.) at custom paths,
To be safe, I also tried updating the SSL_CERT_DIR variable to point to /etc/pki/ca-trust-extracted/pem and setting SSL_CERT_FILE to /etc/pki/ca-trust-extracted/pem/tls-ca-bundle.pem, but these do not work:
$ set | grep SSL
SSL_CERT_DIR=/etc/pki/ca-trust/extracted/pem
SSL_CERT_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', capath='/etc/pki/ca-trust/extracted/pem', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/ssl/certs')
$ pip search simpleHttpServer
Exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/basecommand.py", line 215, in main
status = self.run(options, args)
...
...
File "/usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/adapters.py", line 477, in send
raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
What am I doing wrong? Is this a cygwin vs. Windows problem? Which PEM files do I need to update?
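You can add pip command line options as defaults in its configuration file. On Windows, it should be located at %APPDATA%\pip\pip.ini.
To add the certificate, put the following lines in the file: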
[global]
cert = windows path to your certificate
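
Added example (not part of the original answer and not pip's own code): a Python 3 script that first checks that OpenSSL can load the CA bundle and then writes the answer's `[global]` `cert` setting into the per-user pip config while keeping existing options. The function names and the non-Windows config path `~/.config/pip/pip.conf` are assumptions of this example.

```python
import configparser
import os
import ssl
import sys


def default_pip_config_path():
    """Per-user pip config; %APPDATA%\\pip\\pip.ini on Windows, as in the answer."""
    if os.name == "nt":
        return os.path.join(os.environ["APPDATA"], "pip", "pip.ini")
    # Assumption: a POSIX Python (Cygwin included) uses pip's per-user file here.
    return os.path.expanduser("~/.config/pip/pip.conf")


def bundle_is_loadable(cafile):
    """True if OpenSSL can load certificates from the PEM file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except OSError:  # ssl.SSLError (no PEM certs) and missing files both land here
        return False
    return True


def set_pip_cert(config_path, cafile):
    """Set [global] cert, keeping other options (comments in the file are lost)."""
    parser = configparser.RawConfigParser()  # raw: no % interpolation in paths
    parser.read(config_path)  # a missing file is skipped silently
    if not parser.has_section("global"):
        parser.add_section("global")
    parser.set("global", "cert", os.path.abspath(cafile))
    os.makedirs(os.path.dirname(os.path.abspath(config_path)), exist_ok=True)
    with open(config_path, "w") as fh:
        parser.write(fh)
    return dict(parser.items("global"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: set_pip_cert.py /path/to/ca-bundle.pem")
    if not bundle_is_loadable(sys.argv[1]):
        sys.exit("refusing to configure pip: no loadable PEM certificate in file")
    print(set_pip_cert(default_pip_config_path(), sys.argv[1]))
```

Checking the bundle before writing the setting avoids pointing pip at a file that would make every later HTTPS request fail verification.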