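I have installed a self-signed root CA cert into Debian's /usr/share/ca-certificates/local and installed it with sudo dpkg-reconfigure ca-certificates. At this point true | gnutls-cli mysite.local is happy, and true | openssl s_client -connect mysite.local:443 is happy too, but the python2 and python3 requests module insists it is not happy with the cert.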
python2:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
python3
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/bin/python3.5/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
From http://codingdict.com/questions/664
To make Python requests use the system ca-certificates bundle, it needs to be told to use it over its own embedded bundle:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
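Requests embeds its bundles here, for reference:
/usr/local/lib/python2.7/site-packages/requests/cacert.pem
/usr/lib/python3/dist-packages/requests/cacert.pem
Or in newer versions, it uses an additional package to obtain the certificates from: https://github.com/certifi/python-certifi
To verify from which file the certificates are loaded, you can try: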
Python 3.8.5 (default, Jul 28 2020, 12:59:40)
>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'
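An added example, not part of the original answer: a standard-library check of which bundle requests will verify against (it reads REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, before falling back to its embedded/certifi bundle) and whether the local root CA is actually inside that bundle. The function names are hypothetical, and the PEM blocks in demo() are constructed placeholders, not real certificates.

```python
import base64
import os
import re
import tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def effective_ca_bundle(environ=None):
    """Bundle path requests uses with verify=True and trust_env=True."""
    environ = os.environ if environ is None else environ
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):  # checked in this order
        if environ.get(var):
            return environ[var]
    try:
        import certifi  # fallback used by newer requests versions
        return certifi.where()
    except ImportError:
        return None  # certifi not installed; embedded bundle location unknown

def pem_blocks_to_der(text):
    """Decode every PEM certificate block so formatting differences do not matter."""
    return {base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)}

def ca_in_bundle(ca_pem_path, bundle_path):
    """True if every certificate in ca_pem_path also appears in bundle_path."""
    with open(ca_pem_path, encoding="utf-8", errors="ignore") as f:
        wanted = pem_blocks_to_der(f.read())
    with open(bundle_path, encoding="utf-8", errors="ignore") as f:
        bundle = pem_blocks_to_der(f.read())
    return bool(wanted) and wanted <= bundle

def _fake_pem(payload):
    # Constructed placeholder: PEM framing around arbitrary bytes, not a real cert.
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def demo():
    """Compare an embedded-style bundle with a system-style bundle (both constructed)."""
    local_ca, public_ca = _fake_pem(b"constructed local root CA"), _fake_pem(b"constructed public CA")
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("local.crt", "cacert.pem", "ca-certificates.crt")}
        contents = {"local.crt": local_ca, "cacert.pem": public_ca,
                    "ca-certificates.crt": public_ca + local_ca}
        for name, text in contents.items():
            with open(paths[name], "w") as f:
                f.write(text)
        return (ca_in_bundle(paths["local.crt"], paths["cacert.pem"]),
                ca_in_bundle(paths["local.crt"], paths["ca-certificates.crt"]))

if __name__ == "__main__":
    print("bundle in effect:", effective_ca_bundle())
    print("local CA in (embedded, system) bundle:", demo())
```

On a real host, pass the installed CA file and the path returned by effective_ca_bundle() to ca_in_bundle(); a False result means requests is verifying against a bundle that does not contain the local root.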