How to make Python use CA certificates from Mac OS TrustStore?


Problem description


I need to use custom root certificates on the company intranet and loading them in the Mac OS TrustStore (KeyChain) does solve the problem for all browsers and GUI apps.

It seems that it works even with the version of curl that ships with Mac OS X but it doesn't work with python, even the version that ships with Mac OS 10.12 Sierra (Python 2.7.10).

Still, it seems that I would be hit by:

urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

How can I solve this?

Because I encounter this issue in lots and lots of Python tools I would really appreciate if I find a way to avoid it without having to patch them.

Providing the custom CA certificate myself is not an option because I cannot patch tens of Python tools that I use.

Most of the tools are using the requests library but there are a few that are using the native ssl support in Python directly.

Solution

If you put the additional certificates in a PEM bundle file you can use these two environment variables to overwrite the default cert stores used by Python openssl and requests.

SSL_CERT_FILE=/System/Library/OpenSSL/cert.pem
REQUESTS_CA_BUNDLE=/System/Library/OpenSSL/cert.pem

Please note that this file does not exist; you need to build it yourself.
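
One way to build that bundle on a Mac, as an added example that is not part of the original answer: it exports the system keychains with `security find-certificate -a -p` and prints the two variables from the answer. The function name `build_ca_bundle` and the output path `~/.macos-ca-bundle.pem` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): build the PEM bundle from the
# macOS keychains and point Python's ssl module and requests at it.
# Assumption: a per-user bundle path, chosen here for illustration.
BUNDLE="${BUNDLE:-$HOME/.macos-ca-bundle.pem}"

# build_ca_bundle OUT KEYCHAIN...
# Exports every certificate in each keychain as PEM and installs the result at
# OUT only if every export succeeded and at least one certificate was found.
# Prints the number of certificates written.
build_ca_bundle() {
    out=$1; shift
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    for kc in "$@"; do
        # -a: all certificates in the keychain, -p: PEM output
        if ! security find-certificate -a -p "$kc" >>"$tmp"; then
            rm -f "$tmp"; return 1
        fi
    done
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$tmp" || true)
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"; return 1      # never install an empty trust store
    fi
    chmod 644 "$tmp"                # trust anchors: writable by the owner only
    mv "$tmp" "$out"                # atomic replace, no partially written file
    echo "$count"
}

# Stand-alone use on a Mac: sh build-bundle.sh build
if [ "${1:-}" = "build" ]; then
    n=$(build_ca_bundle "$BUNDLE" \
        /System/Library/Keychains/SystemRootCertificates.keychain \
        /Library/Keychains/System.keychain) || { echo "export failed" >&2; exit 1; }
    echo "wrote $n certificates to $BUNDLE" >&2
    # The two settings from the answer, ready for a shell profile.
    echo "export SSL_CERT_FILE=$BUNDLE"
    echo "export REQUESTS_CA_BUNDLE=$BUNDLE"
fi
```

The bundle is a snapshot: regenerate it when roots are added to or removed from the keychain, because Python keeps trusting whatever the file contains. `find-certificate` exports every certificate stored in the keychain, whether or not it is marked trusted there, so review the result before relying on it.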
