Python SSL证书验证错误 [英] Python SSL certificate verify error

问题描述

我正在使用访问RESTful API的请求.一切似乎都正常.我可以进行身份​​验证，拉回会话令牌，甚至可以对我为API编写的类中的方法进行单元测试.然后我尝试运行我的代码.

首先，这是我打的电话.标头是与静态会话相关的项目，可在 init ()中设置.主体是根据文件中的数据动态构建的，并传递给此函数.所有数据均有效.

response = requests.post(url, headers=(Requestheader), data=json.dumps((Requestbody)))

运行代码时，它将使用我提供的元数据更新100多个记录.在项目150的某处，我得到以下信息:

ssl.SSLCertVerificationError:[SSL:CERTIFICATE_VERIFY_FAILED] 证书验证失败:证书中的自签名证书 链(_ssl.c:1045)

我的第一步是打电话给供应商，以了解他们的所有Web服务器是否都已正确签署证书，以证明它们负载均衡了我，并且我发现了配置错误的服务器.他们告诉我事实并非如此.

然后我在邮件中搜索了一下，发现有一个验证错误，所以我尝试了:

response = requests.post(url, headers=Requestheader, data=json.dumps(Requestbody), verify=False)

我知道这不是长期理想的方法，但是我想对其进行测试以查看行为是否相同.它做同样的事情.它运行了一段时间，并抛出了ssl错误.我以为verify = False的想法是不会检查.

供应商建议我检查所使用的URL，但这很好.我想如果有代理服务器或真正的中间人攻击导致问题，那么失败之前我不会看到很多次成功.我以为可能是会话超时，但是应该抛出401状态，并且我的活动水平对于非活动超时来说太高了.

我是python noob，不是安全专家.建议表示赞赏.

解决方案

所以我认为该问题可能具有三个解决方案:

1. 证书没问题，代码有问题.例如，在使用此解决方案

   但是我真的不认为这是您的情况，因为在您提供的代码段中，没有使用任何此类方法.对于接下来的两个变体，您需要获取导致错误的URL并浏览其证书(可以通过浏览器完成).

2. 证书是可以的，但是对它进行签名的证书颁发机构不包括在请求库使用的CA列表中.打开令人困扰的URL后，请检查其中的CA，以查看其日期是否有效，并包含在 StackOverflow问题的答案中所述. /p>

3. 证书无效或为自发证书.与2中相同的解决方案.

一般的解决方案是将脚本包装在try except子句中，并打印出所有会导致错误的URL.然后尝试通过请求库一个接一个地请求它们，看看问题是否发生.如果是这样，则为(2)或(3)情况.如果不是，请尝试在另一台装有全新安装的python和请求的计算机上运行脚本.如果运行成功，则说明您的配置存在问题.

I'm using requests to access a RESTful API. Everything seems to work. I can authenticate, pull back a session token and even unit test the methods in my class I wrote for the API. Then I tried to run my code.

First, here is the call I'm making. The headers are static session-related items that get set in init(). The body is build dynamically from data in a file and passed in to this function. All of the data is valid.

response = requests.post(url, headers=(Requestheader), data=json.dumps((Requestbody)))

When I run the code, it updates well over 100 records with the metadata I supply. Somewhere around item 150 I get the following:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)

My first step was to call the vendor and find out if ALL of their web servers had properly signed certs figuring they were load balancing me and I found a misconfigured server. They tell me this is not the case.

Then I Googled the message and found that there is a verify kwarg, so I tried:

response = requests.post(url, headers=Requestheader, data=json.dumps(Requestbody), verify=False)

I know this isn't ideal long-term, but I wanted to test it to see if The behavior is the same. It did the same thing. It ran for a while and threw the ssl error. I thought the idea of verify=False is that it wouldn't check.

The vendor suggested I check the url I'm using, but it's fine. I would think if there were a proxy server or real man-in-the-middle attack causing problems I wouldn't see success so many times before a failure. I thought maybe it is a session timeout, but that should throw a 401 status and my activity level is too high for an inactivity timeout.

I'm a python noob and not a security professional. Suggestions appreciated.

解决方案

So the issue might have three resolutions as I see it:

1. A certificate is OK and there is something wrong with the code. The issue may occur, for example, while using prepared requests as described in this solution

   But I don't really think it is your case because in the snippet you've provided no such methods are used. For the two next variants, you'll need to get the URL that causes an error and explore it's certificate (can be done via browser).

2. A certificate is OK but a certificate authority that signed it is not included in CA list that is utilized by requests library. After you'll open a troubling URL, check CA in it and see if it's dates are valid and it is included in this list. If not, add CA in the trusted list for the requests library -- as explained in the answers to this StackOverflow question.

3. A certificate is not valid or self-singed. Same solution as in 2.

The general solution is to wrap your script in the try except clause and to print out all the URLs that will result in mistakes. Then try to request them one by one via requests library and see if the issue occurs. If it does, it's (2) or (3) case. If not — try to run script on another machine with fresh installed python and requests. If the run will be successful — then there's some issue in your configuration.

这篇关于Python SSL证书验证错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！