How to add a custom CA Root certificate to the CA Store used by pip in Windows?


Problem description

I just installed Python3 from python.org and am having trouble installing packages with pip. By design, there is a man-in-the-middle packet inspection appliance on the network here that inspects all packets (ssl included) by resigning all ssl connections with its own certificate. Part of the GPO pushes the custom root certificate into the Windows Keystore.

When using Java, if I need to access any external https sites, I need to manually update the cacerts in the JVM to trust the Self-Signed CA certificate.

How do I accomplish that for python? Right now, when I try to install packages using pip, understandably, I get wonderful [SSL: CERTIFICATE_VERIFY_FAILED] errors.

I realize I can ignore them using the --trusted-host parameter, but I don't want to do that for every package I'm trying to install.

Is there a way to update the CA Certificate store that python uses?

Recommended answer

Self-Signed Certificate Authorities pip / conda

After extensively documenting a similar problem with Git (How can I make git accept a self signed certificate?), here we are again behind a corporate firewall with a proxy giving us a MitM "attack" that we should trust and:

Never disable all SSL verification!

This creates a bad security culture. Don't be that person.

tl;dr

pip config set global.cert path/to/ca-bundle.crt
pip config list
conda config --set ssl_verify path/to/ca-bundle.crt
conda config --show ssl_verify

# Bonus while we are here...
git config --global http.sslVerify true
git config --global http.sslCAInfo path/to/ca-bundle.crt

But where do we get ca-bundle.crt from?

cURL publishes an extract of the Certificate Authorities bundled with Mozilla Firefox

https://curl.haxx.se/docs/caextract.html

  • Direct Download
  • SHA256

I recommend you open up this cacert.pem file in a text editor as we will need to add our self-signed CA to this file.

Certificates are a document complying with X.509 but they can be encoded to disk a few ways. The below article is a good read but the short version is that we are dealing with the base64 encoding which is often called PEM in the file extensions. You will see it has the format:

-----BEGIN CERTIFICATE-----
....
base64 encoded binary data
....
-----END CERTIFICATE-----

Below are a few options on how to get our self signed certificate:

  • Via the OpenSSL CLI
  • Via a browser
  • Via a Python script

https://unix.stackexchange.com/questions/451207/how-to-trust-self-signed-certificate-in-curl-command-line/468360#468360

echo quit | openssl s_client -showcerts -servername "curl.haxx.se" -connect curl.haxx.se:443 > cacert.pem

Get our Self-Signed Certificate Authority via Browser

  • Acquiring your CA: https://stackoverflow.com/a/50486128/622276
    • http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/
    • Thanks to this answer and the linked blog, it shows steps (on Windows) how to view the certificate and then copy to file using the base64 PEM encoding option.

Copy the contents of this exported file and paste it at the end of your cacerts.pem file.

For consistency rename this file cacerts.pem --> ca-bundle.crt and place it somewhere easy like:

# Windows
%USERPROFILE%\certs\ca-bundle.crt

# or *nix
$HOME/certs/ca-bundle.crt


Get our Self-Signed Certificate Authority via Python

Thanks to all the brilliant answers in:

How to get the response SSL certificate from requests in python?

I have put together the following to attempt to take it a step further.

https://github.com/neozenith/get-ca-py

Set the configuration in pip and conda so that it knows where this CA store resides with our extra self-signed CA.

pip config set global.cert %USERPROFILE%\certs\ca-bundle.crt
conda config --set ssl_verify %USERPROFILE%\certs\ca-bundle.crt

OR

pip config set global.cert $HOME/certs/ca-bundle.crt
conda config --set ssl_verify $HOME/certs/ca-bundle.crt


Afterwards

pip config list
conda config --show ssl_verify

# Hot tip: use -v to show where your pip config file is...
pip config list -v
# Example output for macOS and homebrew installed python
For variant 'global', will try loading '/Library/Application Support/pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.config/pip/pip.conf'
For variant 'site', will try loading '/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/pip.conf'
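The "paste it at the end of cacerts.pem" step done with a duplicate check and a load check, as an added example that is not part of the answer above or of the get-ca-py project: every PEM block (from the Mozilla extract, a browser export, or the raw `openssl s_client -showcerts` output) is decoded, fingerprinted by the SHA-256 of its DER bytes, and appended only once. The sample blocks are constructed base64 stand-ins rather than real certificates, and `bundle_loads()` is a helper name chosen here.

```python
"""Merge a custom CA into a PEM bundle without duplicates (added example)."""
import base64
import hashlib
import re
import ssl

# Matches every certificate block regardless of what surrounds it (comments in
# cacert.pem, or the session chatter that openssl s_client -showcerts prints).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return each certificate block re-serialised in canonical PEM form."""
    blocks = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append(ssl.DER_cert_to_PEM_cert(der))
    return blocks

def fingerprint(pem):
    """SHA-256 of the DER bytes, the fingerprint a browser's cert viewer shows."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def merge_bundle(bundle_text, extra_text):
    """Append certs from extra_text that bundle_text lacks; return (text, added)."""
    seen = {fingerprint(p) for p in pem_blocks(bundle_text)}
    merged = bundle_text if bundle_text.endswith("\n") else bundle_text + "\n"
    added = []
    for pem in pem_blocks(extra_text):
        fp = fingerprint(pem)
        if fp not in seen:          # skip a CA that is already in the bundle
            seen.add(fp)
            added.append(fp)
            merged += pem
    return merged, added

def bundle_loads(path):
    """True if OpenSSL accepts the file as a CA store, which is how pip uses it."""
    try:
        ssl.create_default_context().load_verify_locations(cafile=path)
        return True
    except ssl.SSLError:
        return False

# Constructed stand-ins (base64 of arbitrary bytes), NOT real certificates.
CERT_A = ssl.DER_cert_to_PEM_cert(b"constructed-cert-A" * 4)
CERT_B = ssl.DER_cert_to_PEM_cert(b"constructed-cert-B" * 4)
MOZILLA_EXTRACT = "# cacert.pem (constructed sample)\n" + CERT_A
EXPORTED_CA = CERT_A + CERT_B   # an export that repeats a cert the bundle has
```

Write the merged text to ca-bundle.crt and run `bundle_loads()` on it before pointing `pip config set global.cert` at the file; with real certificates it returns True, with the constructed stand-ins it returns False.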
          

