使用系统SSL证书的Python? [英] Python using system SSL certificates?
问题描述
I ran into the recent Authorize.net SSL certificate invalidation debacle last week.
我终于可以卷曲起来接受他们的证书了:
I've been able to get curl to accept their certificate finally:
$ curl -Iv https://secure.authorize.net
...
* SSL certificate verify ok.
...
但是python仍然拒绝它的请求:
but python is still rejecting it with requests:
>>> requests.get('https://secure.authorize.net', verify=True)
...
InsecurePlatformWarning
并在我的代码中:
File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
有人可以告诉我为什么python似乎没有使用系统证书进行验证吗?有任何解决办法吗?
Can anyone tell me why python doesn't seem to be using the system certificates for validation? Any ideas on a fix?
编辑
我正在使用Ubuntu,并通过以下方式安装了证书:
I am using Ubuntu and installed the certificate this way:
sudo curl -o /usr/local/share/ca-certificates/entrust_ssl_ca.crt https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
sudo update-ca-certificates
运行此命令后,curl可以正常工作,但是python仍然无法识别证书.
after running this, curl worked properly, but python still didn't recognize the certificate.
推荐答案
您没有提及正在使用的操作系统或在何处安装了证书,以使其可用于Curl.
You don't mention what OS you're using or where you installed the certificates to make them available to Curl.
我在系统上使用了 strace 来查看Python在哪里寻找证书.在我的Fedora系统上,Python使用的是/etc/pki/tls/certs/ca-bundle.crt ,这是Fedora,Red Hat和类似系统上的标准位置.
I used strace on my system to see where Python is looking for certificates. On my Fedora system Python is using/etc/pki/tls/certs/ca-bundle.crt, which is the standard location on Fedora, Red Hat, and similar systems.
在Ubuntu上,Python正在查找/etc/ssl/certs/ca-certificates.crt .
On Ubuntu, Python is looking in /etc/ssl/certs/ca-certificates.crt.
根据文档:
您可以使用以下证书通过验证路径到CA_BUNDLE文件:受信任的CA.也可以通过以下方式指定此受信任的CA列表REQUESTS_CA_BUNDLE环境变量.
You can pass verify the path to a CA_BUNDLE file with certificates of trusted CAs. This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.
...因此您可以为您的应用程序提供独立于系统上安装的CA证书的列表.
...so you could provide your application with a list of CA certificates that is independent of what is installed on the system.
更新
运行 openssl s_client -showcerts -connect secure.authorize.net:443 显示 *.authorize.net 证书由"Entrust证书颁发机构-L1K"签名"证书,由委托根证书颁发机构-G2"证书签署,该证书由委托根证书颁发机构"证书签署.您作为 entrust_ssl_ca.crt 安装的证书是"Entrust.net安全服务器证书颁发机构",它不是以上所有".
Running openssl s_client -showcerts -connect secure.authorize.net:443 shows that the *.authorize.net certificate is signed by the "Entrust Certification Authority - L1K" certificate, which is signed by the "Entrust Root Certification Authority - G2" certificate, which is signed by the "Entrust Root Certification Authority" certificate. The certificate you have installed as entrust_ssl_ca.crt is the "Entrust.net Secure Server Certification Authority", which is "none of the above".
我只会访问 http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/并下载所有内容,但上述链中的顶级证书为
I would just visit http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/ and download everything, but the top-level certificate in the above chain is this one. That's the second certificate listed on the downloads page.
这篇关于使用系统SSL证书的Python?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
