How to trust certificates for setuptools

Problem description

I've had quite a hard time trying to figure out how to get my root CA and intermediate CA trusted in order to download artifacts from my Nexus repository using setuptools Python v3.6.x.

Most, if not all, of the answers in regards to this suggest bypassing SSL. This isn't an option for me, and a huge security misstep. Also, as far as I can tell, setuptools doesn't have any builtin configuration options to allow this without specifically coding for it.

Recommended answer

Disclaimer: this is just how I got this to work. This is not intended to be the end all be all solution, nor do I think it should be. IMHO setuptools should be configurable or work differently than it does. If you have a different solution, please post it!

This took reading setuptools code in the file ssl_support.py. For my case I needed both certificates to be trusted. Important bits below:

#setuptools/ssl_support.py
...
cert_paths = """
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root.crt
/etc/ssl/cert.pem
/System/Library/OpenSSL/certs/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/ca-bundle.pem
""".strip().split()
...
def find_ca_bundle():
    """Return an existing CA bundle path, or None"""
    extant_cert_paths = filter(os.path.isfile, cert_paths)
    return (
        get_win_certfile()
        or next(extant_cert_paths, None)
        or _certifi_where()
    )

That hard-coded list of filepaths is filtered, in order, for extant files and used as an argument to a urllib.request.build_opener call to make the request. You need to find the first extant filepath and add your certificates to that file. In my case, it was /etc/ssl/certs/ca-certificates.crt.
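
One way to script the step described in the answer, as an added example that is not part of the original answer or of setuptools: it mirrors the path lookup and appends only the CA certificates the bundle does not already contain. The function names and the PEM bodies in demo() are constructed for illustration, and the Windows and certifi branches of find_ca_bundle() are left out.

```python
import os
import re
import tempfile

# Search order copied from the cert_paths list quoted above.
CERT_PATHS = """
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root.crt
/etc/ssl/cert.pem
/System/Library/OpenSSL/certs/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/ca-bundle.pem
""".split()
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def first_extant_bundle(paths=CERT_PATHS):
    """Same selection as next(filter(os.path.isfile, cert_paths), None)."""
    return next(filter(os.path.isfile, paths), None)

def append_missing_certs(bundle_path, ca_pem_text):
    """Append each PEM block the bundle lacks; return how many were added."""
    with open(bundle_path) as fh:
        present = {"".join(b.split()) for b in PEM_RE.findall(fh.read())}
    missing = []
    for block in PEM_RE.findall(ca_pem_text):
        key = "".join(block.split())  # compare ignoring line wrapping
        if key not in present:
            present.add(key)
            missing.append(block)
    if missing:
        with open(bundle_path, "a") as fh:
            fh.write("\n" + "\n".join(missing) + "\n")
    return len(missing)

def demo():
    """Throwaway directory and constructed PEM blocks (not real certificates)."""
    pem = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"
    ours = pem.format("Q09OU1RSVUNURURST09U") + pem.format("Q09OU1RSVUNURURJTlQ=")
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "ca-certificates.crt")
        with open(bundle, "w") as fh:
            fh.write(pem.format("Q09OU1RSVUNURURPUw=="))
        found = first_extant_bundle([os.path.join(d, "absent.crt"), bundle])
        added = append_missing_certs(found, ours)
        return found == bundle, added, append_missing_certs(found, ours)

if __name__ == "__main__":
    print(first_extant_bundle(), demo())
```

On Debian and Ubuntu, /etc/ssl/certs/ca-certificates.crt is regenerated by update-ca-certificates, so a certificate appended by hand is lost on the next regeneration. Placing the CA files in /usr/local/share/ca-certificates and running update-ca-certificates puts them into the same bundle and keeps them there.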
