Python using system SSL certificates?


Problem description

I ran into the recent Authorize.net SSL certificate invalidation debacle last week.

I've been able to get curl to accept their certificate finally:

$ curl -Iv https://secure.authorize.net
...
*  SSL certificate verify ok.
...

but python is still rejecting it with requests:

>>> requests.get('https://secure.authorize.net', verify=True)
...
  InsecurePlatformWarning

and in my code:

File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Can anyone tell me why python doesn't seem to be using the system certificates for validation? Any ideas on a fix?

EDIT

I am using Ubuntu and installed the certificate this way:

sudo curl -o /usr/local/share/ca-certificates/entrust_ssl_ca.crt https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
sudo update-ca-certificates

After running this, curl worked properly, but python still didn't recognize the certificate.

Solution

You don't mention what OS you're using or where you installed the certificates to make them available to Curl.

I used strace on my system to see where Python is looking for certificates. On my Fedora system Python is using /etc/pki/tls/certs/ca-bundle.crt, which is the standard location on Fedora, Red Hat, and similar systems.

On Ubuntu, Python is looking in /etc/ssl/certs/ca-certificates.crt.

According to the documentation:

You can pass verify the path to a CA_BUNDLE file with certificates of trusted CAs. This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.

...so you could provide your application with a list of CA certificates that is independent of what is installed on the system.

Update

Running openssl s_client -showcerts -connect secure.authorize.net:443 shows that the *.authorize.net certificate is signed by the "Entrust Certification Authority - L1K" certificate, which is signed by the "Entrust Root Certification Authority - G2" certificate, which is signed by the "Entrust Root Certification Authority" certificate. The certificate you have installed as entrust_ssl_ca.crt is the "Entrust.net Secure Server Certification Authority", which is "none of the above".

I would just visit http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/ and download everything, but the top-level certificate in the above chain is this one. That's the second certificate listed on the downloads page.
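The check the answer performs by hand, as an added example that is not part of the original question or answer: find the CA bundle Python will verify against, then see whether any CA from the chain reported by openssl s_client is in it. It is written for Python 3 with the standard library only; the function names are hypothetical, and the fallback to the ssl module's default cafile is an assumption of this sketch.

```python
import os
import ssl

# Issuer chain reported by openssl s_client in the answer above, leaf issuer first.
CHAIN = [
    "Entrust Certification Authority - L1K",
    "Entrust Root Certification Authority - G2",
    "Entrust Root Certification Authority",
]

def effective_ca_bundle(verify=True, environ=None):
    """Pick the CA file: explicit verify path, then REQUESTS_CA_BUNDLE,
    then (assumption of this sketch) the ssl module's default cafile."""
    environ = os.environ if environ is None else environ
    if isinstance(verify, str):
        return verify
    return environ.get("REQUESTS_CA_BUNDLE") or ssl.get_default_verify_paths().cafile

def ca_names(cafile):
    """Return the commonName of every CA certificate in a PEM bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    names = set()
    for cert in ctx.get_ca_certs():
        for rdn in cert["subject"]:
            names.update(v for k, v in rdn if k == "commonName")
    return names

def find_anchor(chain, names):
    """Return the first CA in the chain that the bundle trusts, else None."""
    return next((ca for ca in chain if ca in names), None)

if __name__ == "__main__":
    bundle = effective_ca_bundle()
    if not bundle or not os.path.exists(bundle):
        print("no CA bundle found:", bundle)
    else:
        anchor = find_anchor(CHAIN, ca_names(bundle))
        print(bundle, "->", anchor or "no CA from the chain is trusted")
```

A result of "no CA from the chain is trusted" matches the situation in the question, where the only Entrust certificate installed was one that does not appear in the server's chain.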
