How to add a custom CA Root certificate to the CA Store used by pip in Windows?

Question
I just installed Python3 from python.org and am having trouble installing packages with pip. By design, there is a man-in-the-middle packet inspection appliance on the network here that inspects all packets (ssl included) by resigning all ssl connections with its own certificate. Part of the GPO pushes the custom root certificate into the Windows Keystore.
When using Java, if I need to access any external https sites, I need to manually update the cacerts in the JVM to trust the Self-Signed CA certificate.
How do I accomplish that for python? Right now, when I try to install packages using pip, understandably, I get wonderful [SSL: CERTIFICATE_VERIFY_FAILED] errors.
I realize I can ignore them using the --trusted-host parameter, but I don't want to do that for every package I'm trying to install.
Is there a way to update the CA Certificate store that python uses?

Accepted answer
Self-Signed Certificate Authorities pip / conda

After extensively documenting a similar problem with Git (How can I make git accept a self signed certificate?), here we are again behind a corporate firewall with a proxy giving us a MitM "attack" that we should trust and:
Never disable all SSL verification!

This creates a bad security culture. Don't be that person.

tl;dr
pip config set global.cert path/to/ca-bundle.crt
pip config list
conda config --set ssl_verify path/to/ca-bundle.crt
conda config --show ssl_verify
# Bonus while we are here...
git config --global http.sslVerify true
git config --global http.sslCAInfo path/to/ca-bundle.crt
But where do we get ca-bundle.crt from?

cURL publishes an extract of the Certificate Authorities bundled with Mozilla Firefox:
https://curl.haxx.se/docs/caextract.html
I recommend you open up this cacert.pem file in a text editor, as we will need to add our self-signed CA to this file.

Certificates are documents complying with X.509, but they can be encoded to disk in a few ways. The article below is a good read, but the short version is that we are dealing with the base64 encoding, which is often called PEM in the file extensions. You will see it has the format:
-----BEGIN CERTIFICATE-----
....
base64 encoded binary data
....
-----END CERTIFICATE-----
Below are a few options on how to get our self-signed certificate:

- via the OpenSSL CLI
- via the browser
- via a Python script

Get our Self-Signed Certificate Authority via the OpenSSL CLI
echo quit | openssl s_client -showcerts -servername "curl.haxx.se" -connect curl.haxx.se:443 > cacert.pem
Get our Self-Signed Certificate Authority via the browser

- Get your CA: https://stackoverflow.com/a/50486128/622276
- http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/

Thanks to this answer and the linked blog, which show the steps (on Windows) to view the certificate and then copy it to a file using the base64 PEM encoding option.
Copy the contents of this exported file and paste it at the end of your cacert.pem file. For consistency, rename this file cacert.pem --> ca-bundle.crt and place it somewhere easy like:

# Windows
%USERPROFILE%\certs\ca-bundle.crt
# Linux/macOS
$HOME/certs/ca-bundle.crt
Get our Self-Signed Certificate Authority via Python

Thanks to all the brilliant answers in:

I have put together the following to attempt to take it a step further.
https://github.com/neozenith/get-ca-py
Set the configuration in pip and conda so that it knows where this CA store with our extra self-signed CA resides.

# Windows
pip config set global.cert %USERPROFILE%\certs\ca-bundle.crt
conda config --set ssl_verify %USERPROFILE%\certs\ca-bundle.crt
or

# Linux / macOS
pip config set global.cert $HOME/certs/ca-bundle.crt
conda config --set ssl_verify $HOME/certs/ca-bundle.crt
then

pip config list
conda config --show ssl_verify
# Hot tip: use -v to show where your pip config file is...
pip config list -v
# Example output for macOS and homebrew installed python
For variant 'global', will try loading '/Library/Application Support/pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.config/pip/pip.conf'
For variant 'site', will try loading '/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/pip.conf'
Troubleshooting

Based on a great comment below:

I've tried this and still get a SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')) error. Any suggestions?

Here is the troubleshooting guide:

This is the normal error message when the certificate authorities are not yet correctly set up.
It could be a variety of factors to check:

- the path to your ca-bundle.crt has the correct path separators for your OS (it caught me out),
- you may not have the latest CAs to validate regular certificates,
- you may not have added the CA in the correct encoding.

Python is effectively doing these 3 steps:

- find my CA store,
- read all entries,
- find this certificate in my trust store.

If any of those fail you get this error message, from experience.
Check this answer linked below to display and check your ssl_cert_dir using:

python -c "import ssl; print(ssl.get_default_verify_paths())"
References

- Pip SSL: https://pip.pypa.io/en/stable/user_guide/#configuration
- Conda SSL: https://stackoverflow.com/a/35804869/622276
- Get your CA: https://stackoverflow.com/a/50486128/622276
- http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/
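The answer's `openssl s_client ... > cacert.pem` one-liner redirects the whole session transcript (CONNECTED, depth=, verify error lines and the per-site leaf certificate) into the file, and the "paste at the end of the file" step has three classic failure modes the troubleshooting list alludes to: a DER/binary export instead of base64 PEM, CRLF/indented blocks from a Windows export, and a mixed-separator path in the pip config. The following is an added example written for this page, not code from the question, the answer, or the get-ca-py repository, and uses only the Python standard library. It pulls the PEM blocks out of `s_client` output, keeps only the issuer certificates (the proxy's CA chain, not the re-signed leaf), merges them into the Mozilla bundle without duplicates (by SHA-256 of the DER, the same value `openssl x509 -fingerprint -sha256` prints), and emits the `pip config` / `conda config` commands with an absolute, correctly separated path. The certificates embedded in it are constructed stand-ins (valid base64 but not real X.509) so that it runs offline; the function names and the `Corp Proxy` names are assumptions. Two caveats worth knowing: pip reads `global.cert` (or the `PIP_CERT` environment variable), not the paths `ssl.get_default_verify_paths()` reports, because it ships its own vendored bundle; and a server chain usually ends at the proxy's intermediate, while OpenSSL's default verification wants the self-signed root in the store, so the root from the Windows store that GPO populated normally has to be merged as well (recent pip versions can also read that store directly with `--use-feature=truststore`).

```python
"""Added example: merge a corporate proxy's CA into a PEM bundle for pip/conda.

Not the page's or get-ca-py's code; standard library only; certificates below
are constructed stand-ins, not real X.509 data.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import re
import tempfile
from pathlib import Path

HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(rf"{HEADER}\r?\n(.*?)\r?\n{FOOTER}", re.DOTALL)


def extract_pem_certs(text: str) -> list[str]:
    """Return every CERTIFICATE block in `text`, re-wrapped at 64 columns with
    LF line endings.  Accepts a cacert.pem bundle, a CRLF/indented file from the
    Windows certificate viewer, or raw `openssl s_client -showcerts` output
    (whose CONNECTED/depth=/verify lines must not land in the bundle).
    Raises ValueError when a block is not base64, e.g. a binary DER .cer pasted
    in: the "wrong encoding" item of the troubleshooting list."""
    certs = []
    for body in PEM_RE.findall(text):
        b64 = "".join(line.strip() for line in body.splitlines())
        try:
            if not b64:
                raise binascii.Error("empty block")
            base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate block is not base64 PEM; export it as "
                             "'Base-64 encoded X.509 (.CER)', not DER") from exc
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"{HEADER}\n{wrapped}\n{FOOTER}")
    return certs


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes, colon separated as `openssl x509 -fingerprint
    -sha256` prints it, so the merged CA can be compared with the one GPO pushed."""
    body = "".join(l.strip() for l in pem.strip().splitlines()[1:-1])
    der = base64.b64decode(body, validate=True)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def proxy_chain_issuers(s_client_output: str) -> list[str]:
    """Keep only chain entries 1..n from `openssl s_client -showcerts` output.
    Entry 0 is the leaf the proxy re-signed for this one host; trusting it as a
    CA is pointless and would have to be repeated per site.  If the proxy sent
    only the leaf, the CA must be exported from the Windows store instead."""
    chain = extract_pem_certs(s_client_output)
    if len(chain) < 2:
        raise ValueError("no issuer certificate in the chain; export the proxy CA "
                         "from the Windows certificate store instead")
    return chain[1:]


def merge_bundle(bundle_text: str, new_certs: list[str]) -> tuple[str, list[str]]:
    """Append each certificate not already present (dedup by DER fingerprint).
    The existing bundle text, Mozilla's '# Issuer:' comments included, is kept
    as-is and only appended to.  Returns (merged_text, fingerprints_added)."""
    have = {fingerprint(c) for c in extract_pem_certs(bundle_text)}
    out = bundle_text if (not bundle_text or bundle_text.endswith("\n")) else bundle_text + "\n"
    added = []
    for cert in extract_pem_certs("\n".join(new_certs)):  # normalises line endings
        fp = fingerprint(cert)
        if fp not in have:
            have.add(fp)
            added.append(fp)
            out += cert + "\n"
    return out, added


def config_commands(bundle: Path) -> list[str]:
    """pip/conda commands pointing at the bundle via an absolute path in the
    OS's own separator (mixed separators are item 1 of the troubleshooting list)."""
    p = str(bundle.resolve())
    return [f'pip config set global.cert "{p}"', f'conda config --set ssl_verify "{p}"']


def _constructed_cert(label: str) -> str:
    """Constructed stand-in: valid base64, NOT a real certificate.  Never load
    these into an ssl.SSLContext; they only exercise the text handling."""
    b64 = base64.b64encode(f"constructed, not a real cert: {label}".encode() * 3).decode()
    return f"{HEADER}\n{b64}\n{FOOTER}"


# Constructed samples: a two-"root" bundle and s_client output where the proxy
# re-signed pypi.org and sent its issuing CA but (as is typical) not its root.
SAMPLE_BUNDLE = ("## Constructed stand-in for cacert.pem\n"
                 + _constructed_cert("mozilla root 1") + "\n"
                 + _constructed_cert("mozilla root 2") + "\n")
SAMPLE_S_CLIENT = ("CONNECTED(00000003)\n"
                   "depth=1 CN = Corp Proxy Issuing CA\n"
                   "verify error:num=20:unable to get local issuer certificate\n"
                   "---\nCertificate chain\n"
                   " 0 s:CN = pypi.org\n   i:CN = Corp Proxy Issuing CA\n"
                   + _constructed_cert("leaf pypi.org") + "\n"
                   " 1 s:CN = Corp Proxy Issuing CA\n   i:CN = Corp Proxy Root CA\n"
                   + _constructed_cert("Corp Proxy Issuing CA") + "\n"
                   "---\nServer certificate\nsubject=CN = pypi.org\n")


def demo(out_dir: Path | None = None) -> tuple[Path, list[str]]:
    """Merge the proxy's issuer(s) into the sample bundle and write ca-bundle.crt."""
    out_dir = out_dir or Path(tempfile.mkdtemp())
    merged, added = merge_bundle(SAMPLE_BUNDLE, proxy_chain_issuers(SAMPLE_S_CLIENT))
    bundle = out_dir / "ca-bundle.crt"
    bundle.write_bytes(merged.encode("ascii"))  # bytes: keeps LF endings on Windows too
    return bundle, added


if __name__ == "__main__":
    path, added = demo()
    print(f"wrote {path}: {len(extract_pem_certs(path.read_text()))} certificates, added {added}")
    print("\n".join(config_commands(path)))
```

Run it as-is to see the merged sample and the two config commands; for a real bundle, replace `SAMPLE_BUNDLE` with the contents of the downloaded cacert.pem and `SAMPLE_S_CLIENT` with the saved `openssl s_client -showcerts` transcript (or pass a Windows-exported root through `extract_pem_certs` and `merge_bundle` directly), then verify with `pip config list` as the answer shows.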