How to add a custom CA Root certificate to the CA Store used by pip in Windows?


Question

I just installed Python3 from python.org and am having trouble installing packages with pip. By design, there is a man-in-the-middle packet inspection appliance on the network here that inspects all packets (ssl included) by re-signing all ssl connections with its own certificate. Part of the GPO pushes the custom root certificate into the Windows Keystore.

When using Java, if I need to access any external https sites, I need to manually update the cacerts in the JVM to trust the Self-Signed CA certificate.

How do I accomplish that for python? Right now, when I try to install packages using pip, understandably, I get wonderful [SSL: CERTIFICATE_VERIFY_FAILED] errors.

I realize I can ignore them using the --trusted-host parameter, but I don't want to do that for every package I'm trying to install.

Is there a way to update the CA Certificate store that python uses?

Recommended answer

Self-Signed Certificate Authorities pip / conda

After extensively documenting a similar problem with Git (How can I make git accept a self signed certificate?), here we are again behind a corporate firewall with a proxy giving us a MitM "attack" that we should trust and:

NEVER DISABLE ALL SSL VERIFICATION!

This creates a bad security culture. Don't be that person.

tl;dr

pip config set global.cert path/to/ca-bundle.crt
pip config list
conda config --set ssl_verify path/to/ca-bundle.crt
conda config --show ssl_verify

# Bonus while we are here...
git config --global http.sslVerify true
git config --global http.sslCAInfo path/to/ca-bundle.crt

But where do we get ca-bundle.crt from?

cURL publishes an extract of the Certificate Authorities bundled with Mozilla Firefox:

https://curl.haxx.se/docs/caextract.html

I recommend you open up this cacert.pem file in a text editor as we will need to add our self-signed CA to this file.

Certificates are documents complying with X.509, but they can be encoded to disk in a few ways. The article below is a good read, but the short version is that we are dealing with the base64 encoding, which is often called PEM in the file extension. You will see it has the format:

-----BEGIN CERTIFICATE-----
....
base64 encoded binary data
....
-----END CERTIFICATE-----

https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

Below are a few options on how to get our self-signed certificate:

  • via the OpenSSL CLI
  • via a browser
  • via a Python script

https://unix.stackexchange.com/questions/451207/how-to-trust-self-signed-certificate-in-curl-command-line/468360#468360

echo quit | openssl s_client -showcerts -servername "curl.haxx.se" -connect curl.haxx.se:443 > cacert.pem

Get our Self-Signed Certificate Authority via Browser

  • Get your CA: https://stackoverflow.com/a/50486128/622276
    • http://blog.majcica.com/2016/12/27/installing-self-signed-certificates-into-git-cert-store/
    • Thanks to this answer and the linked blog, it shows steps (on Windows) how to view the certificate and then copy to file using the base64 PEM encoding option.

Copy the contents of this exported file and paste it at the end of your cacerts.pem file.

For consistency rename this file cacerts.pem --> ca-bundle.crt and place it somewhere easy like:

# Windows
%USERPROFILE%\certs\ca-bundle.crt

# Linux/macOS
$HOME/certs/ca-bundle.crt

Get our Self-Signed Certificate Authority via Python

Thanks to all the brilliant answers in:

How to get response SSL certificate from requests in python?

I have put together the following to attempt to take it a step further.

https://github.com/neozenith/get-ca-py

Set the configuration in pip and conda so that it knows where this CA store resides with our extra self-signed CA.

# Windows
pip config set global.cert %USERPROFILE%\certs\ca-bundle.crt
conda config --set ssl_verify %USERPROFILE%\certs\ca-bundle.crt

# Linux / macOS
pip config set global.cert $HOME/certs/ca-bundle.crt
conda config --set ssl_verify $HOME/certs/ca-bundle.crt

Then

pip config list
conda config --show ssl_verify

# Hot tip: use -v to show where your pip config file is...
pip config list -v
# Example output for macOS and homebrew installed python
For variant 'global', will try loading '/Library/Application Support/pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.config/pip/pip.conf'
For variant 'site', will try loading '/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/pip.conf'

Troubleshooting

Based on a great comment below:

I've tried this and still get a SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')) error. Any suggestions?

Here is the troubleshooting guide:

This is the normal error message when the certificate authorities are not yet correctly set up.

It could be a variety of factors to check:

  • your path to ca-bundle.crt has the correct path separators for your OS (it got me),
  • you may not have the latest CAs to validate the normal certificates,
  • you may not have added the CA in the correct encoding.

Python is effectively doing these 3 steps:

  • find my CA store,
  • read all entries,
  • find this certificate in my trust store.

If any of those fail you get this error message, from experience.

Check this answer linked from below to display and check your ssl_cert_dir using:

python -c "import ssl; print(ssl.get_default_verify_paths())"
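As an added example (not part of the original answer), a small Python script that checks a ca-bundle.crt for the encoding mistakes the troubleshooting list above points at (four-dash markers, a body that is not base64, a binary DER export) and then loads the file the way Python's ssl module does, so you can see which of the three steps fails before editing pip's global.cert. The sample PEM bodies are constructed and are not real certificates.

```python
"""Sanity-check a ca-bundle.crt before pip/conda use (added example; samples are constructed)."""
import base64
import os
import re
import ssl

# A PEM block is exactly five dashes around BEGIN/END with base64 in between.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed samples: a well-formed block (body decodes to a DER SEQUENCE),
# the four-dash marker mistake, and a body that is not base64 at all.
SAMPLE_OK = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_FOUR_DASHES = b"----BEGIN CERTIFICATE----\nMAMCAQU=\n----END CERTIFICATE----\n"
SAMPLE_NOT_B64 = b"-----BEGIN CERTIFICATE-----\nnot*base64!\n-----END CERTIFICATE-----\n"


def inspect_bundle(data: bytes) -> dict:
    """Count PEM blocks and list encoding problems that make Python reject them."""
    problems = []
    if data[:1] == b"\x30" and b"BEGIN CERTIFICATE" not in data:
        # DER starts with an ASN.1 SEQUENCE tag: a binary browser export lands here
        problems.append("file is binary DER, not PEM: re-export as base64 PEM")
    text = data.decode("latin-1")  # lossless decode, keeps every byte
    if "BEGIN CERTIFICATE" in text and not PEM_RE.search(text):
        problems.append("BEGIN/END markers malformed (need exactly 5 dashes)")
    blocks = PEM_RE.findall(text)
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"block {i}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append(f"block {i}: decoded data is not a DER SEQUENCE")
    if not blocks:
        problems.append("no certificate blocks found")
    return {"blocks": len(blocks), "problems": problems}


def python_can_load(path: str):
    """Load the bundle the way pip's ssl stack does; return error text or None."""
    expanded = os.path.expandvars(os.path.expanduser(path))
    if not os.path.isfile(expanded):
        return f"not a file: {expanded!r} (check path separators for your OS)"
    try:
        ssl.create_default_context().load_verify_locations(cafile=expanded)
    except ssl.SSLError as exc:
        return f"OpenSSL rejected the bundle: {exc}"
    return None  # loaded fine; compare with ssl.get_default_verify_paths()
```

Run `inspect_bundle(open(path, "rb").read())` on your real bundle first, then `python_can_load(path)` with the exact string you gave to pip config set global.cert.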
