Python 请求 - 如何使用系统 ca 证书(debian/ubuntu)? [英] Python Requests - How to use system ca-certificates (debian/ubuntu)?

问题描述

我已经在 debian 的 /usr/share/ca-certificates/local 中安装了一个自签名的根 ca 证书，并使用 sudo dpkg-reconfigure ca-certificates 安装它们>.此时 true |gnutls-cli mysite.local 很开心，true |openssl s_client -connect mysite.local:443 很高兴，但 python2 和 python3 requests 模块坚持认为它对证书不满意.

I've installed a self-signed root ca cert into debian's /usr/share/ca-certificates/local and installed them with sudo dpkg-reconfigure ca-certificates. At this point true | gnutls-cli mysite.local is happy, and true | openssl s_client -connect mysite.local:443 is happy, but python2 and python3 requests module insists it is not happy with the cert.

python2:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

python3

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/bin/python3.5/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

为什么python会忽略系统ca-certificates bundle，我该如何集成?

推荐答案

来自 https://stackoverflow.com/a/33717517/1695680

要使 python 请求使用系统 ca-certificates 包，需要告诉它在自己的嵌入式包上使用它

To make python requests use the system ca-certificates bundle, it needs to be told to use it over its own embedded bundle

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

---

Requests 在此处嵌入了它的包，以供参考:

---

Requests embeds its bundles here, for reference:

/usr/local/lib/python2.7/site-packages/requests/cacert.pem
/usr/lib/python3/dist-packages/requests/cacert.pem

或者在较新的版本中使用附加包从以下位置获取证书:https://github.com/certifi/python-certifi

Or in newer versions use additional package to obtain certificates from: https://github.com/certifi/python-certifi

要验证从哪个文件加载证书，您可以尝试:

To verify from which file certificates are loaded, you can try:

Python 3.8.5 (default, Jul 28 2020, 12:59:40) 
>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'

这篇关于Python 请求 - 如何使用系统 ca 证书(debian/ubuntu)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！