Python请求SSL错误-证书验证失败 [英] Python requests SSL error - certificate verify failed

问题描述

此代码

导入请求requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")

给我这个错误

[SSL: CERTIFICATE_VERIFY_FAILED] 证书验证失败 (_ssl.c:777)

我几乎对 SSL 一无所知，但我已经尝试下载站点的证书并使用 verify 选项指向该文件，但没有奏效.我错过了什么吗?

解决方案

正如评论中已经指出的那样:从 SSLLabs 报告.本报告关于您的问题的主要部分是:

<块引用>

此服务器的证书链不完整.等级上限为 B.

这意味着服务器没有发送验证证书所需的完整证书链.这意味着您需要在验证时自己添加缺少的证书.为此，您需要为缺少的链证书包含 PEM OurelCer, Inc.=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA 以及根 CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA 信息文件 my_trust_store.pem 然后你可以调用:

requests.get("https://...", verify='my_trust_store.pem')

<块引用>

...但我已经尝试下载站点的证书并使用验证选项指向该文件

这不适用于普通叶证书.由于 Python 的 SSL 堆栈基于 OpenSSL 并且 OpenSSL 仅期望信任存储中的受信任证书颁发机构(即通过 verify 提供)并且服务器证书不是 CA 证书，因此将其添加到信托商店.

This code

import requests
requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")

is giving me this error

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)

I know practically nothing about SSL, but I've tried downloading the site's certificate and pointing to that file using the verify option, but it hasn't worked. Am I missing something?

解决方案

As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:

This server's certificate chain is incomplete. Grade capped to B.

This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA info a file my_trust_store.pem and then you can call:

requests.get("https://...", verify='my_trust_store.pem')

... but I've tried downloading the site's certificate and pointing to that file using the verify option

This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify) and a server certificate is not CA certificate it will not help to add it to the trust store.

这篇关于Python请求SSL错误-证书验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！