How to make Python use CA certificates from Mac OS TrustStore?
Problem description
I need to use custom root certificates on the company intranet, and loading them in the Mac OS TrustStore (KeyChain) does solve the problem for all browsers and GUI apps.
It seems that it works even with the version of curl that ships with Mac OS X, but it doesn't work with Python, even the version that ships with Mac OS 10.12 Sierra (Python 2.7.10).
Still, it seems that I would be hit by:
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
How can I solve this?
Because I encounter this issue in lots and lots of Python tools, I would really appreciate it if I could find a way to avoid it without having to patch them.
Providing the custom CA certificate myself is not an option because I cannot patch tens of Python tools that I use.
Most of the tools are using the requests library but there are a few that are using the native ssl support in Python directly.
If you put the additional certificates in a PEM bundle file you can use these two environment variables to overwrite the default cert stores used by Python openssl and requests.
SSL_CERT_FILE=/System/Library/OpenSSL/cert.pem
REQUESTS_CA_BUNDLE=/System/Library/OpenSSL/cert.pem
Please note that this file does not exist, you need to build it yourself.
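One way to build that bundle from the macOS keychains and export the two variables named in the answer. This is an added example, not code from the original answer; the function names and the `$HOME/.ca-bundle.pem` path are hypothetical, and it assumes the standard macOS `security` tool and system keychain locations.

```shell
# Added example; function names and the bundle path are hypothetical.
# Requires macOS: `security` is the system keychain CLI.

# Count PEM certificates in a file (prints 0 for an empty file).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Export every certificate from the given keychains into one PEM bundle.
# usage: build_ca_bundle OUT_FILE KEYCHAIN...
build_ca_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for kc in "$@"; do
        # -a: all certificates in the keychain, -p: print them as PEM
        security find-certificate -a -p "$kc" >> "$tmp" || { rm -f "$tmp"; return 1; }
    done
    # Never install an empty bundle: every TLS verification would then fail.
    if [ "$(count_certs "$tmp")" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    # Everything in this file becomes a trusted root for Python, so keep it
    # writable by its owner only; replace atomically so readers never see half a file.
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# Point Python's ssl module (via OpenSSL) and requests at the bundle.
use_ca_bundle() {
    [ -s "$1" ] || return 1
    export SSL_CERT_FILE="$1"
    export REQUESTS_CA_BUNDLE="$1"
}

# Typical use after sourcing this file from a shell profile:
#   build_ca_bundle "$HOME/.ca-bundle.pem" \
#       /Library/Keychains/System.keychain \
#       /System/Library/Keychains/SystemRootCertificates.keychain
#   use_ca_bundle "$HOME/.ca-bundle.pem"
```

The bundle is a snapshot, so rebuild it whenever the corporate roots in the keychain change. `security find-certificate` exports certificates regardless of their keychain trust settings, so review what ends up in the file before pointing tools at it.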