Python'requests'[SSL：CERTIFICATE_VERIFY_FAILED]证书验证失败（_ssl.c：590） [英] Python 'requests' [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

问题描述

在提供特定证书路径至验证选项时，验证HTTPS端点时出现问题;设置'verify'为true，但是：

I have a problem verifiying a HTTPS endpoint when providing a specific certificate path to the 'verify' option; setting 'verify' to true DOES work however:

import requests

def run_tests():
    url="https://www.google.com"
    certfilename="google.crt"
    generate_cert_file( certfilename )
    response = requests.get( url, verify=False )
    print "URL:%s, Verify=False. Result: %s"%(url, response.status_code )
    response = requests.get( url, verify=True )
    print "URL:%s, Verify=True. Result: %s"%(url, response.status_code )
    response = requests.get( url, verify=certfilename )
    print "URL:%s, Verify=%s. Result: %s"%(url, certfilename, response.status_code )

def generate_cert_file( filename ):
    cert_text=('''\
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIIxZ+YmNtB9AwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwOTA5MjI1MzM5WhcNMTUxMjA4MDAwMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqH1dz
jOr385g9DXVZowTLkhjCoYGQ/zOLzslSFowYqZnlMiE7iZ8Vm9/iJfhStSMoA6gZ
87uqLENCi3NK+pk4+n1SIPRZS0jorb1jsyenMMy6Fxb9sQe3ndqZpWBtsW5ezW9t
7q5HWA1cNm1KSi2fmwZpDrSaN0TYQdFbRAz6cPf6J/P66qyEC7OInFgLsy4FDdp8
itpjCo/gnk2gz1vpWjiRYLCkz/dlFY3M3kR/s7YcJa7UP7BZ+QmmDfN3y4mxmEfn
Cg8rB25ZbD+oQ+Hua3/oMrx4r3lliou3yrD08/ABEqs16EEPX5wFHtI4CQYAUt5E
rEDl36bpvFD0QkfLAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBQHiMS+8X3+WcfbMQymf9yX9XA1yDAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAUvY5/JbZLfahjC4F
IZU0jVtGRBDa6tXLhCHAdwLHYLQdHn74oQ8Y1vxL0AYd7V2SBAgrDjCoK9bDQbQi
UZ7xwG9K2O75bS2qYc/OlZLJr0Gdfs71ZpQzlv14SGBXvwPuD6noj+hiZjqICd6t
3Rd5oIFiZvkhNDdN6Uag28rIfR8HECdlkbZNZeLZnyoIaxsprANvlEkY0wEbn1K9
kww3/SYKbdPJ8VQSUOtWgGsO1RPFaE4PP7hCg8Q062+mmCs0ZMQSvrzzv7JQsO5J
EkdG6691HdVA6z/rRGGX8E6assTnJLmVMxRayV+Do07KvywLONTInUWue8heHUSX
EHJZbg==
-----END CERTIFICATE-----\
''')
    with open(filename, "wb") as output:
        output.write(cert_text)

if __name__=='__main__':
   run_tests()

我在这里做错了吗？ （我嵌入了cert内联，使代码更容易运行，而不必提供一个单独的cert文件）

Am I doing something wrong here ? (I embedded the cert inline to make the code easier to run without having to provide a separate cert file)

我从git存储库获取请求历史中的最新版本TAG是V2.7.0，最新提交是46ff1a9a543cc4d33541aa64c94f50f0a698736e

I'm fetched 'requests' down from the git repository - the newest version TAG in the history is V2.7.0, and the latest commit is "46ff1a9a543cc4d33541aa64c94f50f0a698736e"

编辑：我实际上在这里有错误的证书（感谢Steffen Ullrich

I actually had the wrong certificate here (thanks Steffen Ullrich for pointing this out) : but I have now confirmed I have the correct cert/endpoint: and I get the same error.

我检索到了这样的证书：

I retrieved the cert like this:

openssl s_client -connect www.google.com:443

并将证书详细信息复制到python程序中。
这个问题实际上也发生在我自己的内部系统中 - 使用自签名证书（这是我真正的用例）。

And just copied the cert details into the python program. The issue is actually happening for my own in-house systems as well - using self-signed certs (which is my real use-case).

：'verify = True'选项实际上在哪里查找受信任的证书/ CA？ （在Java上，它将是'cacerts' - 不知道什么等效的Python /请求）。

Alternatively : where does the 'verify=True' option actually look for trusted certs/CAs ? (On Java it would be 'cacerts' - not sure what the equivalent here is for Python/requests ?).

我在这里的Windows平台。 p>

I'm on a Windows platform here.

推荐答案

您使用的证书仅适用于www.google.co.uk，但访问www.google.com。因此，证书根本不匹配。我不确定是否使用主机证书而不是发行者证书（即根CA或中间CA）将会工作。

You are using the certificate which is only valid for www.google.co.uk, but access www.google.com. Thus the certificate can not match at all. And I'm not sure if using the host certificate instead of an issuer certificate (i.e. root CA or intermediate CA) will work at all.

这篇关于Python'requests'[SSL：CERTIFICATE_VERIFY_FAILED]证书验证失败（_ssl.c：590）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！