Python (pip) throwing [SSL: CERTIFICATE_VERIFY_FAILED] even if certificate chain updated


Problem description

This is a follow-up to a previous SO post.

I am using Windows/cygwin and I have the need for python to understand a custom CA certificate, as the network infrastructure resigns all SSL requests with its own certificate.

If I try to run pip search SimpleHTTPServer, I get the following error message:

...
  File "c:\users\erbe\appdata\local\programs\python\python35-32\lib\ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

I have tried to add the certificates to my list of trusted certificates by doing the following:


  1. Copy my .pem file to /etc/pki/ca-trust/source/anchors
  2. update-ca-trust extract

I have verified that this works as I can now point to the generated PEM file and run pip successfully: pip --cert /usr/local/ssl/cert.pem search SimpleHTTPServer:

$ pip --cert tls-ca-bundle.pem search SimpleHTTPServer
ComplexHTTPServer (0.1)      - A Multithreaded Python SimpleHTTPServer
SimpleTornadoServer (1.0)    - better SimpleHTTPServer using tornado
rangehttpserver (1.2.0)      - SimpleHTTPServer with support for Range requests

However, I want this to work without having to specify the certificate manually every time. I am hoping to update the certificate chain that python uses:

$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/ssl/certs')



I have verified that through a series of symlinks, that /usr/local/ssl/cert.pem points to the same file. However, if I execute pip, I still get the [SSL: CERTIFICATE_VERIFY_FAILED] error message.

I uninstalled the Windows version of python, and reinstalled the Cygwin version of python. With it, I ran easy_install-2.7 pip. Now at least I am able to execute pip with the full certificate path without an error message:

$ pip --cert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem search simpleHttpServer
LittleHTTPServer (0.5.0)     - Little bit extended SimpleHTTPServer
SimpleHTTP404Server (0.2.0)  - A Python SimpleHTTPServer, but serves 404.html if a page is not found.
django-localsrv (0.1.2)      - Django app for serving static content from different sources (files, strings, urls, etc.) at custom paths,

Just to be safe, I also tried updating the SSL_CERT_DIR variable to point to /etc/pki/ca-trust-extracted/pem and set the SSL_CERT_FILE to /etc/pki/ca-trust-extracted/pem/tls-ca-bundle.pem but these do not work:

$ set | grep SSL
SSL_CERT_DIR=/etc/pki/ca-trust/extracted/pem
SSL_CERT_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', capath='/etc/pki/ca-trust/extracted/pem', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/ssl/certs')


$ pip search simpleHttpServer
Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  ...
  ...
  File "/usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/adapters.py", line 477, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

What am I doing wrong? Is this a cygwin vs Windows problem? Which PEM files do I need to update?

Recommended answer

You can add pip command line option defaults to its configuration file. In Windows, it should be located under %APPDATA%\pip\pip.ini.

To add a certificate, put the following lines in the file:

[global]
cert = windows path to your certificate
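
An added example, not part of the original answer: a script that writes the `cert` default into the per-user pip configuration file after checking that OpenSSL can actually read a CA certificate from the bundle. The function names are hypothetical, and the `pip.conf` location used for Cygwin and other Unix-style Pythons (`~/.config/pip/pip.conf`) is an assumption based on pip's documented per-user config path.

```python
import configparser
import os
import ssl
import sys
from pathlib import Path


def pip_config_path(platform=sys.platform, env=os.environ):
    """Per-user pip config file for the interpreter that will run pip."""
    if platform == "win32":  # native Windows Python, as in the answer
        return Path(env["APPDATA"]) / "pip" / "pip.ini"
    # Cygwin reports sys.platform == "cygwin" and follows the Unix layout.
    base = env.get("XDG_CONFIG_HOME") or os.path.join(env["HOME"], ".config")
    return Path(base) / "pip" / "pip.conf"


def bundle_is_loadable(cafile):
    """True only if OpenSSL can read at least one CA certificate from cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=str(cafile))
    except OSError:  # ssl.SSLError is an OSError subclass
        return False
    return bool(ctx.get_ca_certs())


def set_pip_cert(cafile, config_file, check=bundle_is_loadable):
    """Write `cert = <cafile>` under [global], keeping existing settings."""
    if not check(cafile):
        raise ValueError("no usable CA certificate in %s" % cafile)
    cfg = configparser.ConfigParser(interpolation=None)  # paths may contain '%'
    cfg.read(str(config_file))
    if not cfg.has_section("global"):
        cfg.add_section("global")
    cfg.set("global", "cert", str(cafile))
    Path(config_file).parent.mkdir(parents=True, exist_ok=True)
    with open(str(config_file), "w") as fh:
        cfg.write(fh)
    return Path(config_file)


if __name__ == "__main__":
    # Bundle path taken from the question; adjust to the local trust store.
    bundle = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    print(set_pip_cert(bundle, pip_config_path()))
```

Run it with the same interpreter that runs pip, since a native Windows Python and a Cygwin Python resolve different config files.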
