SSL:CERTIFICATE_VERIFY_FAILED]证书验证失败 [英] SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
问题描述
我正在使用python 2.7.10
I am using python 2.7.10
request = urllib2.Request(url, data=urllib.urlencode(params))
f = urllib2.urlopen(request))
导致以下异常:
urlopen错误[SSL:CERTIFICATE_VERIFY_FAILED]证书验证失败(_ssl.c:590)
cause the following exception: urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
URL是IIS中托管的网站,我们的组织为ca sign cert。
我已经将根证书导入 Windows证书管理器,我可以安全地在浏览器中打开URL ,而不会遇到类似有问题的消息本网站的安全证书。
URL is a website hosted in IIS with our organizations ca sign cert. I have already imported the root cert into windows certificate manager and I am able to open the URL in browser securely without encountering message like "There is a problem with this website’s security certificate."
如何解决此问题?
我不想禁用SSL验证
How do I go about troubleshooting this issue? I do not want to disable the SSL verification
推荐答案
当您通过浏览器访问URL时,您的浏览器将成为客户端服务器成为托管哪个Web站点。现在,由于您已经为浏览器导入了CA证书,这就是为什么网站在浏览器中无错误地打开的原因。
When you access URL through browser, you browser becomes client and server becomes on which Web site is hosted. Now, since you have imported CA certificate for browser, that's why web site is opening without error in browser.
现在,当您从python脚本打开同一个网站时,客户端成为你的python脚本,它不知道这个CA证书。 Python脚本不使用 Windows证书存储,因此您必须指定要对其进行证书验证的 CA证书。
Now, when you open same website from your python script, client becomes your python script and it is not aware of this CA certificate. Python script do not use the Windows Certificate Store, so you will have to specify a CA certificate against which the certificate verification will be done.
所以,你明确告诉脚本有关CA证书的内容如下:
So, you have tell explicitly to script regarding CA certificate which can as follow:
urllib2.urlopen("https://dinesh.com", cafile="test_cert.pem")
你可以在这里找到文档: urllib2.urlopen 。
You can find the documentation here: urllib2.urlopen.
更新
以上链接的片段:
可选的
cafile和capath参数为HTTPS请求指定一组
可信CA证书。cafile应将
指向包含一组CA证书的单个文件,而
capath应指向散列证书文件的目录。更多信息可以在
ssl中找到.SSLContext.load_verify_locations() 。
The optional
cafileandcapathparameters specify a set of trusted CA certificates for HTTPS requests.cafileshould point to a single file containing a bundle of CA certificates, whereascapathshould point to a directory of hashed certificate files. More information can be found in ssl.SSLContext.load_verify_locations().
这篇关于SSL:CERTIFICATE_VERIFY_FAILED]证书验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
