Python requests SSL error - certificate verify failed


Problem description

This code

import requests
requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")

gives me this error

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)

I know practically nothing about SSL, but I've tried downloading the site's certificate and pointing to that file using the verify option, but it hasn't worked. Am I missing something?

Recommended answer

As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:

This server's certificate chain is incomplete. Grade capped to B.

This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA into a file my_trust_store.pem and then you can call:

requests.get("https://...", verify='my_trust_store.pem')


... but I've tried downloading the site's certificate and pointing to that file using the verify option

This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify) and a server certificate is not a CA certificate, it will not help to add it to the trust store.
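
Added example, not part of the original answer: a standard-library check of the answer's last point, to run before relying on a hand-built my_trust_store.pem. It writes only the certificates that OpenSSL counts as CAs and reports every other block (for example a leaf certificate) instead of storing it; the function names and the input file names are assumptions.

```python
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def classify_cert(pem_block):
    """Return 'ca', 'not-ca' or 'invalid' for one PEM certificate (a str)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # fresh context, empty store
    try:
        ctx.load_verify_locations(cadata=pem_block)
    except (ssl.SSLError, ValueError):
        return "invalid"
    # cert_store_stats() counts the loaded certificates and how many are CAs.
    return "ca" if ctx.cert_store_stats()["x509_ca"] else "not-ca"


def build_trust_store(pem_text, out_path):
    """Write the CA certificates found in pem_text to out_path.

    Returns (kept, rejected): the number of CA certificates written and a
    list of (position, status) for every block that was left out.
    """
    kept, rejected = [], []
    for pos, block in enumerate(PEM_CERT.findall(pem_text)):
        status = classify_cert(block)
        if status == "ca":
            kept.append(block)
        else:
            rejected.append((pos, status))
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write("\n".join(kept) + ("\n" if kept else ""))
    return len(kept), rejected


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file names): python build_store.py intermediate.pem root.pem
    text = "\n".join(open(p, encoding="ascii").read() for p in sys.argv[1:])
    kept, rejected = build_trust_store(text, "my_trust_store.pem")
    print(f"wrote {kept} CA certificate(s); left out: {rejected}")
    # Then, as in the answer: requests.get(url, verify="my_trust_store.pem")
```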
