一尘不染

Python Requests - how to use system ca-certificates (debian / ubuntu)?

python

I've installed a self-signed root CA cert into Debian's /usr/share/ca-certificates/local and installed it with sudo dpkg-reconfigure ca-certificates. At this point true | gnutls-cli mysite.local is happy, and true | openssl s_client -connect mysite.local:443 is happy, but the python2 and python3 requests module insists it is not happy with the cert.

python2:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

python3

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/bin/python3.5/site-packages/requests/api.py", line 70, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/bin/python3.5/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

Why does python ignore the system ca-certificates bundle, and how do I integrate it?


2020-12-20

1 answer

一尘不染

From http://codingdict.com/questions/664

To make python requests use the system ca-certificates bundle, it needs to be told to use it over its own embedded bundle:

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Requests embeds its bundles here, for reference:

/usr/local/lib/python2.7/site-packages/requests/cacert.pem
/usr/lib/python3/dist-packages/requests/cacert.pem

Or in newer versions, use an additional package to obtain certificates from: https://github.com/certifi/python-certifi

To verify from which file certificates are loaded, you can try:

Python 3.8.5 (default, Jul 28 2020, 12:59:40) 
>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'
2020-12-20
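
A diagnostic for the situation in this question, added here as an example (not code from the original answer): it reports which CA file requests verifies against by default and whether a locally installed root CA is actually in that file. The function names are made up for this example; the lookup order (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi) is the one requests applies when verify is left at its default and Session.trust_env is True.

```python
import hashlib
import os
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def effective_bundle(environ=os.environ, fallback=None):
    """CA file requests verifies against when verify= is not passed explicitly."""
    override = environ.get("REQUESTS_CA_BUNDLE") or environ.get("CURL_CA_BUNDLE")
    if override:
        return override
    if fallback is None:
        try:
            import certifi  # bundle used by newer requests versions
        except ImportError:
            return None     # certifi (and so requests) is not installed
        fallback = certifi.where()
    return fallback


def fingerprints(pem_path):
    """SHA-256 fingerprints of every certificate in a PEM file."""
    with open(pem_path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    return {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_BLOCK.findall(text)
    }


def ca_in_bundle(ca_path, bundle_path):
    """True if every certificate in ca_path also appears in bundle_path."""
    wanted = fingerprints(ca_path)
    return bool(wanted) and wanted <= fingerprints(bundle_path)


if __name__ == "__main__":
    bundle = effective_bundle()
    print("requests verifies against:", bundle)
    # Pass the .crt files installed under /usr/share/ca-certificates/local
    for ca in sys.argv[1:]:
        if bundle:
            print(ca, "present in bundle:", ca_in_bundle(ca, bundle))
```

Run it with the path of the root CA file as argument, once without and once with REQUESTS_CA_BUNDLE exported; the first run shows the local CA missing from the embedded bundle, the second shows it present in /etc/ssl/certs/ca-certificates.crt.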