本文翻译自:Python Requests throwing SSLError
I'm working on a simple script that involves CAS, jspring security check, redirection, etc. I would like to use Kenneth Reitz's python requests because it's a great piece of work! 我正在研究一个简单的脚本,涉及CAS,jspring安全检查,重定向等。我想使用Kenneth Reitz的python请求,因为这是一项很棒的工作! However, CAS requires getting validated via SSL so I have to get past that step first. 但是,CAS需要通过SSL进行验证,因此我必须首先通过该步骤。 I don't know what Python requests is wanting? 我不知道想要什么Python请求吗? Where is this SSL certificate supposed to reside? 该SSL证书应该存放在哪里?
Traceback (most recent call last):
File "./test.py", line 24, in <module>
response = requests.get(url1, headers=headers)
File "build/bdist.linux-x86_64/egg/requests/api.py", line 52, in get
File "build/bdist.linux-x86_64/egg/requests/api.py", line 40, in request
File "build/bdist.linux-x86_64/egg/requests/sessions.py", line 209, in request
File "build/bdist.linux-x86_64/egg/requests/models.py", line 624, in send
File "build/bdist.linux-x86_64/egg/requests/models.py", line 300, in _build_response
File "build/bdist.linux-x86_64/egg/requests/models.py", line 611, in send
requests.exceptions.SSLError: [Errno 1] _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
#1楼
参考:https://stackoom.com/question/ilDs/Python请求抛出SSLError
#2楼
From requests documentation on SSL verification : 从关于SSL验证的请求文档中 :
Requests can verify SSL certificates for HTTPS requests, just like a web browser. 就像网络浏览器一样,请求可以验证HTTPS请求的SSL证书。 To check a host's SSL certificate, you can use the verify argument: 要检查主机的SSL证书,可以使用verify参数:
>>> requests.get('https://kennethreitz.com', verify=True)
If you don't want to verify your SSL certificate, make verify=False 如果您不想验证SSL证书,请使verify=False
#3楼
The problem you are having is caused by an untrusted SSL certificate. 您遇到的问题是由不受信任的SSL证书引起的。
Like @dirk mentioned in a previous comment, the quickest fix is setting verify=False : 就像上一条评论中提到的@dirk一样, 最快的解决方法是设置verify=False :
requests.get('https://example.com', verify=False)
Please note that this will cause the certificate not to be verified. 请注意,这将导致证书不被验证。 This will expose your application to security risks, such as man-in-the-middle attacks. 这会使您的应用程序面临安全风险,例如中间人攻击。
Of course, apply judgment. 当然要运用判断力。 As mentioned in the comments, this may be acceptable for quick/throwaway applications/scripts, but really should not go to production software . 正如在评论中提到的,这可能是快速/一次性应用程序/脚本可以接受的, 但真的不应该去制作软件 。
If just skipping the certificate check is not acceptable in your particular context, consider the following options, your best option is to set the verify parameter to a string that is the path of the .pem file of the certificate (which you should obtain by some sort of secure means). 如果在特定情况下仅跳过证书检查是不可接受的,请考虑以下选项,最好的选择是将verify参数设置为字符串,该字符串是证书的.pem文件的路径(应由某些人获取)一种安全的手段)。
So, as of version 2.0, the verify parameter accepts the following values, with their respective semantics: 因此,从2.0版开始, verify参数接受以下值以及它们各自的语义:
-
True: causes the certificate to validated against the library's own trusted certificate authorities (Note: you can see which Root Certificates Requests uses via the Certifi library, a trust database of RCs extracted from Requests: Certifi - Trust Database for Humans ).True:使证书根据库自身的可信证书颁发机构进行验证(注意:您可以通过Certifi库查看哪些根证书请求使用,Certifi库是从Requests: Certifi-Human Trust Database中提取的RC的信任数据库)。 -
False: bypasses certificate validation completely .False: 完全绕过证书验证。 - Path to a CA_BUNDLE file for Requests to use to validate the certificates. CA_BUNDLE文件的路径,供请求用于验证证书。
Source: Requests - SSL Cert Verification 来源: 请求-SSL证书验证
Also take a look at the cert parameter on the same link. 还要查看同一链接上的cert参数。
#4楼
The name of CA file to use you could pass via verify : 您可以通过verify使用的CA文件名:
cafile = 'cacert.pem' # http://curl.haxx.se/ca/cacert.pem
r = requests.get(url, verify=cafile)
If you use verify=True then requests uses its own CA set that might not have CA that signed your server certificate. 如果使用verify=True则requests将使用其自己的CA集,该CA集可能没有用于签署服务器证书的CA。
#5楼
I have found an specific approach for solving a similar issue. 我找到了解决类似问题的特定方法。 The idea is pointing the cacert file stored at the system and used by another ssl based applications. 这个想法是指向存储在系统上的cacert文件,并由另一个基于ssl的应用程序使用。
In Debian (I'm not sure if same in other distributions) the certificate files (.pem) are stored at /etc/ssl/certs/ So, this is the code that work for me: 在Debian(我不确定其他发行版中是否相同)中,证书文件(.pem)存储在/etc/ssl/certs/因此,这是对我/etc/ssl/certs/的代码:
import requests
verify='/etc/ssl/certs/cacert.org.pem'
response = requests.get('https://lists.cacert.org', verify=verify)
For guessing what pem file choose, I have browse to the url and check which Certificate Authority (CA) has generated the certificate. 为了猜测选择哪个pem文件,我浏览了该URL,然后检查哪个证书颁发机构(CA)生成了证书。
EDIT: if you cannot edit the code (because you are running a third app) you can try to add the pem certificate directly into /usr/local/lib/python2.7/dist-packages/requests/cacert.pem (eg copying it to the end of the file). 编辑:如果您不能编辑代码(因为正在运行第三个应用程序),则可以尝试将pem证书直接添加到/usr/local/lib/python2.7/dist-packages/requests/cacert.pem (例如,复制)它到文件末尾)。
#6楼
I ran into the same issue. 我遇到了同样的问题。 Turns out I hadn't installed the intermediate certificate on my server (just append it to the bottom of your certificate as seen below). 原来我没有在服务器上安装中间证书(只需将其附加到证书的底部,如下所示)。
https://www.digicert.com/ssl-support/pem-ssl-creation.htm https://www.digicert.com/ssl-support/pem-ssl-creation.htm
Make sure you have the ca-certificates package installed: 确保已安装ca-certificates软件包:
sudo apt-get install ca-certificates
Updating the time may also resolve this: 更新时间也可以解决此问题:
sudo apt-get install ntpdate
sudo ntpdate -u ntp.ubuntu.com
If you're using a self-signed certificate, you'll probably have to add it to your system manually. 如果您使用的是自签名证书,则可能必须手动将其添加到系统中。
3万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
