背景
在linux 服务器上运行了一份python脚本,一直以来都是正常运行的。但是突然,天有不测风云,最近突然运行出错了。查看出错日志,发现如下错误信息。
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)
看上去是脚本访问某个 https 网页失败导致的。而且这个错误是偶现的,有时候,这个 https 网页有时候又可以正常访问。所以感觉这个问题特别的奇怪。
安装 ssl 库
其实以前有遇到这个问题,运行了以下俩条命令就解决了。命令如下:
yum install openssl-devel
yum install zlib-devel bzip2-devel sqlite sqlite-devel openssl-devel
执行完这俩条命令,然而这次并不能顺利解决问题。又出现了以下的错误信息。
curl https://www.baidu.com
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
简单翻译一下,就是百度的 ssl 证书不能被已知的 CA 验证。所以用浏览器打开百度网站很正常,这样看来应该是 linux 系统自带的证书库有点过时了吧,因此百度了一下,应该是需要更新证书库。
更新证书库
经过一番Google, 发现 linux 系统自带的证书库是 /etc/pki/tls/certs/ca-bundle.crt,所以大胆猜测是这个证书库自身的问题,至于为什么时灵时不灵,还真没有搞明白。时间比较紧急,先试一下更新一下本地证书库吧。Linux命令如下:
安装 ca-certificates
yum install ca-certificates
更新本地证书库
update-ca-trust -h
usage: /usr/bin/update-ca-trust [extract | check | enable | disable | force-enable | force-disable ]
update-ca-trust check
PEM/JAVA Status: DISABLED.
(Legacy setup with static files.)
PKCS#11 module Status, see symbolic links reported below:
lrwxrwxrwx 1 root root 28 Jul 16 10:08 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/nss/libnssckbi.so
(link resolving to NSS: using legacy static list)
(link resolving to p11-kit: using the new source configuration)
update-ca-trust enable
现在再试一下
curl https://www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head>......</html>
问题完美解决了。还有一个遗留的小问题是: linux 系统自带的证书库是 /etc/pki/tls/certs/ca-bundle.crt,但是时灵时不灵,这个问题还需要继续研究。各位看官也欢迎一起探索。
337
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
