Fix the error CERTIFICATE_VERIFY_FAILED (by quqi99)

作者：张华 发表于：2020-07-07
版权声明：可以任意转载，转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明

问题

在测试rbac时, 下列rbac调用candid时会报CERTIFICATE_VERIFY_FAILED这个错. 在读了rbac的代码之后, 确定rbac是在调用 https://node1.lan:8081/discharge/info 时抛的错.

maas (maas configauth --rbac-url https://node1.lan:5000/ --rbac-service-name maastest) -> rbac with https (https://node1.lan:5000/) -> candid with https (https://node1.lan:8081/discharge/info) -> ldap with https

奇怪的是, 我已经运行过这个命令( cp ~/certs/ca.crt /usr/share/ca-certificates/extras/ldap.crt && dpkg-reconfigure ca-certificates )了. 不应该啊.

sudo update-ca-certificates --fresh
$ export SSL_CERT_DIR=/etc/ssl/certs

curl测试

运行下列三个命令均无问题:

curl https://node1.lan:8081/discharge/info
curl https://node1.lan:8081/discharge/info -k
curl https://node1.lan:8081/discharge/info --cacert ~/certs/ca.crt

python测试 - urllib2.request

下列python代码测试也没问题

sudo bash -c 'cat > test.py' << EOF
#!/usr/bin/env python

import sys
import ssl
try:
    import urllib2 #python2
except:
    import urllib.request as urllib2 #python3

req = urllib2.Request(sys.argv[1], headers={'Bakery-Protocol-Version':'3'})
print(urllib2.urlopen(req).read())
EOF
mkdir /usr/share/ca-certificates/extras
cp ~/certs//ca.crt /usr/share/ca-certificates/extras/ldap.crt && dpkg-reconfigure ca-certificates
python test.py https://node1.lan:8081/discharge/info

python测试 - requests

奇了怪了, 只好继续调试代码, 发现rbac使用了pymacaroons (https://github.com/ecordell/pymacaroons), pymacaroons它又会调用requests (不是urllib2.request)
所以继续写了一个python测试, 问题就重现了:

bash -c 'cat > test2.py' << EOF
#!/bin/env python

import sys
import requests

url = sys.argv[1]
print(requests.get(url).read())
EOF

$ python test2.py https://node1.lan:8081/discharge/info
...
requests.exceptions.SSLError: HTTPSConnectionPool(host='node1.lan', port=8081): Max retries exceeded with url: /discharge/info (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificat