Working environment
- CentOS 7.9
- Python 3.8.18
- OpenSSL 1.1.1n
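Build and install
OpenSSL
# Download and configure OpenSSL
# --no-check-certificate skips TLS verification of the download, so check the tarball
# against the checksum or signature published by the OpenSSL project before building
wget https://www.openssl.org/source/openssl-1.1.1n.tar.gz --no-check-certificate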
tar -zxvf openssl-1.1.1n.tar.gz
cd ./openssl-1.1.1n
./config --prefix=/usr/local/openssl
# Build and install OpenSSL
make && make install
# Replace the existing OpenSSL version
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
# Make the new OpenSSL environment take effect
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln -sf /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so
ln -sf /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so
# Check the installation result
openssl version
Python
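# Download and configure Python
# --no-check-certificate skips TLS verification of the download, so check the tarball
# against the checksum or signature published on python.org before building
wget https://www.python.org/ftp/python/3.8.18/Python-3.8.18.tgz --no-check-certificate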
tar zxf ./Python-3.8.18.tgz
cd ./Python-3.8.18
./configure --prefix=/usr/local/python3 --with-openssl=/usr/local/openssl --with-openssl-rpath=auto
# Build and install Python
make && make install
# CentOS 7.6 through 7.9 all have Python 3.6, so back it up first
mv /usr/bin/python3 /usr/bin/python3.old
# Replace the old Python
ln -sf /usr/local/python3/bin/pip3 /usr/bin/pip3
ln -sf /usr/local/python3/bin/python3 /usr/bin/python3
# Verify the installation
python3 --version
# Install dependencies
pip3 install requests
Reproducing the failure
Run the following script:
import requests
resp = requests.get("https://opbnb.publicnode.com/")
print(resp)
The following error appears:
Cannot connect to host opbnb.publicnode.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')]
Solution
Use the following code to query the default certificate verification paths:
import ssl
print(ssl.get_default_verify_paths())
# DefaultVerifyPaths(cafile=None, capath='/usr/local/openssl/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/openssl/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/openssl/ssl/certs')
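The file /usr/local/openssl/ssl/cert.pem does not exist. An OpenSSL built with --prefix=/usr/local/openssl looks for its trust store under /usr/local/openssl/ssl, and a fresh install leaves that location without any CA certificates, so no issuer can be found. Run the following command to link the system CA bundle to that path:
# A symlink works across filesystems and always resolves to the current system bundle
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /usr/local/openssl/ssl/cert.pem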
Run the requests script again to verify
# No error; the output is:
# <Response [200]>
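To check the same thing without making a network request, the following added example (not code from the original post) reports which CA file and directory the interpreter's OpenSSL will consult and whether either is usable. The function names resolve_trust_sources and make_paths are hypothetical, and the check only confirms that a source exists and is non-empty, not that its contents are valid certificates.

```python
import os
import ssl

def resolve_trust_sources(paths=None, environ=None):
    """Report which CA file/dir OpenSSL consults by default and whether each is usable."""
    if paths is None:
        paths = ssl.get_default_verify_paths()
    environ = os.environ if environ is None else environ
    # SSL_CERT_FILE / SSL_CERT_DIR, when set, replace the compiled-in locations.
    cafile = environ.get(paths.openssl_cafile_env, paths.openssl_cafile)
    capath = environ.get(paths.openssl_capath_env, paths.openssl_capath)
    cafile_ok = os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    capath_ok = os.path.isdir(capath) and bool(os.listdir(capath))
    return {
        "cafile": cafile,
        "cafile_ok": cafile_ok,
        # A link whose target is gone looks installed in ls but loads nothing.
        "cafile_dangling": os.path.islink(cafile) and not os.path.exists(cafile),
        "capath": capath,
        "capath_ok": capath_ok,
        # With neither source usable, verified handshakes fail with
        # "unable to get local issuer certificate".
        "can_verify": cafile_ok or capath_ok,
    }

def make_paths(openssl_dir):
    """Constructed DefaultVerifyPaths for an OpenSSL whose OPENSSLDIR is openssl_dir."""
    return ssl.DefaultVerifyPaths(
        None, None,
        "SSL_CERT_FILE", os.path.join(openssl_dir, "cert.pem"),
        "SSL_CERT_DIR", os.path.join(openssl_dir, "certs"),
    )

if __name__ == "__main__":
    # Live check against the interpreter that runs this script.
    for key, value in resolve_trust_sources().items():
        print(f"{key:16} {value}")
    # Certificates from cafile are loaded eagerly; capath entries are loaded
    # on demand during a handshake and are not counted here.
    print("loaded at start:", ssl.create_default_context().cert_store_stats())
```

Run it with the newly built python3 before and after creating the link: can_verify should change from False to True.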