在小牛队的python中SSL证书验证失败(SSL certificate verification failure in python on Mavericks)
我坚持持续的SSL验证问题。
SSL:CERTIFICATE_VERIFY_FAILED
我在构建一个让用户使用Mozilla Persona进行身份验证的Django应用程序时发现了这个错误。
(python3.4)> import requests (python3.4)> requests.get('https://verifier.login.persona.org')
我收到
SSL: CERTIFICATE_VERIFY_FAILED
追踪从urllib3
到ssl
requests
:... "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/ssl.py", line 805, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598) ... "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/requests-2.4.1-py3.4.egg/requests/packages/urllib3/connectionpool.py", line 543, in urlopen raise SSLError(e) requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598) ... "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/requests-2.4.1-py3.4.egg/requests/adapters.py", line 420, in send raise SSLError(e, request=request) requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
python3和python2之间的区别
这是它开始变得有趣的地方:使用python2.7时我没有遇到同样的问题:
(python2.7)> import requests (python2.7)> requests.get('https://verifier.login.persona.org') <Response [200]>
我的第一个想法是两个版本的
requests
可能使用不同的证书[1],所以我很惊讶地发现这两个文件完全相同:(bash)$ diff `python3.4 -c "import requests; print(requests.certs.where())"` \ `python2.7 -c "import requests; print requests.certs.where()"` # no diff
在openssl中重新创建错误并使用-CAFile解决
有趣的是,问题不仅限于python3.4 [2]。
(bash)$ openssl s_client -connect github.com:443 ... Verify return code: 20 (unable to get local issuer certificate)
编辑来自Steffen的评论告诉我,这种“调试”方法实际上并不具备信息性,因为
s_client
需要-CApath才能进行验证。 但是,我可以指定requests
包使用的相同证书并且我没有得到相同的错误这一事实仍然很有趣:(bash)$ openssl s_client -connect github.com:443 \ -CAfile `python3 -c 'import requests; print(requests.certs.where())'` ... Verify return code: 0 (ok)
在这一点上,我完全脱离了我的元素。 我不知道这是否真的是一个
openssl
问题,或者OSX Mavericks的问题[3]。 这是我正在使用的openssl的版本:(bash)$ openssl version OpenSSL 1.0.1f 6 Jan 2014
小牛KeyChain.app
对于特定于操作系统的解决方案,我已经尝试清除我的登录KeyChain [4],但无济于事。
pip的问题
最后一点证据可能相关或不相关。 python3.4带有完整的pip。 但是,pip3命令对我来说没用。 无论我尝试安装什么:
(bash)$ pip3 install [new-lib] # pip 1.5.6
我明白了:
Downloading/unpacking [new-lib] Cannot fetch index base URL https://pypi.python.org/simple/ Could not find any downloads that satisfy the requirement [new-lib] Cleaning up... No distributions at all found for [new-lib] Storing debug log for failure in ~/.pip/pip.log
虽然这不是(明确地)SSL错误,但它看起来很相似[5]并且成功的解决方法是在我的
virtualenv
[5]中使用easy_install
安装旧版本的pip。 我正在指责两个问题是相关的。回顾:
- 寻求SSL证书失败错误的可能解决方案(在
requests
调用中不使用verify = False
)。- 我在python3.4中得到错误但不是python2.7,即使在两种情况下使用的cert.pem完全相同。
- 虽然我可以使用
openssl s_client -connect
重新创建SSL错误,但我可以通过将-CAFile
指定给请求库使用的cert.pem来避免它。- 我最好的猜测是,这是小牛队特有的问题,但我不知道如何继续。
- 我希望找到一个解决方案,也允许我使用pip3按预期安装python3.4软件包。
谢谢你的帮助!
[1]:我的机器上的python2.7是使用Enthought安装的。 但是安装python2.7的系统版本和请求库也可以。
[2]:使用python 2.7查看openssl,python请求错误:“certificate verify failed”
[3]:小牛似乎引入了openssl的变化? http://curl.haxx.se/mail/archive-2013-10/0036.html
[4]:从这里清理KeyChain.app:https://superuser.com/a/721629/261875
[5]:pip3发生SSL错误: https ://stackoverflow.com/a/22051466/2506078
I'm stuck on a persistent SSL verification issue.
SSL: CERTIFICATE_VERIFY_FAILED
I discovered the error while building a Django app that had users authenticate using Mozilla Persona.
(python3.4)> import requests (python3.4)> requests.get('https://verifier.login.persona.org')
I get a
SSL: CERTIFICATE_VERIFY_FAILED
tracing back fromrequests
tourllib3
tossl
:... "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/ssl.py", line 805, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598) ... "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/requests-2.4.1-py3.4.egg/requests/packages/urllib3/connectionpool.py", line 543, in urlopen raise SSLError(e) requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598) ... "/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/requests-2.4.1-py3.4.egg/requests/adapters.py", line 420, in send raise SSLError(e, request=request) requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
Difference between python3 and python2
Here's where it starts to get interesting: I don't get the same issue when using python2.7:
(python2.7)> import requests (python2.7)> requests.get('https://verifier.login.persona.org') <Response [200]>
My first thought was that the two versions of
requests
might be using different certs[1], so I was pretty surprised to find the two files were exactly the same:(bash)$ diff `python3.4 -c "import requests; print(requests.certs.where())"` \ `python2.7 -c "import requests; print requests.certs.where()"` # no diff
Error recreated in openssl and solved using -CAFile
Interestingly, the issue is not limited to python3.4[2].
(bash)$ openssl s_client -connect github.com:443 ... Verify return code: 20 (unable to get local issuer certificate)
Edit A comment from Steffen informed me that this "debugging" method isn't actually informative, as
s_client
expects a -CApath in order to verify. However, the fact that I can specify the same certificate that therequests
package is using and I don't get the same error is still interesting:(bash)$ openssl s_client -connect github.com:443 \ -CAfile `python3 -c 'import requests; print(requests.certs.where())'` ... Verify return code: 0 (ok)
At this point, I'm completely out of my element. I don't know is if this is really an
openssl
issue, or something about OSX Mavericks[3]. Here's the version of openssl I'm using:(bash)$ openssl version OpenSSL 1.0.1f 6 Jan 2014
Mavericks KeyChain.app
For OS-specific solutions, I've tried clearing my login KeyChain[4], to no avail.
Issues with pip
There's one last bit of evidence that may or may not be relevant. python3.4 ships with pip intact. However, the pip3 command is useless to me. No matter what I try to install:
(bash)$ pip3 install [new-lib] # pip 1.5.6
I get:
Downloading/unpacking [new-lib] Cannot fetch index base URL https://pypi.python.org/simple/ Could not find any downloads that satisfy the requirement [new-lib] Cleaning up... No distributions at all found for [new-lib] Storing debug log for failure in ~/.pip/pip.log
Although this isn't (explicitly) an SSL error, it seems similar[5] and a successful workaround has been to install an older version of pip using
easy_install
in myvirtualenv
s[5]. I'm crossing my fingers that the two issues are related.Recap:
- Seeking possible solutions for SSL certificate failure error (without using
verify = False
in therequests
calls).- I get the error in python3.4 but not python2.7 even though the cert.pem used in both cases is exactly the same.
- Though I can recreate an SSL error using
openssl s_client -connect
I can avoid it by specifying-CAFile
to the cert.pem used by the requests library.- My best guess is that this is an issue particular to Mavericks, but I have no idea how to proceed.
- I'm hoping to find a solution that also allows me to use pip3 to install python3.4 packages as expected.
Thanks for your help!
[1]: python2.7 on my machine was installed using Enthought. But installing a system version of python2.7 and the requests library works too.
[2]: See openssl, python requests error: "certificate verify failed" for a similar problem using python 2.7
[3]: It seems Mavericks introduced a change in openssl? http://curl.haxx.se/mail/archive-2013-10/0036.html
[4]: Clearning KeyChain.app from here: https://superuser.com/a/721629/261875
[5]: SSL error with pip3: https://stackoverflow.com/a/22051466/2506078
原文:https://stackoverflow.com/questions/25835554
最满意答案
您可以编写一个shell脚本来提示输入密码,如下所示:
passphrase="" while [ -z "$passphrase" ]; do read -p "Passphrase: " passphrase done ssh-keygen -N $passphrase -t rsa
它将继续提示,直到他们在密码中输入一个字符串。 你可能想让它更平滑,但它会让你开始。
You could write a shell script to prompt for the passphrase, something like this:
passphrase="" while [ -z "$passphrase" ]; do read -p "Passphrase: " passphrase done ssh-keygen -N $passphrase -t rsa
It will keep prompting until they enter a string in the passphrase. You might want to make it smoother, but it'll get you started.
相关问答
更多-
请使用gnupg(命令为gpg),我干过这种事,如果觉得字符界面不方便的话,可以安装一些图形前端,比如kde下的kgpg或者kleopatra,不但可以加密字符串,而且可以加密二进制数据 ssh-keygen生成出来的密钥只能用来“验证” 而你需要的是“加密” 补充回答: gpg绝对可以,我曾经用gpg加密过4.5G的DVD iso,不过,正如你知道的那样,公钥体制速度是巨慢的。 假设你已经创建了密钥对名称为abc, 要加密M07A0bpp-Duke.pdf gpg -e -r abc M07A0bpp-D ...
-
自动化ssh-keygen -t rsa,因此它会询问密码[closed](Automate ssh-keygen -t rsa so it DOES ask for a passphrase [closed])[2024-01-10]
您可以编写一个shell脚本来提示输入密码,如下所示: passphrase="" while [ -z "$passphrase" ]; do read -p "Passphrase: " passphrase done ssh-keygen -N $passphrase -t rsa 它将继续提示,直到他们在密码中输入一个字符串。 你可能想让它更平滑,但它会让你开始。 You could write a shell script to prompt for the passphrase, so ... -
香草节点中的ssh-keygen(ssh-keygen in vanilla Node)[2022-01-06]
目前不能使用加密模块。 看到这个 github问题打开要求支持。 还有像@Jiby所建议的选择,还有openssl的轻量级包装,你可以使用它。 It is not currently possible using the crypto module. See this github issue opened asking to support this. There are alternatives like the one suggested by @Jiby and also lightweight w ... -
这在ssh-keygen手册中有记录: -A 对于不存在主机密钥的每种密钥类型(rsa1,rsa,dsa,ecdsa和ed25519),请使用默认密钥文件路径 ,空密码短语,密钥类型的默认位以及默认注释生成主机密钥 。 系统管理脚本使用它来生成新的主机密钥。 所以,如果你的系统还没有主机密钥, ssh-keygen -A会创建它们。 重新创建主机密钥将导致您的SSH客户端抱怨下次连接到计算机时发生更改的主机的密钥指纹,并... Are you sure you want to continue connec ...
-
您需要将-f选项传递给ssh-keygen以使其跳过此交互式问题。 You need to pass the -f option to ssh-keygen to make it skip this interactive question.
-
请参阅svn手册中有关如何使用--tunnel-user命令的说明。 我想象乔治出现的原因是John因为你没有告诉ssh会话是哪个用户,所以它违约了约翰的账号。 为了澄清,原始海报有两种选择。 为George创建一个新的用户帐户。 这假设他有超级用户访问权限。 生成第二个密钥(理想情况下George执行此操作),附加到John帐户的.ssh / authorized_keys文件,并将上述链接的命令添加到.ssh / authorized_users文件中,如上所述。 该链接还描述了如何限制其他用户对Joh ...
-
在尝试阅读stdout问题之前: stdin.channel.shutdown_write() 另请参阅此问题以供参考。 Before attempting to read the stdout issue: stdin.channel.shutdown_write() See also this question for reference.
-
使用OpenSSL和SSH的公钥ssh-keygen生成私钥(Generate Private key with OpenSSL and Public key ssh-keygen for SSH)[2022-07-19]
在做了一些研究和实验后,我找到了最简单的解决方案。 使用密码长度为32或更多字符的openssl生成安全私钥,然后使用ssh-keygen命令获取所需的输出。 ssh-keygen -y -f private.pem > public_key.pub 它准确无误! After doing some research and experiments I landed on the simplest solution. Generate secure private key using openssl wi ... -
PowerShell似乎删除了空的双引号,可能需要转义它们。 使用""""而不是""似乎有效。 另外,我认为应该使用-P (密码)而不是-N (如果你改变它,则使用新的密码)。 所以最后的命令行是ssh-keygen -t rsa -C "$MyEmailAddress" -f "id_rsa_test" -P """" 。 PowerShell seems to remove the empty double quotes and probably requires to escape them. Usi ...
-
使用Paramiko而不是pycrypto来管理这个: import paramiko from paramiko import rsakey kf = open("sshk", "r") dlist = ["foo", "bar", "foobar", "klunssi", "xyzzy"] for d in dlist: kf.seek(0) try: nk = rsakey.RSAKey.from_private_key(kf, password=d) ...