首页 \ 问答 \ 在小牛队的python中SSL证书验证失败(SSL certificate verification failure in python on Mavericks)

在小牛队的python中SSL证书验证失败(SSL certificate verification failure in python on Mavericks)

 我坚持持续的SSL验证问题。  
 SSL：CERTIFICATE_VERIFY_FAILED  
 我在构建一个让用户使用Mozilla Persona进行身份验证的Django应用程序时发现了这个错误。  
(python3.4)> import requests
(python3.4)> requests.get('https://verifier.login.persona.org')
 
 我收到SSL: CERTIFICATE_VERIFY_FAILED追踪从urllib3到ssl requests ：  
...
"/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/ssl.py", line 805, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

...
"/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/requests-2.4.1-py3.4.egg/requests/packages/urllib3/connectionpool.py", line 543, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

...
"/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/requests-2.4.1-py3.4.egg/requests/adapters.py", line 420, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
 
 python3和python2之间的区别  
 这是它开始变得有趣的地方：使用python2.7时我没有遇到同样的问题：  
(python2.7)> import requests
(python2.7)> requests.get('https://verifier.login.persona.org')
<Response [200]>
 
 我的第一个想法是两个版本的requests可能使用不同的证书[1]，所以我很惊讶地发现这两个文件完全相同：  
(bash)$ diff `python3.4 -c "import requests; print(requests.certs.where())"` \
             `python2.7 -c "import requests; print requests.certs.where()"`
# no diff
 
 在openssl中重新创建错误并使用-CAFile解决  
 有趣的是，问题不仅限于python3.4 [2]。  
(bash)$ openssl s_client -connect github.com:443
...
Verify return code: 20 (unable to get local issuer certificate)
 
 编辑来自Steffen的评论告诉我，这种“调试”方法实际上并不具备信息性，因为s_client需要-CApath才能进行验证。 但是，我可以指定requests包使用的相同证书并且我没有得到相同的错误这一事实仍然很有趣：  
(bash)$ openssl s_client -connect github.com:443 \
        -CAfile `python3 -c 'import requests; print(requests.certs.where())'`
...
Verify return code: 0 (ok)
 
 在这一点上，我完全脱离了我的元素。 我不知道这是否真的是一个openssl问题，或者OSX Mavericks的问题[3]。 这是我正在使用的openssl的版本：  
(bash)$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
 
 小牛KeyChain.app  
 对于特定于操作系统的解决方案，我已经尝试清除我的登录KeyChain [4]，但无济于事。  
 pip的问题  
 最后一点证据可能相关或不相关。 python3.4带有完整的pip。 但是，pip3命令对我来说没用。 无论我尝试安装什么：  
(bash)$ pip3 install [new-lib] # pip 1.5.6
 
 我明白了：  
Downloading/unpacking [new-lib]
    Cannot fetch index base URL https://pypi.python.org/simple/
    Could not find any downloads that satisfy the requirement [new-lib]
Cleaning up...
    No distributions at all found for [new-lib]
    Storing debug log for failure in ~/.pip/pip.log
 
 虽然这不是（明确地）SSL错误，但它看起来很相似[5]并且成功的解决方法是在我的virtualenv [5]中使用easy_install安装旧版本的pip。 我正在指责两个问题是相关的。  
 回顾：  
 
  寻求SSL证书失败错误的可能解决方案（在requests调用中不使用verify = False ）。  
  我在python3.4中得到错误但不是python2.7，即使在两种情况下使用的cert.pem完全相同。  
  虽然我可以使用openssl s_client -connect重新创建SSL错误，但我可以通过将-CAFile指定给请求库使用的cert.pem来避免它。  
  我最好的猜测是，这是小牛队特有的问题，但我不知道如何继续。  
  我希望找到一个解决方案，也允许我使用pip3按预期安装python3.4软件包。  
 
 谢谢你的帮助！  
 [1]：我的机器上的python2.7是使用Enthought安装的。 但是安装python2.7的系统版本和请求库也可以。  
 [2]：使用python 2.7查看openssl，python请求错误：“certificate verify failed”  
 [3]：小牛似乎引入了openssl的变化？ http://curl.haxx.se/mail/archive-2013-10/0036.html  
 [4]：从这里清理KeyChain.app：https：//superuser.com/a/721629/261875  
 [5]：pip3发生SSL错误： https ：//stackoverflow.com/a/22051466/2506078 

I'm stuck on a persistent SSL verification issue. 
SSL: CERTIFICATE_VERIFY_FAILED 
I discovered the error while building a Django app that had users authenticate using Mozilla Persona. 
(python3.4)> import requests
(python3.4)> requests.get('https://verifier.login.persona.org')
 
I get a SSL: CERTIFICATE_VERIFY_FAILED tracing back from requests to urllib3 to ssl: 
...
"/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/ssl.py", line 805, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

...
"/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/requests-2.4.1-py3.4.egg/requests/packages/urllib3/connectionpool.py", line 543, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

...
"/Library/Frameworks/Python.framework/Versions/3.4/lib/python3.4/site-packages/requests-2.4.1-py3.4.egg/requests/adapters.py", line 420, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
 
Difference between python3 and python2 
Here's where it starts to get interesting: I don't get the same issue when using python2.7: 
(python2.7)> import requests
(python2.7)> requests.get('https://verifier.login.persona.org')
<Response [200]>
 
My first thought was that the two versions of requests might be using different certs[1], so I was pretty surprised to find the two files were exactly the same: 
(bash)$ diff `python3.4 -c "import requests; print(requests.certs.where())"` \
             `python2.7 -c "import requests; print requests.certs.where()"`
# no diff
 
Error recreated in openssl and solved using -CAFile 
Interestingly, the issue is not limited to python3.4[2]. 
(bash)$ openssl s_client -connect github.com:443
...
Verify return code: 20 (unable to get local issuer certificate)
 
Edit A comment from Steffen informed me that this "debugging" method isn't actually informative, as s_client expects a -CApath in order to verify. However, the fact that I can specify the same certificate that the requests package is using and I don't get the same error is still interesting: 
(bash)$ openssl s_client -connect github.com:443 \
        -CAfile `python3 -c 'import requests; print(requests.certs.where())'`
...
Verify return code: 0 (ok)
 
At this point, I'm completely out of my element. I don't know is if this is really an openssl issue, or something about OSX Mavericks[3]. Here's the version of openssl I'm using: 
(bash)$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
 
Mavericks KeyChain.app 
For OS-specific solutions, I've tried clearing my login KeyChain[4], to no avail. 
Issues with pip 
There's one last bit of evidence that may or may not be relevant. python3.4 ships with pip intact. However, the pip3 command is useless to me. No matter what I try to install: 
(bash)$ pip3 install [new-lib] # pip 1.5.6
 
I get: 
Downloading/unpacking [new-lib]
    Cannot fetch index base URL https://pypi.python.org/simple/
    Could not find any downloads that satisfy the requirement [new-lib]
Cleaning up...
    No distributions at all found for [new-lib]
    Storing debug log for failure in ~/.pip/pip.log
 
Although this isn't (explicitly) an SSL error, it seems similar[5] and a successful workaround has been to install an older version of pip using easy_install in my virtualenvs[5]. I'm crossing my fingers that the two issues are related. 
Recap: 
 
 Seeking possible solutions for SSL certificate failure error (without using verify = False in the requests calls). 
 I get the error in python3.4 but not python2.7 even though the cert.pem used in both cases is exactly the same. 
 Though I can recreate an SSL error using openssl s_client -connect I can avoid it by specifying -CAFile to the cert.pem used by the requests library. 
 My best guess is that this is an issue particular to Mavericks, but I have no idea how to proceed. 
 I'm hoping to find a solution that also allows me to use pip3 to install python3.4 packages as expected. 
 
Thanks for your help! 
[1]: python2.7 on my machine was installed using Enthought. But installing a system version of python2.7 and the requests library works too. 
[2]: See openssl, python requests error: "certificate verify failed" for a similar problem using python 2.7 
[3]: It seems Mavericks introduced a change in openssl? http://curl.haxx.se/mail/archive-2013-10/0036.html 
[4]: Clearning KeyChain.app from here: https://superuser.com/a/721629/261875 
[5]: SSL error with pip3: https://stackoverflow.com/a/22051466/2506078

原文：https://stackoverflow.com/questions/25835554

更新时间：2023-01-09 14:01

最满意答案

 您可以编写一个shell脚本来提示输入密码，如下所示：  
passphrase=""
while [ -z "$passphrase" ]; do
    read -p "Passphrase: " passphrase
done
ssh-keygen -N $passphrase -t rsa
 
 它将继续提示，直到他们在密码中输入一个字符串。 你可能想让它更平滑，但它会让你开始。 

You could write a shell script to prompt for the passphrase, something like this: 
passphrase=""
while [ -z "$passphrase" ]; do
    read -p "Passphrase: " passphrase
done
ssh-keygen -N $passphrase -t rsa
 
It will keep prompting until they enter a string in the passphrase. You might want to make it smoother, but it'll get you started.

在小牛队的python中SSL证书验证失败(SSL certificate verification failure in python on Mavericks)

SSL：CERTIFICATE_VERIFY_FAILED

python3和python2之间的区别

在openssl中重新创建错误并使用-CAFile解决

小牛KeyChain.app

pip的问题

SSL: CERTIFICATE_VERIFY_FAILED

Difference between python3 and python2

Error recreated in openssl and solved using -CAFile

Mavericks KeyChain.app

Issues with pip

最满意答案

相关问答

linux ssh-keygen -t rsa会生成公钥和加密文件，但是只支持登陆无需密码，有没有用文件来加密和解密文件。[2021-05-24]

自动化ssh-keygen -t rsa，因此它会询问密码[closed](Automate ssh-keygen -t rsa so it DOES ask for a passphrase [closed])[2024-01-10]

香草节点中的ssh-keygen(ssh-keygen in vanilla Node)[2022-01-06]

“ssh-keygen -A”究竟做了什么？(What exactly does `ssh-keygen -A` do?)[2020-12-16]

SSH-keygen运行不正常（java）[关闭](SSH-keygen not running properly (java) [closed])[2023-06-19]

ssh-keygen与不同的用户进行颠覆(ssh-keygen with different user for subversion)[2021-07-29]

当使用ssh-keygen命令时Paramiko挂起(Paramiko hang when use ssh-keygen command)[2021-02-16]

使用OpenSSL和SSH的公钥ssh-keygen生成私钥(Generate Private key with OpenSSL and Public key ssh-keygen for SSH)[2022-07-19]

在powershell中为github自动化ssh-keygen(automate ssh-keygen for github in powershell)[2022-05-14]

验证RSA私钥的密码(Verify the passphrase for RSA private key)[2022-05-11]

相关文章

最新问答