Update: if I let the API call hang and then interrupt it from the keyboard, this is what it shows it was stuck on:
File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
self._sslobj.do_handshake()
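Are you guys sure this is not an SSL-related issue?
I am getting an error that seems to be somewhat common, "Verify return code: 20 (unable to get local issuer certificate)". With the help of this thread, I found a certificate that makes the error go away when I pass the path to the file as an arg, as shown in this thread. Now, how do I permanently make this new certificate the default?
To be clear, "echo '' | openssl s_client -connect api.stripe.com:443" yields this: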
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
No client certificate CA names sent
---
SSL handshake has read 4712 bytes and written 443 bytes
---
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: F5EA24F3FE87EA6D4D2D5F8EBBD66811BE85116047AB1111F22968B324698D86
Session-ID-ctx:
Master-Key: EEBA4D6255330C751DACE424844778CAA561F9BA339488CB8B32D78047A681B3066DD683A733732AB778EB1C72FB1EE2
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1404582660
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
However, "echo '' | openssl s_client -CApath ~/Downloads/DigiCertHighAssuranceEVRootCA.crt -connect api.stripe.com:443" yields this:
CONNECTED(00000003)
depth=3 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
verify return:1
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Stripe, Inc.", CN = api.stripe.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
No client certificate CA names sent
---
SSL handshake has read 4712 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7ACAFB7EFC59892B2FD356197EE62E8E94F05DA51FAC29C21CA4790D69916169
Session-ID-ctx:
Master-Key: 4E58BAB4E6C5C36BFEE31C5AA49AB8B22C6ADB684C3A7A9FC1FE2D899676C5CDF2823C51E35120E61FA04F2291DBBF0D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
Start Time: 1404583006
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
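The latter looks to me like it solves the problem, as long as I can make this "permanent". Is the solution to convert it to PEM and put it in /usr/lib/ssl/certs/?
If so, I am having trouble converting the certificate to PEM. I get the following, which I am currently researching: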
$ openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.pem -outform PEM
unable to load certificate
3074123452:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
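Edit: argh, successfully converted it to .pem and moved it to that directory, and it did nothing.
For background, this is not a production server or anything; this is just on my own computer, which runs Xubuntu. I suddenly ran into this problem while trying to run a script that interacts with Stripe's API. The day before, the same script ran fine as wine. Then suddenly the API calls started timing out. I contacted Stripe support, which has been very slow, and the person gave me some commands to run, which is how this problem was worked out. Still waiting for their reply, but this seems to be the problem. I am hoping that using the certificate I keep downloading will let me interact with the Stripe API again when I am doing something other than "echo '' | openssl s_client -connect api.stripe.com:443".
If anyone has a guess as to what I might have inadvertently done to suddenly cause this problem, I would really appreciate it. I am surprised as to why something like this would happen.
Edit:
I was asked to provide the Stripe script itself.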
import stripe
STRIPE_SECRET = "mys3cretkey"
STRIPE_PUBLISHABLE = "testkeypublishable"
stripe.api_key = STRIPE_SECRET
customer = stripe.Customer.retrieve('cus_4FJ2a8cSopzrwQ')
print customer['created']
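However, I want to reiterate that this and every other Stripe-related script and operation worked fine a few days ago. A few days ago, before this problem appeared, I had been making Stripe API calls and web scraping and all sorts of other things, blissfully unaware of certificates and SSL handshakes. Also, Stripe's documentation provides examples of API calls on the right-hand side, with your keys and test information, so you can copy and use them. Copying those does not work. Doing a test transaction on our website in my local environment does not work either.
But, ha, it has worked 1 time out of 12 since the problem started... which is weird...
I also tried echo '' | openssl s_client -connect google.com:443, and I got the same problem. So it stands to reason that this problem is not Stripe-specific, although they did have some trouble with connections to their API at the time these problems showed up for me, trouble which they said on Twitter was resolved. (Our production site is fine.)
Edit: I was asked for more information.
Things that may have changed. The only thing that might have affected this is that I have started using my VM more. Note the "more" - I used it before and ran these scripts just fine. It is a Windows 7 VM that I use for .NET work. (For the curious, it runs terribly.)
Stripe's error. If I let the script hang long enough, I get a traceback, which ends like this: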
File "/usr/local/lib/python2.7/dist-packages/stripe/http_client.py", line 140, in _handle_request_error
raise error.APIConnectionError(msg)
stripe.error.APIConnectionError: Unexpected error communicating with Stripe. If this problem persists,
let us know at support@stripe.com.
(Network error: Timeout: HTTPSConnectionPool(host='api.stripe.com', port=443): Read timed out.)
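Both the script and the openssl test are on my local machine, my laptop. When I refer to a test transaction on our website, that is on localhost, using the same Stripe test API key as the script.
Thanks
Answer 0: (score: 4)
You need to add the path where s_client should look for certificates, because it does not use any default path. This should work: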
openssl s_client -CApath /etc/ssl/certs/ -connect api.stripe.com:443
No certificates need to be added to /etc/ssl/certs, because the relevant CA should already be included in (X)ubuntu.
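An added example, not part of the original question or answer: a small parser for the `openssl s_client` text output quoted above that reports which issuer a "verify error:num=20" refers to. The function names are hypothetical, and it assumes the reported error depth equals the index of the certificate in the chain the server sent.

```python
import re

# Abbreviated from the first s_client run quoted in the question.
SAMPLE = """\
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
Verify return code: 20 (unable to get local issuer certificate)
"""

PATTERNS = {
    "depth": re.compile(r"depth=(\d+)\s"),
    "error": re.compile(r"verify error:num=(\d+):(.*)"),
    "subject": re.compile(r"(\d+) s:(.*)"),
    "issuer": re.compile(r"i:(.*)"),
    "final": re.compile(r"Verify return code: (\d+)"),
}

def parse_s_client(text):
    """Return (chain, errors, final_code) parsed from s_client text output."""
    chain, errors, final_code, depth = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        kind, m = next(((k, p.match(line)) for k, p in PATTERNS.items()
                        if p.match(line)), (None, None))
        if kind == "depth":
            depth = int(m.group(1))  # certificate the following error refers to
        elif kind == "error":
            errors.append((depth, int(m.group(1)), m.group(2)))
        elif kind == "subject":
            chain.append({"subject": m.group(2), "issuer": None})
        elif kind == "issuer" and chain:
            chain[-1]["issuer"] = m.group(1)
        elif kind == "final":
            final_code = int(m.group(1))
    return chain, errors, final_code

def missing_issuers(text):
    """Issuers flagged by error 20; assumes error depth == index in sent chain."""
    chain, errors, _ = parse_s_client(text)
    return [chain[d]["issuer"] for d, num, _ in errors
            if num == 20 and d is not None and d < len(chain)]

print(missing_issuers(SAMPLE))
```

On the question's first run this names the GTE CyberTrust Global Root, the issuer of the last certificate the server sent, as the one that could not be found locally; in the second run, where a `-CApath` argument is given, that same root appears at depth=3 with `verify return:1`.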