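I have been using the Python Requests library to scrape a website for some time, but the site recently changed its SSL certificate, and the new certificate will not validate with requests.
Based on answers to similar questions, I have updated requests and urllib3 to the latest versions (2.4.3 and 1.9.1) and manually added the CA certificate to requests' cacert.pem (/usr/local/lib/python2.7/dist-packages/requests/cacert.pem).
I can successfully use this cacert.pem file with curl, but still not with requests: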
> curl --head --cacert /usr/local/lib/python2.7/dist-packages/requests/cacert.pem https://jordan-cu.org
HTTP/1.1 200 OK
Date: Thu, 20 Nov 2014 16:21:28 GMT
Server: Apache
X-Pingback: https://jordan-cu.org/xmlrpc.php
Link: <https://jordan-cu.org/>; rel=shortlink
X-Powered-By: PleskLin
Content-Type: text/html; charset=UTF-8
> python
Python 2.7.4 (default, Sep 26 2013, 03:20:26)
[GCC 4.7.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> requests.get('https://jordan-cu.org')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 60, in get
    return request('get', url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 49, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 569, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 420, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
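I'm not sure what else to try at this point. Any help is appreciated!
Answer 0 (score: 5)
You need to install pyopenssl and ndg-httpsclient.
Answer 1 (score: 1)
Python 2 does not support SNI, and requests does not help in this regard; see http://docs.python-requests.org/en/latest/community/faq/. However, if accessed without SNI, the server returns a self-signed certificate: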
$ openssl s_client -connect jordan-cu.org:443 | openssl x509 -text -noout
...
Issuer: C=US, ST=Virginia, L=Herndon, O=Parallels, OU=Parallels Panel, CN=Parallels Panel/emailAddress=info@parallels.com
...
Subject: C=US, ST=Virginia, L=Herndon, O=Parallels, OU=Parallels Panel, CN=Parallels Panel/emailAddress=info@parallels.com
If the server is accessed with SNI, it returns a certificate signed by a public CA:
$ openssl s_client -connect jordan-cu.org:443 -servername jordan-cu.org | openssl x509 -text -noout
...
Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
...
Subject: ... CN=*.jordan-cu.org
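Because Python 2 makes the TLS connection without SNI, you get the self-signed certificate, which of course cannot be verified against cacert.pem, and so you get certificate verify failed.
Fix: upgrade to Python 3, which supports SNI.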
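Answer 2 (score: 0)
You need to create a PEM file with the whole certificate chain: your certificate + intermediate certificate + root certificate.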