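Python 'requests' [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Time: 2015-09-23 16:58:02

Tags: ssl https certificate python-requests x509

I am having trouble verifying an HTTPS endpoint when supplying a specific certificate path to the 'verify' option; setting 'verify' to True DOES work fine: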

import requests

def run_tests():
    url="https://www.google.com"
    certfilename="google.crt"
    generate_cert_file( certfilename )
    # verify=False: no certificate verification at all
    response = requests.get( url, verify=False )
    print("URL:%s, Verify=False. Result: %s"%(url, response.status_code ))
    # verify=True: verify against the default CA bundle
    response = requests.get( url, verify=True )
    print("URL:%s, Verify=True. Result: %s"%(url, response.status_code ))
    # verify=<path>: verify against the certificates in that file
    response = requests.get( url, verify=certfilename )
    print("URL:%s, Verify=%s. Result: %s"%(url, certfilename, response.status_code ))

def generate_cert_file( filename ):
    cert_text=('''\
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----\
''')
    with open(filename, "w") as output:  # text mode: cert_text is a str
        output.write(cert_text)

if __name__=='__main__':
    run_tests()

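Am I doing something wrong here? (I embedded the cert inline to make the code easier to run, without having to supply a separate certificate file.)

I am getting 'requests' from the git repository - the latest TAG in the history is V2.7.0, and the latest commit is "46ff1a9a543cc4d33541aa64c94f50f0a698736e"

EDIT: I actually had the wrong certificate here (thanks to Steffen Ullrich for pointing this out): but I have now confirmed that I have the correct certificate/endpoint: I get the same error.

I retrieved the certificate like this: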

openssl s_client -connect www.google.com:443

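and just copied the certificate details into the Python program. The problem actually also occurs with my own internal systems - using self-signed certificates (which is my real use case).

Alternatively: where does the 'verify=True' option actually look for trusted certificates/CAs? (On Java it would be 'cacerts' - not sure what the equivalent is for Python/requests?)

I am on a Windows platform here.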

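2 answers:

Answer 0: (score: 3)

The certificate you use is only valid for www.google.co.uk, but you access www.google.com. Thus the certificate does not match at all. I'm not sure whether using the host certificate instead of the issuer certificate (i.e. the root CA or an intermediate CA) will work.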
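
The two conditions raised in answer 0 (a hostname the certificate does not cover, and a host certificate used where an issuer certificate is expected), checked in code as an added example that is not part of the original answers. It works on the dict shape returned by `ssl.SSLSocket.getpeercert()`; the function names and both sample certificates are constructed for illustration, and the self-signed check assumes OpenSSL's default chain building, without partial-chain verification.

```python
# Added example, not from the original post. Both sample certificates are
# constructed, in the dict shape that ssl.SSLSocket.getpeercert() returns.
SAMPLE_LEAF = {  # host certificate issued by a (hypothetical) CA
    "subject": ((("commonName", "www.google.co.uk"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (("DNS", "www.google.co.uk"),),
}
SAMPLE_SELF_SIGNED = {  # self-signed certificate for an internal host
    "subject": ((("commonName", "intranet.example"),),),
    "issuer": ((("commonName", "intranet.example"),),),
    "subjectAltName": (("DNS", "intranet.example"), ("DNS", "*.intranet.example")),
}

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the legacy CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Label-wise match; '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def diagnose(cert, host):
    """List reasons why pinning this certificate via verify=<file> can fail."""
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        problems.append("hostname mismatch: certificate covers " + ", ".join(names))
    if cert.get("subject") != cert.get("issuer"):
        # Assumption: default OpenSSL chain building must end at a self-signed
        # certificate in the verify file, so a host certificate alone is not enough.
        problems.append("not self-signed: the issuer's CA certificate is needed")
    return problems

if __name__ == "__main__":
    for host in ("www.google.com", "www.google.co.uk"):
        print(host, diagnose(SAMPLE_LEAF, host))
    print("intranet.example", diagnose(SAMPLE_SELF_SIGNED, "intranet.example"))
```
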

Answer 1: (score: 0)

You can try this:

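from requests import Request, Session

CERT_PATH = "client.pem"  # placeholder path, not given in the answer
s = Session()
req = Request('POST', 'https://www.google.com')
prepped = s.prepare_request(req)
# cert= supplies a client-side certificate; verify=False turns off
# verification of the server certificate
resp = s.send(prepped, verify=False, cert=CERT_PATH)
if resp.status_code == 200:...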