I have installed an SSL certificate in my apache2, and it works fine in the browser.
SSLCertificateFile /root/ca/intermediate/certs/www.example.com.cert.pem
SSLCertificateKeyFile /root/ca/intermediate/private/www.example.com.key.pem
SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem
Now I am trying to connect to this server using the Python requests module, using the same certificate I provided in SSLCertificateFile above.
import requests
r = requests.get('https://localhost',verify='/Users/p/Documents/b/docker_images/vnet-creds/ca/intermediate/certs/www.example.com.cert.pem')
print r.status_code
print r.text
But I still get the following error.
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
[Finished in 0.3s with exit code 1]
[shell_cmd: python -u "/Users/p/Documents/b/docker_images/test_pki_certs/test.py"]
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=England, O=B, OU=B Root, CN=B Root
Validity
Not Before: Jun 23 20:39:51 2017 GMT
Not After : Jun 21 20:39:51 2027 GMT
Subject: C=GB, ST=England, O=B, OU=B Root, CN=B Root inter
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E8:6B:7F:00:5C:2A:29:CE:59:FE:92:64:C0:FF:EF:0D:BC:A2:C4:92
X509v3 Authority Key Identifier:
keyid:E0:B2:2B:B8:F3:7D:9B:0A:76:00:CA:EB:87:8F:8A:32:89:3A:C2:EE
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
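Answer 0 (score: 1)
> Now I am trying to connect to this server using the Python requests module, using the same certificate I provided in SSLCertificateFile above.

The verify parameter expects a trusted CA, not just a trusted certificate. The leaf certificate is not a CA certificate and is therefore not taken into account when building the trust chain. Instead, you should provide the root CA and, in case the server does not send the chain certificates, also the chain certificates needed to build the trust chain to the given root CA.
Apart from that, also make sure that the subject of the certificate matches the domain name given in the URL.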
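An added example, not part of the original answer: a name-based check of whether the file passed to verify= can anchor a chain for the server certificate, reading the Issuer, Subject and CA flag as printed by `openssl x509 -text`. The ROOT and LEAF samples, the function names and the `sent_by_server` parameter are assumptions made for illustration.

```python
import re

# Constructed sample input in `openssl x509 -text` layout. INTER carries the issuer,
# subject and CA flag of the dump on this page; ROOT and LEAF are assumed.
DN = "C=GB, ST=England, O=B, OU=B Root, CN="
def dump(issuer, subject, ca):
    return ("Issuer: %s%s\nSubject: %s%s\nX509v3 Basic Constraints: critical\n"
            "    CA:%s\n" % (DN, issuer, DN, subject, "TRUE" if ca else "FALSE"))
ROOT = dump("B Root", "B Root", True)
INTER = dump("B Root", "B Root inter", True)
LEAF = dump("B Root inter", "www.example.com", False)

def parse(text):
    """Extract issuer, subject and the CA flag from `openssl x509 -text` output."""
    def field(name):
        return re.search(r"^\s*%s:\s*(.+)$" % name, text, re.M).group(1).strip()
    return {"issuer": field("Issuer"), "subject": field("Subject"),
            "ca": "CA:TRUE" in text}

def verify_bundle_problems(leaf, bundle, sent_by_server=()):
    """Walk issuer names from the leaf up to a self-signed root.

    Intermediates may come from the verify= bundle or from the server's
    handshake, but the root that ends the chain must be in the bundle.
    Names only: signatures and validity dates are not checked.
    """
    trusted = {c["subject"] for c in map(parse, bundle) if c["ca"]}
    known = {c["subject"]: c
             for c in map(parse, list(bundle) + list(sent_by_server)) if c["ca"]}
    current, seen = parse(leaf), set()
    while True:
        issuer = known.get(current["issuer"])
        if issuer is None:
            return ["no CA certificate available for issuer: " + current["issuer"]]
        if issuer["subject"] == issuer["issuer"]:      # reached a self-signed root
            if issuer["subject"] in trusted:
                return []
            return ["root CA not in verify bundle: " + issuer["subject"]]
        if issuer["subject"] in seen:                  # guard against name cycles
            return ["issuer loop at: " + issuer["subject"]]
        seen.add(issuer["subject"])
        current = issuer

if __name__ == "__main__":
    print(verify_bundle_problems(LEAF, [LEAF], sent_by_server=[INTER]))  # leaf as verify=
    print(verify_bundle_problems(LEAF, [ROOT], sent_by_server=[INTER]))  # root as verify=
```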