问题
I have a problem verifiying a HTTPS endpoint when providing a specific certificate path to the 'verify' option; setting 'verify' to true DOES work however:
import requests
def run_tests():
url="https://www.google.com"
certfilename="google.crt"
generate_cert_file( certfilename )
response = requests.get( url, verify=False )
print "URL:%s, Verify=False. Result: %s"%(url, response.status_code )
response = requests.get( url, verify=True )
print "URL:%s, Verify=True. Result: %s"%(url, response.status_code )
response = requests.get( url, verify=certfilename )
print "URL:%s, Verify=%s. Result: %s"%(url, certfilename, response.status_code )
def generate_cert_file( filename ):
cert_text=('''\
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIIxZ+YmNtB9AwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwOTA5MjI1MzM5WhcNMTUxMjA4MDAwMDAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqH1dz
jOr385g9DXVZowTLkhjCoYGQ/zOLzslSFowYqZnlMiE7iZ8Vm9/iJfhStSMoA6gZ
87uqLENCi3NK+pk4+n1SIPRZS0jorb1jsyenMMy6Fxb9sQe3ndqZpWBtsW5ezW9t
7q5HWA1cNm1KSi2fmwZpDrSaN0TYQdFbRAz6cPf6J/P66qyEC7OInFgLsy4FDdp8
itpjCo/gnk2gz1vpWjiRYLCkz/dlFY3M3kR/s7YcJa7UP7BZ+QmmDfN3y4mxmEfn
Cg8rB25ZbD+oQ+Hua3/oMrx4r3lliou3yrD08/ABEqs16EEPX5wFHtI4CQYAUt5E
rEDl36bpvFD0QkfLAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBQHiMS+8X3+WcfbMQymf9yX9XA1yDAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAUvY5/JbZLfahjC4F
IZU0jVtGRBDa6tXLhCHAdwLHYLQdHn74oQ8Y1vxL0AYd7V2SBAgrDjCoK9bDQbQi
UZ7xwG9K2O75bS2qYc/OlZLJr0Gdfs71ZpQzlv14SGBXvwPuD6noj+hiZjqICd6t
3Rd5oIFiZvkhNDdN6Uag28rIfR8HECdlkbZNZeLZnyoIaxsprANvlEkY0wEbn1K9
kww3/SYKbdPJ8VQSUOtWgGsO1RPFaE4PP7hCg8Q062+mmCs0ZMQSvrzzv7JQsO5J
EkdG6691HdVA6z/rRGGX8E6assTnJLmVMxRayV+Do07KvywLONTInUWue8heHUSX
EHJZbg==
-----END CERTIFICATE-----\
''')
with open(filename, "wb") as output:
output.write(cert_text)
if __name__=='__main__':
run_tests()
Am I doing something wrong here ? (I embedded the cert inline to make the code easier to run without having to provide a separate cert file)
I'm fetched 'requests' down from the git repository - the newest version TAG in the history is V2.7.0, and the latest commit is "46ff1a9a543cc4d33541aa64c94f50f0a698736e"
EDIT: I actually had the wrong certificate here (thanks Steffen Ullrich for pointing this out) : but I have now confirmed I have the correct cert/endpoint: and I get the same error.
I retrieved the cert like this:
openssl s_client -connect www.google.com:443
And just copied the cert details into the python program. The issue is actually happening for my own in-house systems as well - using self-signed certs (which is my real use-case).
Alternatively : where does the 'verify=True' option actually look for trusted certs/CAs ? (On Java it would be 'cacerts' - not sure what the equivalent here is for Python/requests ?).
I'm on a Windows platform here.
回答1:
You are using the certificate which is only valid for www.google.co.uk, but access www.google.com. Thus the certificate can not match at all. And I'm not sure if using the host certificate instead of an issuer certificate (i.e. root CA or intermediate CA) will work at all.
回答2:
Can you try this:
s = Session()
req = Request('POST', 'https://www.google.com')
prepped = s.prepare_request(req)
resp = s.send(prepped, verify=False, cert=CERT_PATH)
if resp.status_code == 200:...
来源:https://stackoverflow.com/questions/32745309/python-requests-ssl-certificate-verify-failed-certificate-verify-failed-s