Python using system SSL certificates?

感情迁移 提交于 2020-12-30 08:56:33

问题


I ran into the recent Authorize.net SSL certificate invalidation debacle last week.

I've been able to get curl to accept their certificate finally:

$ curl -Iv https://secure.authorize.net
...
*  SSL certificate verify ok.
...

but python is still rejecting it with requests:

>>> requests.get('https://secure.authorize.net', verify=True)
...
  InsecurePlatformWarning

and in my code:

File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Can anyone tell me why python doesn't seem to be using the system certificates for validation? Any ideas on a fix?

EDIT

I am using Ubuntu and installed the certificate this way:

sudo curl -o /usr/local/share/ca-certificates/entrust_ssl_ca.crt https://www.entrust.net/downloads/binary/entrust_ssl_ca.cer
sudo update-ca-certificates

after running this, curl worked properly, but python still didn't recognize the certificate.


回答1:


You don't mention what OS you're using or where you installed the certificates to make them available to Curl.

I used strace on my system to see where Python is looking for certificates. On my Fedora system Python is using/etc/pki/tls/certs/ca-bundle.crt, which is the standard location on Fedora, Red Hat, and similar systems.

On Ubuntu, Python is looking in /etc/ssl/certs/ca-certificates.crt.

According to the documentation:

You can pass verify the path to a CA_BUNDLE file with certificates of trusted CAs. This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.

...so you could provide your application with a list of CA certificates that is independent of what is installed on the system.

Update

Running openssl s_client -showcerts -connect secure.authorize.net:443 shows that the *.authorize.net certificate is signed by the "Entrust Certification Authority - L1K" certificate, which is signed by the "Entrust Root Certification Authority - G2" certificate, which is signed by the "Entrust Root Certification Authority" certificate. The certificate you have installed as entrust_ssl_ca.crt is the "Entrust.net Secure Server Certification Authority", which is "none of the above".

I would just visit http://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads/ and download everything, but the top-level certificate in the above chain is this one. That's the second certificate listed on the downloads page.



来源:https://stackoverflow.com/questions/30577392/python-using-system-ssl-certificates

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!