這是previous SO post的後續操作。即使證書鏈更新,Python(pip)也會拋出[SSL:CERTIFICATE_VERIFY_FAILED]
我正在使用Windows/cygwin,並且我需要python來理解定製的CA證書,因爲網絡基礎架構會將所有SSL請求與其自己的證書分開。
如果我嘗試運行pip search SimpleHTTPServer
,我得到了以下錯誤消息:
- 複製:
... File "c:\users\erbe\appdata\local\programs\python\python35-32\lib\ssl.py", line 633, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
我已經做了以下嘗試將證書添加到我的名單可信證書我的.pem文件到/ etc/PKI/CA-信任/源/錨
update-ca-trust extract
我已驗證這工作,因爲我現在能不能給點生成的PEM文件和PIP成功運行:pip --cert /usr/local/ssl/cert.pem search SimpleHTTPServer
:
$ pip --cert tls-ca-bundle.pem search SimpleHTTPServer
ComplexHTTPServer (0.1) - A Multithreaded Python SimpleHTTPServer
SimpleTornadoServer (1.0) - better SimpleHTTPServer using tornado
rangehttpserver (1.2.0) - SimpleHTTPServer with support for Range requests
不過,我想這無需手動指定證書每一次工作。我希望能更新證書鏈是Python使用:
$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/ssl/certs')
我已驗證通過一系列符號鏈接,即/usr/local/ssl/cert.pem指向同一個文件。但是,如果我執行pip
,我仍然會收到[SSL: CERTIFICATE_VERIFY_FAILED]
錯誤消息。
我卸載了Windows版本的python,並重新安裝了Cygwin版本的python。有了它,我跑了easy_install-2.7 pip
。現在,至少我能沒有一條錯誤信息,以執行與完整的證書路徑PIP:
$ pip --cert /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem search simpleHttpServer
LittleHTTPServer (0.5.0) - Little bit extended SimpleHTTPServer
SimpleHTTP404Server (0.2.0) - A Python SimpleHTTPServer, but serves 404.html if a page is not found.
django-localsrv (0.1.2) - Django app for serving static content from different sources (files, strings, urls, etc.) at custom paths,
爲了安全起見,我也嘗試過更新SSL_CERT_DIR varaible指向到/ etc/PKI/CA-取信提取/ PEM並設置內的ssl_cert_file到/etc/pki/ca-trust-extracted/pem/tls-ca-bundle.pem但這些不工作:
$ set | grep SSL
SSL_CERT_DIR=/etc/pki/ca-trust/extracted/pem
SSL_CERT_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem', capath='/etc/pki/ca-trust/extracted/pem', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/ssl/certs')
$ pip search simpleHttpServer
Exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/basecommand.py", line 215, in main
status = self.run(options, args)
...
...
File "/usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/adapters.py", line 477, in send
raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
我在做什麼錯?這是一個cygwin vs Windows問題嗎?我需要更新哪些PEM文件?
哪個點子版本? –
我正在使用pip 8.1.2。 'pip 8.1.2從/ usr/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg' –
@KlausD。我更新了我的問題,以表明我已經刪除了Windows Python並僅通過cygwin安裝它,但無濟於事。 –