我无法在带有 Python 2.7.5 的 CeontOS 7 中使用您的库。 我收到此错误:
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 447, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
更新 Python 或任何 SSL 库都没有帮助。 我在 CentOS 和 Ubuntu 中遇到此错误,在 Arch Linux 中一切正常。
Needs More Information
pensnarik
所有33条评论
你能告诉我们你是如何安装请求的以及你安装了什么版本吗?
sigmavirus24
于 2016-05-20
这几乎可以肯定是 SNI 问题,因此根据库的安装方式,我们可能需要添加一些可选的依赖项。
Lukasa
于 2016-05-20
requests 通过 pip 安装为 smartsheet-python-sdk 的依赖项:
pip show requests
---
Metadata-Version: 2.0
Name: requests
Version: 2.10.0
Summary: Python HTTP for Humans.
Home-page: http://python-requests.org
Author: Kenneth Reitz
Author-email: [email protected]
Installer: pip
License: Apache 2.0
Location: /usr/lib/python3.4/site-packages
Requires:
Classifiers:
Development Status :: 5 - Production/Stable
Intended Audience :: Developers
Natural Language :: English
License :: OSI Approved :: Apache Software License
Programming Language :: Python
Programming Language :: Python :: 2.6
Programming Language :: Python :: 2.7
Programming Language :: Python :: 3
Programming Language :: Python :: 3.3
Programming Language :: Python :: 3.4
Programming Language :: Python :: 3.5
Programming Language :: Python :: Implementation :: CPython
Programming Language :: Python :: Implementation :: PyPy
pip show smartsheet-python-sdk
---
Metadata-Version: 2.0
Name: smartsheet-python-sdk
Version: 1.0.1
Summary: Library that uses Python to connect to Smartsheet services (using API 2.0).
Home-page: http://smartsheet-platform.github.io/api-docs/
Author: Smartsheet
Author-email: [email protected]
Installer: pip
License: Apache-2.0
Location: /usr/lib/python3.4/site-packages
Requires: certifi, requests, six, python-dateutil, requests-toolbelt
Classifiers:
Development Status :: 5 - Production/Stable
Intended Audience :: Developers
Natural Language :: English
Operating System :: OS Independent
License :: OSI Approved :: Apache Software License
Programming Language :: Python
Programming Language :: Python :: 2.7
Programming Language :: Python :: 3.3
Programming Language :: Python :: 3.4
Programming Language :: Python :: 3.5
Programming Language :: Python :: Implementation :: PyPy
Programming Language :: Python :: Implementation :: CPython
Topic :: Software Development :: Libraries :: Python Modules
Topic :: Office/Business :: Financial :: Spreadsheet
在 pip 中删除包并从 yum 安装将无济于事...
pensnarik
于 2016-05-23
@pensnarik你能尝试在你的环境中运行pip install -U requests[security]然后再试一次吗?
Lukasa
于 2016-05-23
👍12
🎉1
谢谢你,卢卡萨,你的建议,但它没有帮助......
[mutex<strong i="6">@unica1</strong> parser]$ sudo pip install -U requests[security]
[sudo] password for mutex:
Collecting requests[security]
Using cached requests-2.10.0-py2.py3-none-any.whl
Collecting pyOpenSSL>=0.13 (from requests[security])
Using cached pyOpenSSL-16.0.0-py2.py3-none-any.whl
Collecting ndg-httpsclient (from requests[security])
Requirement already up-to-date: pyasn1 in /usr/lib/python2.7/site-packages (from requests[security])
Collecting cryptography>=1.3 (from pyOpenSSL>=0.13->requests[security])
Using cached cryptography-1.3.2.tar.gz
Requirement already up-to-date: six>=1.5.2 in /usr/lib/python2.7/site-packages (from pyOpenSSL>=0.13->requests[security])
Requirement already up-to-date: idna>=2.0 in /usr/lib/python2.7/site-packages (from cryptography>=1.3->pyOpenSSL>=0.13->requests[security])
Requirement already up-to-date: setuptools>=11.3 in /usr/lib/python2.7/site-packages (from cryptography>=1.3->pyOpenSSL>=0.13->requests[security])
Requirement already up-to-date: enum34 in /usr/lib/python2.7/site-packages (from cryptography>=1.3->pyOpenSSL>=0.13->requests[security])
Requirement already up-to-date: ipaddress in /usr/lib/python2.7/site-packages (from cryptography>=1.3->pyOpenSSL>=0.13->requests[security])
Requirement already up-to-date: cffi>=1.4.1 in /usr/lib64/python2.7/site-packages (from cryptography>=1.3->pyOpenSSL>=0.13->requests[security])
Requirement already up-to-date: pycparser in /usr/lib/python2.7/site-packages (from cffi>=1.4.1->cryptography>=1.3->pyOpenSSL>=0.13->requests[security])
Building wheels for collected packages: cryptography
Running setup.py bdist_wheel for cryptography ... done
Stored in directory: /root/.cache/pip/wheels/14/df/02/611097a49d7739151deb68d0172dff5ae7cba01b82769e56ef
Successfully built cryptography
Installing collected packages: cryptography, pyOpenSSL, ndg-httpsclient, requests
Found existing installation: requests 2.6.0
DEPRECATION: Uninstalling a distutils installed project (requests) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling requests-2.6.0:
Successfully uninstalled requests-2.6.0
Successfully installed cryptography-1.3.2 ndg-httpsclient-0.4.0 pyOpenSSL-16.0.0 requests-2.10.0
You are using pip version 8.1.0, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
[mutex<strong i="7">@unica1</strong> parser]$ ./update_region_price.py
Traceback (most recent call last):
File "./update_region_price.py", line 129, in <module>
sys.exit(app.run(sys.argv))
File "./update_region_price.py", line 122, in run
self.update_basic()
File "./update_region_price.py", line 65, in update_basic
sheet = self.sm.Sheets.get_sheet(self.sheet_id, page_size=5000)
File "/usr/lib/python2.7/site-packages/smartsheet/sheets.py", line 460, in get_sheet
response = self._base.request(prepped_request, expected, _op)
File "/usr/lib/python2.7/site-packages/smartsheet/smartsheet.py", line 178, in request
res = self.request_with_retry(prepped_request, operation)
File "/usr/lib/python2.7/site-packages/smartsheet/smartsheet.py", line 242, in request_with_retry
return self._request(prepped_request, operation)
File "/usr/lib/python2.7/site-packages/smartsheet/smartsheet.py", line 208, in _request
res = self._session.send(prepped_request, stream=stream)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 585, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 477, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
你能告诉我你连接的是什么主机吗?
Lukasa
于 2016-05-23
Lukasa,当然: https ://api.smartsheet.com/2.0 ,我正在使用 python 包装器进行 smartsheet API (https://github.com/smartsheet-platform/smartsheet-python-sdk)。
pensnarik
于 2016-05-23
您是否碰巧在您的环境中安装了certifi ?
Lukasa
于 2016-05-23
是的,我有:
[mutex<strong i="6">@unica1</strong> parser]$ pip show certifi
---
Metadata-Version: 2.0
Name: certifi
Version: 2016.2.28
Summary: Python package for providing Mozilla's CA Bundle.
Home-page: http://certifi.io/
Author: Kenneth Reitz
Author-email: [email protected]
Installer: pip
License: ISC
Location: /usr/lib/python2.7/site-packages
Requires:
Classifiers:
Development Status :: 5 - Production/Stable
Intended Audience :: Developers
Natural Language :: English
Programming Language :: Python
Programming Language :: Python :: 2.5
Programming Language :: Python :: 2.6
Programming Language :: Python :: 2.7
Programming Language :: Python :: 3.0
Programming Language :: Python :: 3.1
Programming Language :: Python :: 3.2
Programming Language :: Python :: 3.3
Programming Language :: Python :: 3.4
啊哈,好的,我们到了。
api.smartsheet.com使用所谓的“交叉签名证书”为其 TLS 提供服务。 之所以使用它,是因为api.smartsheet.com的 CA 威瑞信最初使用的是 1024 位根证书。 这些已被弃用并被更强大的根证书取代,但一些较旧的浏览器和系统可能没有收到更新,因此像api.smartsheet.com这样的网站提供由 1024 位根签名的根证书。
这通常不是问题,_except_:
certifi删除了弱的 1024 位根- 早于 1.0.2 的 OpenSSL 在构建证书链方面很糟糕,因此无法正确验证交叉签名的根。
您可以通过两种方式解决此问题。 第一种更好但更激进的方法是将您的 OpenSSL 升级到 1.0.2 或更高版本。 恐怕这在 Centos 上很难做到。 不太好但更有效的方法是获取运行python -c "import certifi; print certifi.old_where()"的输出,然后将REQUESTS_CA_BUNDLE环境变量设置为打印路径。
Lukasa
于 2016-05-23
👍12
🎉4
❤1
啊,smartsheet SDK 通过显式使用 certifi 覆盖该环境变量。
新计划。 在您导入 smartsheet 之后,在您做任何其他事情之前,您可以添加以下几行吗?
import smartsheet.session
import certifi
smartsheet.session._TRUSTED_CERT_FILE = certifi.old_where()
这应该会有所帮助。 您不应该使用这种方法需要环境变量。
Lukasa
于 2016-05-23
👍1
不幸的是,即使我在 /usr/lib/python2.7/site-packages/smartsheet/session.py 中更改这一行,它也不起作用:
_TRUSTED_CERT_FILE = certifi.where()
到
_TRUSTED_CERT_FILE = certifi.old_where()
当我从我的代码中更改此 var 时,它也无济于事...
pensnarik
于 2016-05-23
在这一点上,我非常确信这不是请求中的错误,实际上是 smartsheet API 包装器的问题。 你有没有试过向他们报告这个?
sigmavirus24
于 2016-05-23
嗯。 您确信该代码正在执行吗? 你能用打印语句来确认它正在被使用吗?
Lukasa
于 2016-05-23
将证书从 2015.11.20.1 降级到 2015.4.28 解决了问题!
pensnarik
于 2016-06-03
👍5
ubuntu@ip-172-31-58-148 :~/requests$ 清除
ubuntu@ip-172-31-58-148 :~/requests$ python
Python 2.7.6(默认,2015 年 6 月 22 日,17:58:13)
[GCC 4.8.2] 在 linux2 上
输入“帮助”、“版权”、“信用”或“许可”以获取更多信息。
进口请求
requests.get('https://logo.clearbit.com/beutifi.com')
requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: 已发出 HTTPS 请求,但此平台上不提供 TLS 的 SNI(主题名称指示)扩展。 这可能会导致服务器提供不正确的 TLS 证书,从而导致验证失败。 您可以升级到更新版本的 Python 来解决此问题。 有关更多信息,请参阅https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning。
SNIMissingWarning
requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: 一个真正的 SSLContext 对象不可用。 这会阻止 urllib3 正确配置 SSL,并可能导致某些 SSL 连接失败。 您可以升级到更新版本的 Python 来解决此问题。 有关更多信息,请参阅https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning。
不安全平台警告
回溯(最近一次调用最后一次):
文件 ”",第 1 行,在
文件“requests/api.py”,第 71 行,在 get 中
返回请求('get', url, params=params, *_kwargs)
请求中的文件“requests/api.py”,第 57 行
返回 session.request(method=method, url=url, *_kwargs)
请求中的文件“requests/sessions.py”,第 477 行
resp = self.send(prep, *_send_kwargs)
文件“requests/sessions.py”,第 587 行,发送
r =adapter.send(request, *_kwargs)
文件“requests/adapters.py”,第 491 行,发送
引发 SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:510: error:14077410 :SSL例程:SSL23_GET_SERVER_HELLO :sslv3 警报握手失败
这是我对这个问题的投入。 每个 https 请求都不会发生这种情况。
sProject
于 2016-07-04
@sProject您需要先解决这两个警告,然后我们才能确定您是否有新问题。 如果您收到来自 pip 的请求,请运行pip install pyopenssl pyasn1 ndg-httpsclient 。 如果你从你的系统供应商那里得到 Requests,你应该从那里安装这三个包。
Lukasa
于 2016-07-04
👍2
这个错误似乎已经在两个月前解决了。 如果我在这个结论中不正确并且在请求中仍然存在错误,我很乐意重新打开它。
感谢大家对请求的合作!
sigmavirus24
于 2016-09-06
来自pygodaddy的示例引发了相同的异常
from pygodaddy import GoDaddyClient
client = GoDaddyClient()
if client.login(login[0],login[1]):
print client.find_domains()
else: print 'falhou'
$ ./dynip.py
Traceback (most recent call last):
File "./dynip.py", line 8, in <module>
if client.login(login[0],login[1]):
File "/usr/lib/python2.7/site-packages/pygodaddy/client.py", line 99, in login
r = self.session.get(self.default_url)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 501, in get
return self.request('GET', url, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
降级CERTIFI通过@pensnarik的建议不能解决问题。 这是 Fedora 24,Python 2.7.12。
# pip list
Babel (2.3.4)
beautifulsoup4 (4.5.1)
blinker (1.4)
certifi (2016.9.26)
cffi (1.9.1)
chardet (2.3.0)
click (6.6)
cryptography (1.5.3)
cssselect (0.9.2)
decorator (4.0.10)
django-htmlmin (0.9.1)
dnspython (1.14.0)
enum34 (1.1.6)
extras (1.0.0)
first (2.0.1)
fixtures (3.0.0)
Flask (0.11.1)
Flask-Babel (0.11.1)
Flask-Gravatar (0.4.2)
Flask-Login (0.3.2)
Flask-Mail (0.9.1)
Flask-Principal (0.4.0)
Flask-Security (1.7.5)
Flask-SQLAlchemy (2.1)
Flask-WTF (0.12)
gps (3.16)
gssapi (1.2.0)
html5lib (1.0b3)
idna (2.1)
importlib (1.0.4)
iniparse (0.4)
ipaclient (4.3.2)
ipaddress (1.0.17)
ipalib (4.3.2)
ipaplatform (4.3.2)
ipapython (4.3.2)
itsdangerous (0.24)
Jinja2 (2.8)
jwcrypto (0.3.2)
kitchen (1.2.4)
linecache2 (1.0.0)
lockfile (0.12.2)
lxml (3.6.4)
M2Crypto (0.25.1)
MarkupSafe (0.23)
munch (2.0.4)
ndg-httpsclient (0.4.2)
netaddr (0.7.18)
nose (1.3.7)
numpy (1.11.1)
passlib (1.6.5)
pbr (1.10.0)
pif (0.7.3)
Pillow (3.3.1)
pip (8.1.2)
pip-tools (1.7.0)
ply (3.9)
psutil (4.3.0)
psycopg2 (2.6.2)
pwquality (1.3.0)
pyasn1 (0.1.9)
pyasn1-modules (0.0.8)
pycparser (2.17)
pycrypto (2.6.1)
pycurl (7.43.0)
pygobject (3.20.1)
pygodaddy (0.2.2)
pygpgme (0.3)
pyliblzma (0.5.3)
pyOpenSSL (16.2.0)
pyrsistent (0.11.13)
PySocks (1.5.7)
python-dateutil (2.5.3)
python-fedora (0.8.0)
python-ldap (2.4.27)
python-mimeparse (1.5.2)
python-nss (1.0.0)
python-yubico (1.3.2)
pytz (2016.6.1)
pyusb (1.0.0)
pyxattr (0.5.5)
qrcode (5.3)
reportlab (3.3.0)
requests (2.12.1)
requests-file (1.4.1)
rpm-python (4.13.0)
scdate (1.10.9)
setuptools (28.8.0)
simplejson (3.8.2)
six (1.10.0)
slip (0.6.4)
speaklater (1.3)
SQLAlchemy (1.0.14)
sqlparse (0.2.1)
SSSDConfig (1.14.2)
Terminator (0.98)
testscenarios (0.5.0)
testtools (2.2.0)
tldextract (2.0.2)
traceback2 (1.4.0)
typing (3.5.2.2)
uniconvertor (2.0)
unittest2 (1.1.0)
urlgrabber (3.10.1)
urllib3 (1.16)
Werkzeug (0.11.11)
WTForms (2.1)
yum-metadata-parser (1.1.4)
ClodoaldoPinto
于 2016-11-16
GoDaddy 为您提供不完整的证书链。 这意味着我们缺少其中一个中间证书并且无法建立信任链。 您要么需要将缺少的中间证书添加到证书信任库,要么需要联系 GoDaddy 并告诉他们解决问题。
Lukasa
于 2016-11-16
👍1
@Lukasa如何检查问题是否与请求或证书颁发者有关?
我有一个由 Entrust 颁发的证书,当我浏览到 URL 时,我的浏览器对它非常满意。
但是当我尝试通过请求访问该 URL 时,我有[SSL: CERTIFICATE_VERIFY_FAILED]
完整追溯
$ python main.py
Traceback (most recent call last):
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 835, in _validate_conn
conn.connect()
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/local/Cellar/python3/3.5.1/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 376, in wrap_socket
_context=self)
File "/usr/local/Cellar/python3/3.5.1/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 747, in __init__
self.do_handshake()
File "/usr/local/Cellar/python3/3.5.1/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 983, in do_handshake
self._sslobj.do_handshake()
File "/usr/local/Cellar/python3/3.5.1/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 628, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "main.py", line 64, in <module>
r = s.get('https://infoproducts.alcatel-lucent.com/cgi-bin/get_doc_list.pl?entry_id=1-0000000000662&srch_how=&srch_str=&release=&model=&category=&contype=&format=&sortby=&how=all_prod',
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/sessions.py", line 501, in get
return self.request('GET', url, **kwargs)
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/Users/romandodin/venvs/nokdok/lib/python3.5/site-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
安装包
$ pip list
certifi (2016.9.26)
pip (9.0.1)
requests (2.12.4)
setuptools (32.3.1)
wheel (0.29.0)
证书详情
Subject infoproducts.alcatel-lucent.com
SAN infoproducts.alcatel-lucent.com
documentation.alcatel-lucent.com
Valid From Thu, 01 Dec 2016 13:15:08 GMT
Valid Until Sat, 01 Dec 2018 13:45:07 GMT
Issuer Entrust Certification Authority - L1K
hellt
于 2017-01-03
问题几乎肯定不在于发行者,而在于您的服务器。 你能告诉我在你的服务器上运行openssl s_client -connect "<your-host>:<your-port>" -showcerts -servername "<your-host>"的输出吗?
Lukasa
于 2017-01-03
我不确定我是否正确使用了命令,但这是有道理的:
$ openssl s_client -connect "infoproducts.alcatel-lucent.com:443" -showcerts -servername "infoproducts.alcatel-lucent.com"
CONNECTED(00000003)
depth=0 /C=US/ST=Illinois/L=Naperville/O=Alcatel-Lucent USA Inc./CN=infoproducts.alcatel-lucent.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Illinois/L=Naperville/O=Alcatel-Lucent USA Inc./CN=infoproducts.alcatel-lucent.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Illinois/L=Naperville/O=Alcatel-Lucent USA Inc./CN=infoproducts.alcatel-lucent.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Illinois/L=Naperville/O=Alcatel-Lucent USA Inc./CN=infoproducts.alcatel-lucent.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
-----BEGIN CERTIFICATE-----
MIIFeDCCBGCgAwIBAgIRAO3KTvH+nKgrAAAAAFDanDYwDQYJKoZIhvcNAQELBQAw
gboxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQL
Ex9TZWUgd3d3LmVudHJ1c3QubmV0L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykg
MjAxMiBFbnRydXN0LCBJbmMuIC0gZm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxLjAs
BgNVBAMTJUVudHJ1c3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBMMUswHhcN
MTYxMjAxMTMxNTA4WhcNMTgxMjAxMTM0NTA3WjCBgTELMAkGA1UEBhMCVVMxETAP
BgNVBAgTCElsbGlub2lzMRMwEQYDVQQHEwpOYXBlcnZpbGxlMSAwHgYDVQQKExdB
bGNhdGVsLUx1Y2VudCBVU0EgSW5jLjEoMCYGA1UEAxMfaW5mb3Byb2R1Y3RzLmFs
Y2F0ZWwtbHVjZW50LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AK23xiJ/GCWNJa8Oa6SAYwT7QTmIJOXGrfLLZM9ZWDK81SVLm5xUAVRYaYmb3t/U
KpzeUoL+cJIa2xJGdbj50ehUTbB3SOXW7dxr15fuWahSChqaNkI/NClNAxy2Vho5
HxEtsjmuoJ0cNRcZLHZndLtWi27js3ivGxFxUcl7O3rGGj9yb+XXwJvEOsITPfZ/
gpURnHfAurZrw1+xpsArQVOF6+K6KkPnjGoCj0XCyU3LnWc6akcwwwV+HXcW8H5G
/CPvcm3DpI+45v/P2vVJ9+LiEJVHngVYK2QQ8fMDrvS2vs563I4PLnnRds0eOJph
LfHmn87oSW5jCP3RnsW0czECAwEAAaOCAa4wggGqMA4GA1UdDwEB/wQEAwIFoDAT
BgNVHSUEDDAKBggrBgEFBQcDATAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
LmVudHJ1c3QubmV0L2xldmVsMWsuY3JsMEsGA1UdIAREMEIwNgYKYIZIAYb6bAoB
BTAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAIBgZn
gQwBAgIwaAYIKwYBBQUHAQEEXDBaMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5l
bnRydXN0Lm5ldDAzBggrBgEFBQcwAoYnaHR0cDovL2FpYS5lbnRydXN0Lm5ldC9s
MWstY2hhaW4yNTYuY2VyMEwGA1UdEQRFMEOCH2luZm9wcm9kdWN0cy5hbGNhdGVs
LWx1Y2VudC5jb22CIGRvY3VtZW50YXRpb24uYWxjYXRlbC1sdWNlbnQuY29tMB8G
A1UdIwQYMBaAFIKicHTdvFM/z3vU981/p2DGCky/MB0GA1UdDgQWBBT9w+iH+fpG
UJ0IMw1vVpn+91hk6jAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAgOcDq
0YsihBWAxA4WFIGkdB/JdOKLRQ0Hvc7KStgtdkB1AqkUv7oBnDCHesazw4vyWbjv
w7dBTtB95jq1ZHX6eHyUDUo2xBmjnaeb2lSAdVV6j10sl7lMfRQh7ba1Im0ibhfe
7gvBn0tUlmdGqqvDqokzV4lVX74Z9nKKKr5D9e3vJsb5AvbDC/eYguBK9Oy8EDa2
ZcuPve3mB68lVy5UDg21RVZE072qC0FlYhNasZlMVUUg7tgDMlynQeeoxHe7Rcic
pHANQxJqtN8/bsE2mO/ryRZALyC7mWeDvG522ZXMaKslwTUr+jokpyUF7tS786Pi
n4zJ/KNZK2suVwcK
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Illinois/L=Naperville/O=Alcatel-Lucent USA Inc./CN=infoproducts.alcatel-lucent.com
issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
---
No client certificate CA names sent
---
SSL handshake has read 1556 bytes and written 466 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 48D3C9611E37C997182C4F123E21BCFD909D8D4BE887B44355866B80D44E1163
Session-ID-ctx:
Master-Key: 0A4A9E2A10E33EAA248541C39AC71F2F879310BAE141A4EA26F425D56C27099FB6D6572C2CCFC763FC743ECF99DABB5B
Key-Arg : None
Start Time: 1483448892
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed
是的,所以服务器是错误的。
这是 TLS 的一个非常常见的问题。 TLS 证书验证是通过首先构建一个证书链来执行的,该
在大多数情况下,这条链的长度超过两步:也就是说,叶子不是由根签名,而是由所谓的中间证书签名。 该中间体本身可能由根签名,但也可能由其他中间体签名,直到我们最终到达由根签名的中间体。
例如,对于https://python-hyper.org ,链如下:
- python-hyper.org,我申请并发布的“叶子”
- Let's Encrypt Authority X3,Let's Encrypt 项目使用的中间证书
- DST Root CA X3,我的网络浏览器(和请求)信任的根证书
您正在访问的网站的正确链应该是:
- infoproducts.alcatel-lucent.com,叶子
- 委托证书颁发机构 - L1K,颁发叶子的中间证书
- 委托根证书颁发机构 - G2,颁发中间证书的根证书
对于您的用例,Requests 在其信任数据库中附带证书编号 3 作为受信任的根。 但是,您的服务器仅发送证书编号 1。如果没有证书 2,请求就无法从证书 1 转到证书 3,并且服务器不会发送它。 大多数浏览器都附带常用的中间证书,或者可以维护它们的缓存,但请求不能这样做,所以它无法获得证书 2。没有证书 2,验证必须失败。
正确配置的 TLS 服务器发送叶证书和所有必要的中介。 这是为了确保从未见过中介且无法动态获取它们的客户端仍然能够验证链。 作为比较,请查看像您这样针对python-hyper.org运行的命令的输出:
% openssl s_client -connect python-hyper.org:443 -showcerts -servername "python-hyper.org"
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=python-hyper.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFBDCCA+ygAwIBAgISAwji03rFoFMPZnEC0rLc7jg3MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAxMDExMjA4MDBaFw0x
NzA0MDExMjA4MDBaMBsxGTAXBgNVBAMTEHB5dGhvbi1oeXBlci5vcmcwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCjF6VMEOe2qHsdbAnYstunDCW5/fBx
yhzNAxSqZKA5qfATdvhDmiPFnHJkQgUkUeGDwbBwemxuUFUaGZKTJDRhlrymLSkN
hkcouBzs/mxDjNlKacokJBm3hpu+oxYohhxPIZBs8NM4olUPDSG68r6sd1EwR+Ia
Lw//nRsMpcrGNmYy+howiBvV3CbuYsbgB59bJ+5y6G2ZqeHMwzFZ+No1oQmBck9T
KAvCh5TteQphzcM9s9NZiB6Z9C0s+vBPKOc1uLssCI3hfr29Af203CX2xgyBjXH7
M4WS17o1zLgs3Q2V03gQ7AmhtgjuJ+2NRf/d6Bsmk8ZhGnyyf+qbY+G/AgMBAAGj
ggIRMIICDTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMD50AC8wul1eNKkGVxaAvXb
DSkDMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMHAGCCsGAQUFBwEB
BGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0
Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMBsGA1UdEQQUMBKCEHB5dGhvbi1oeXBlci5vcmcwgf4GA1UdIASB9jCB
8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRw
Oi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENl
cnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFy
dGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRl
IFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0
b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAgX00tBHyz9GiDQjw+Id7sbT1lrtHrmtR
DB+kofnq9pkwIExDXT0bAZ14EnU6atiVqhF3j3KxvxIfbNvmSr7emmhPwt+KqOf7
/1m+gxg3ode9LIg6oLtVOfulecxkS4/Wj990O40vuRNdy4XT4PSNze8iuJtGALoS
U9kP8G/V6VnrdbTYhSIIUW9nm0XQcOUbvupFWtiwE8vZw4t0pQloeECdMuALgVO/
1xSu0kqZgidLOkFwei/xqItx7foREzVvq3kUHD1OAuPI1azHQjErQC3N12OmxmBU
3KDOsaJC2Uu8fqI/y1YOkO97hpsgFZX4BiQNaNhtyy7sscD/teVhWQ==
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=python-hyper.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 2638 bytes and written 451 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: BBDF2CA65B2142C1F0C416B28C4FDF8FD5118ED4D5FF8802789D0B54C6309469
Session-ID-ctx:
Master-Key: BD9B8B97EC439248CC5849EBF4B2ED18E0A73472EB8D86FE6F038C4E6944AFD8A163D80D47A3A3B28A6237A44C1B31CE
Key-Arg : None
Start Time: 1483447980
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
请注意,在我的情况下,服务器发送了两个证书,而在您的情况下,它只发送了一个。
这是错误。 请重新配置您的服务器以发送所有相关中介以及叶子。
当我在这里时,我应该注意到在您的服务器上运行 Qualys SSL Labs 也会告诉您这个问题。 =)
Lukasa
于 2017-01-03
👍8
感谢@Lukasa为您提供的教育回复! 真的很感激也很抱歉给这个问题带来麻烦,这是我的 TLS-knowledge-gap =) 主要是我遇到了问题,因为 in 在浏览器中一切都很好,并且在请求中不起作用。 但现在我很清楚根本原因是什么。
我相信对于这种情况没有解决方法(预先下载中间证书),但是要重新配置服务器? 暂时我将跳过验证检查
hellt
于 2017-01-03
@helt无需道歉:这是一件非常不明显的事情,而且这是一个非常常见的错误,因此您在这里相处得很好。 =)
事实上,有一个解决方法。 您可以将证书包传递给verify以覆盖 certifi 包的使用。 除了根证书之外,此捆绑包还可以包含可供 OpenSSL 用于构建链的中间证书。 因此,您可以做的是获取 certifi 证书链(该链位于您可以通过运行python -c 'import certifi; print(certifi.where())'找到的文件中,将其复制到文件系统上的其他位置,然后将中间证书添加到该文件的结尾。中间必须是 PEM 格式。如果然后将新证书包的路径传递给verify kwarg,你会发现一切都开始工作了。
Lukasa
于 2017-01-03
卢卡,
如果我收到此类错误怎么办?
pip 安装证书
领取证书
无法获取 URL https://pypi.python.org/simple/certifi/ :确认 ssl 证书时出现问题:[Errno 2] 没有这样的文件或目录 - 跳过
找不到满足证书要求的版本(来自版本:)
没有找到证书的匹配分布
问
QuarantineENG
于 2017-03-02
似乎您在验证来自 PyPI 的 TLS 证书时遇到问题。 但是,该错误消息有点令人惊讶。 我不完全知道它来自哪里,但它表明 pip 的配置方式或 Python 存在问题。 使用其他python包是否遇到类似错误?
Lukasa
于 2017-03-02
大家好,
我正在尝试在我组织的内部网中使用 Python 进行 kerberos 身份验证,但收到此错误。
进口请求
从 requests_kerberos 导入 HTTPKerberosAuth
r = requests.get("https: * * * * * ", auth=HTTPKerberosAuth())
SSLError: ("握手错误:错误([('SSL 例程', 'ssl3_get_server_certificate', '证书验证失败')],)",)
有谁知道如何为 Python 添加证书? 这有助于解决这个问题吗?
ajitmuley5
于 2017-10-10
@ajitmuley5在您使用请求时,诸如您的问题属于 StackOverflow。 请在那里张贴所需的详细信息。 有些人会很乐意帮助您,而无需开始讨论旧的和封闭的问题。
sigmavirus24
于 2017-10-10
@Lukasa谢谢! sudo pip install -U requests[security] 对我有用。
yk2kus
于 2017-12-04
👍1
谢谢大家,我有一些想法!
nickliqian
于 2018-03-07
此页面是否有帮助?
0 / 5 - 0 等级
相关问题
xsren
·
3评论
ghtyrant
·
3评论
jakul
·
3评论
iLaus
·
3评论
thadeusb
·
3评论
最有用的评论
啊哈,好的,我们到了。
api.smartsheet.com使用所谓的“交叉签名证书”为其 TLS 提供服务。 之所以使用它,是因为api.smartsheet.com的 CA 威瑞信最初使用的是 1024 位根证书。 这些已被弃用并被更强大的根证书取代,但一些较旧的浏览器和系统可能没有收到更新,因此像api.smartsheet.com这样的网站提供由 1024 位根签名的根证书。这通常不是问题,_except_:
certifi删除了弱的 1024 位根您可以通过两种方式解决此问题。 第一种更好但更激进的方法是将您的 OpenSSL 升级到 1.0.2 或更高版本。 恐怕这在 Centos 上很难做到。 不太好但更有效的方法是获取运行
python -c "import certifi; print certifi.old_where()"的输出,然后将REQUESTS_CA_BUNDLE环境变量设置为打印路径。