我正在尝试通过请求库将HTTP请求发送到服务器(只能从特定网络访问,因此所有名称都组成了),但是我收到SSL错误。
我的代码:
site_auth = HTTPBasicAuth("user", "password") response = requests.get("https://my.hidden.site.com", auth=site_auth , verify="location/src/mycertfile.pem")
我也尝试过这个:
site_auth = HTTPBasicAuth("user", "password") response = requests.get("https://my.hidden.site.com", auth=site_auth , verify=True, cert="location/src/mycertfile.pem")
但是结果是相同的堆栈跟踪。
Stacktrace:
Traceback (most recent call last): File "location\.venv\lib\site-packages\urllib3\connectionpool.py", line 670, in urlopen httplib_response = self._make_request( File "location\.venv\lib\site-packages\urllib3\connectionpool.py", line 381, in _make_request self._validate_conn(conn) File "location\.venv\lib\site-packages\urllib3\connectionpool.py", line 976, in _validate_conn conn.connect() File "location\.venv\lib\site-packages\urllib3\connection.py", line 361, in connect self.sock = ssl_wrap_socket( File "location\.venv\lib\site-packages\urllib3\util\ssl_.py", line 377, in ssl_wrap_socket return context.wrap_socket(sock, server_hostname=server_hostname) File "C:\Users\Adam\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 500, in wrap_socket return self.sslsocket_class._create( File "C:\Users\Adam\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1040, in _create self.do_handshake() File "C:\Users\Adam\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "location\.venv\lib\site-packages\requests\adapters.py", line 439, in send resp = conn.urlopen( File "location\.venv\lib\site-packages\urllib3\connectionpool.py", line 724, in urlopen retries = retries.increment( File "location\.venv\lib\site-packages\urllib3\util\retry.py", line 439, in increment raise MaxRetryError(_pool, url, error or ResponseError(cause)) urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='my.hidden.site.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)'))) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "location/main_playground.py", line 15, in <module> response = requests.get("https://my.hidden.site.com", auth=rt_auth, verify="location/mycertfile.pem") File "location\.venv\lib\site-packages\requests\api.py", line 76, in get return request('get', url, params=params, **kwargs) File "location\.venv\lib\site-packages\requests\api.py", line 61, in request return session.request(method=method, url=url, **kwargs) File "location\.venv\lib\site-packages\requests\sessions.py", line 530, in request resp = self.send(prep, **send_kwargs) File "location\.venv\lib\site-packages\requests\sessions.py", line 643, in send r = adapter.send(request, **kwargs) File "location\.venv\lib\site-packages\requests\adapters.py", line 514, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='my.hidden.site.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))
我正在使用这些版本的库:
requests==2.23.0 urllib3==1.25.9
我已经用Google搜索了很多,但对我没有用。我已经手动下载了证书链,并创建了我的.pem文件,并使用openssl verify检查了该文件。我里面有3个证书,并按照从上到下的顺序从根到目标站点进行排序:
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
奇怪的是,即使没有.pem文件和显式启用的证书,urrlib3仍然可以正常工作,代码:
http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED') r = http.request('GET', "https://my.hidden.site.com", fields={'user': "user", 'pass': "password"}) print(r) print(r.data.decode('utf-8'))
另一个奇怪的是,curl默认情况下不起作用,但是在提供.pem文件时它应该像应该的那样工作,所以请求也应该如此,对吧?
curl https://my.hidden.site.com --cacert mycertfile.pem
我也尝试过邮递员,但即使在设置中选择了.pem文件,他也不起作用。
Could not get any response There was an error connecting to https://my.hidden.site.com.
我也尝试在计算机(Windows 10)上安装根证书和中间证书,但这没有效果。有谁知道什么是错的,或者下一步我应该检查什么?
感谢您的帮助
//编辑1
我已经通过使用此命令并从中提取3个密钥来创建证书链。我已经更改了.pem文件的顺序,就像我已经提到的那样,因此根CA的密钥将在.pem文件中排在第一位,中间是第二位,而my.hidden.site.com的密钥在第三位。
我看到有几行无法获得本地发行者证书
验证错误:num = 21:无法验证第一个证书,但我不知道这是否是一个问题,或者可能缺少某些内容。$ openssl s_client -showcerts -connect my.hidden.site.com:443
CONNECTED(0000017C)
---
Certificate chain
0 s:SECRET LINE my.hidden.site.com
i:SECRET LINE intermediate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:SECRET LINE intermediate
i:SECRET LINE root ca
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2 s:SECRET LINE root ca
i:SECRET LINE root ca
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=SECRET LINE my.hidden.site.com
issuer=SECRET LINE intermediate
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4618 bytes and written 444 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: <HIDDEN_SESSION_ID>
Session-ID-ctx:
Master-Key: <HIDDEN_MASTER_KEY>
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
<HIDDEN_SESSION_TICKET>
Start Time: 1588693969
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
closed
depth=0 HIDDEN DETAILS, CN = my.hidden.site.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 HIDDEN DETAILS CN = my.hidden.site.com
verify error:num=21:unable to verify the first certificate
verify return:1
我正在尝试通过请求库将HTTP请求发送到服务器(只能从特定网络访问,因此所有名称都组成了),但是我收到SSL错误。我的代码:site_auth = HTTPBasicAuth(“ user”,...
requests.get("https://my.hidden.site.com", auth=site_auth , verify=True, cert="location/src/mycertfile.pem")