我是一家拥有自签名证书的公司代理,我想通过
tensorstore
安装 pip
。 pip
显然会下载并运行一个 Python 脚本 bazelisk.py
,而该脚本又使用 urllib
从互联网上获取更多内容。但是,此操作失败并显示 CERTIFICATE_VERIFY_FAILED
错误消息:
$ pip install --trusted-host=example.com --index-url=http://example.com/pypi/simple
...
Downloading https://releases.bazel.build/6.4.0/release/bazel-6.4.0-linux-arm64...
Traceback (most recent call last):
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/urllib/request.py", line 1346, in do_open
h.request(req.get_method(), req.selector, req.data, headers,
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/http/client.py", line 1285, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/http/client.py", line 1331, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/http/client.py", line 1280, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/http/client.py", line 1040, in _send_output
self.send(msg)
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/http/client.py", line 980, in send
self.connect()
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/http/client.py", line 1454, in connect
self.sock = self._context.wrap_socket(self.sock,
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/ssl.py", line 1040, in _create
self.do_handshake()
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/tmp/pip-install-ycop_psv/tensorstore_1008eee73d464825b2e191c044b9e306/bazelisk.py", line 492, in <module>
sys.exit(main())
File "/tmp/pip-install-ycop_psv/tensorstore_1008eee73d464825b2e191c044b9e306/bazelisk.py", line 477, in main
bazel_path = get_bazel_path()
File "/tmp/pip-install-ycop_psv/tensorstore_1008eee73d464825b2e191c044b9e306/bazelisk.py", line 470, in get_bazel_path
return download_bazel_into_directory(bazel_version, is_commit, bazel_directory)
File "/tmp/pip-install-ycop_psv/tensorstore_1008eee73d464825b2e191c044b9e306/bazelisk.py", line 304, in download_bazel_into_directory
download(bazel_url, destination_path)
File "/tmp/pip-install-ycop_psv/tensorstore_1008eee73d464825b2e191c044b9e306/bazelisk.py", line 353, in download
with closing(urlopen(request)) as response, open(destination_path, "wb") as file:
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/urllib/request.py", line 214, in urlopen
return opener.open(url, data, timeout)
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/urllib/request.py", line 517, in open
response = self._open(req, data)
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/urllib/request.py", line 534, in _open
result = self._call_chain(self.handle_open, protocol, protocol +
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/urllib/request.py", line 494, in _call_chain
result = func(*args)
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/urllib/request.py", line 1389, in https_open
return self.do_open(http.client.HTTPSConnection, req,
File "/home/user/anaconda3/envs/PyTorch-1.11.0/lib/python3.9/urllib/request.py", line 1349, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129)>
error: command '/home/user/anaconda3/envs/PyTorch-1.11.0/bin/python3.9' failed with exit code 1
----------------------------------------
ERROR: Failed building wheel for tensorstore
Failed to build tensorstore
ERROR: Could not build wheels for tensorstore which use PEP 517 and cannot be installed directly
我已经从 Huggingface 等软件中知道了这个错误消息,并且在很多情况下都设法解决了它。
我已经将所需的公司证书放入
/etc/pki/ca-trust/source/anchors
并随后运行 update-ca-trust
(注意:我使用的是 CentOS 派生的发行版)。通过验证时间戳和/etc/pki/tls/cert.pem
的内容,我确保更新成功。 curl https://www.google.com
有效。但pip install
仍然失败。
pip install certifi
,然后重试了。仍然失败。 certifi
实际上安装的是requests
的证书,自然不包括我们公司的自签名证书。因此,我将 certifi 的 PEM 文件替换为上述 /etc/pki/tls/cert.pem
:
mv "$(python -m certifi)"{,.bak}
ln -s "/etc/pki/tls/cert.pem" "$(python -m certifi)"
但这并没有改变什么。
pip install tensorstore
仍然失败并出现上述错误。
REQUESTS_CA_BUNDLE
在这里不起作用,因为不涉及requests
。
目前我还不清楚。网上向我提供的任何解决方案都仅围绕我已经提到的解决方案。即使是快速而肮脏的
verify=False
等效、PYTHONHTTPSVERIFY或未经验证的SSL上下文也无法应用于我当前的情况,因为脚本运行是临时的,每次我尝试安装时都会下载。
那么,我该如何解决这个问题呢?
设置
SSL_CERT_FILE
成功引导 Python 的 urllib
到正确的 PEM 文件:
$ export SSL_CERT_FILE=/etc/pki/tls/cert.pem
$ pip install --trusted-host=example.com --index-url=http://example.com/pypi/simple tensorstore
但是现在,另一个可能不相关的问题发生了。 Java中的SSL证书问题...