SSL3_GET_SERVER_CERTIFICATE certificate verify failed on Python when requesting (only) *.google.com

I have encountered a really strange bug that has to do with SSL and python to google.com (or more generally I think with domains that have multiple certificate chains). Whenever I try to do a request to https://*.google.com/whatever I get the following error:

SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",) while doing GET request to URL: https://google.com/

What I have done so far

I have gone through many hoops trying to get this working and am resorting to posting to Stack Overflow now that I don't know what to do. Here is what I have tried:

  1. Noticed that date returned a date that was 2 minutes behind the real time (potentially invalidating my cert). I fixed this assuming it would validate the cert. This did not fix the issue.

  2. Found out that Python 2.7.9 backported some SSL libraries from Python 3. I upgraded from Python 2.7.6 to 2.7.9 assuming the updates (which include fixes listed in this thread: https://serverfault.com/questions/692110/error-with-python2-as-a-https-client-with-an-nginx-server-and-ssl-certificate-ch ) would fix it. No luck, same error.

  3. Obviously setting verify=False works, but we are not willing to budge on security, we need to get verify=True to work.

  4. curl https://google.com also works as expected. This is how I know it has to do with Python.

Environment

$ python -V
Python 2.7.9

$ pip list | grep -e requests
requests (2.9.1)

$ uname -a  # ubuntu 14.04
Linux staging.example.com 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Example

This is only happening for google domains over https. Here is an example:

$ ipython
Python 2.7.9 (default, Jan  6 2016, 21:37:32)
Type "copyright", "credits" or "license" for more information.

IPython 4.0.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: import requests

In [2]: requests.get('https://facebook.com', verify=True)
Out[2]: <Response [200]>

In [3]: requests.get('https://stackoverflow.com', verify=True)
Out[3]: <Response [200]>

In [4]: requests.get('https://spotify.com', verify=True)
Out[4]: <Response [200]>

In [5]: requests.get('http://google.com', verify=True) # notice the http
Out[5]: <Response [200]>

In [6]: requests.get('https://google.com', verify=True)
---------------------------------------------------------------------------
SSLError                                  Traceback (most recent call last)
<ipython-input-6-a7fff1831944> in <module>()
----> 1 requests.get('https://google.com', verify=True)

/example/.virtualenv/example/lib/python2.7/site-packages/requests/api.pyc in get(url, params, **kwargs)
     65
     66     kwargs.setdefault('allow_redirects', True)
---> 67     return request('get', url, params=params, **kwargs)
     68
     69

/example/.virtualenv/example/lib/python2.7/site-packages/requests/api.pyc in request(method, url, **kwargs)
     51     # cases, and look like a memory leak in others.
     52     with sessions.Session() as session:
---> 53         return session.request(method=method, url=url, **kwargs)
     54
     55

/example/.virtualenv/example/lib/python2.7/site-packages/requests/sessions.pyc in request(self, method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)
    466         }
    467         send_kwargs.update(settings)
--> 468         resp = self.send(prep, **send_kwargs)
    469
    470         return resp

/example/.virtualenv/example/lib/python2.7/site-packages/requests/sessions.pyc in send(self, request, **kwargs)
    574
    575         # Send the request
--> 576         r = adapter.send(request, **kwargs)
    577
    578         # Total elapsed time of the request (approximately)

/example/.virtualenv/example/lib/python2.7/site-packages/requests/adapters.pyc in send(self, request, stream, timeout, verify, cert, proxies)
    445         except (_SSLError, _HTTPError) as e:
    446             if isinstance(e, _SSLError):
--> 447                 raise SSLError(e, request=request)
    448             elif isinstance(e, ReadTimeoutError):
    449                 raise ReadTimeout(e, request=request)

SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

I found a solution. There seems to be a major issue in the version of certifi that was running. I found this out from this (very long) GitHub issue: https://github.com/certifi/python-certifi/issues/26

TL;DR

pip uninstall -y certifi && pip install certifi==2015.04.28
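
To confirm that the CA bundle, rather than the server or the clock, is what breaks verification, the same verified handshake can be tried against each candidate trust store. The following is an added example, not part of the original question or answer; it uses only the standard library ssl module (not the code path requests takes), and the function names, host and bundle paths are assumptions to adjust.

```python
import os
import socket
import ssl


def trust_store_report():
    """Collect the facts that decide which CA roots a verified request trusts."""
    paths = ssl.get_default_verify_paths()
    report = {
        "openssl": ssl.OPENSSL_VERSION,
        "system_cafile": paths.cafile,
        # requests reads this variable to override its default bundle
        "REQUESTS_CA_BUNDLE": os.environ.get("REQUESTS_CA_BUNDLE"),
    }
    try:
        import certifi  # optional; absent on hosts without requests/certifi
        report["certifi_version"] = getattr(certifi, "__version__", "unknown")
        report["certifi_bundle"] = certifi.where()
    except ImportError:
        report["certifi_version"] = report["certifi_bundle"] = None
    return report


def probe(host, cafile=None, port=443, timeout=5.0):
    """Try a verified TLS handshake trusting only `cafile` (None = system store)."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
    except (IOError, OSError) as exc:  # missing or unparsable bundle
        return ("bundle-error", str(exc))
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except (IOError, OSError) as exc:
        return ("unreachable", str(exc))
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
        issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
        tls.close()
        return ("verified", issuer.get("organizationName", ""))
    except (ssl.SSLError, ssl.CertificateError) as exc:
        return ("tls-failed", str(exc))  # includes "certificate verify failed"
    except (IOError, OSError) as exc:
        return ("unreachable", str(exc))
    finally:
        sock.close()


def compare(host, bundles):
    """Probe once per named bundle so a bundle-specific failure stands out."""
    return {name: probe(host, path) for name, path in bundles.items()}
```

On the affected host, call compare("google.com", {"system": None, "certifi": trust_store_report()["certifi_bundle"]}). A tls-failed result for only one bundle points at that bundle rather than at the server or the clock.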
