How to ignore security warnings thrown when using pip install to private pypi server using self signed cert
I have what I believe is a niche scenario. I have a pypi server running on a Linux server. Retrieving packages from it using:
pip install --extra-index-url http://<IP>:8080 MyPackage
Works as one would expect with the package being downloaded from the private repo.
However since introducing a self signed certificate into the equation (I do not have a domain for this IP) using the following command:
pip install --cert apache-selfsigned.crt --extra-index-url https://UN:PW@<IP>:443 MyPackage
I get the following errors (though it does still work as you can see at the bottom):
Collecting MyPackage
Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
/usr/share/python-wheels/urllib3-1.22-py2.py3-none-any.whl/urllib3/connectionpool.py:860: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
Installing collected packages: MyPackage
Successfully installed MyPackage-0.2.0
I use Apache2 to act as a reverse proxy to forward port 443 onto the pypi port. The certificate is 'valid' but obviously not registered with a CA. It works fine for encryption and for connecting via a web browser (once I accept the 'risks'). So I know the cert/key are working correctly.
It seems highly inefficient for pip to try 5 times and fail before deciding to go ahead with the unverified certificate. Is there something amiss in the cert? Or is it just that pip's dependencies don't like self signed certs, and will always fail 5 times before admitting it's OK?
When using --extra-index-url, pip will still use PyPI along your extra index when searching for a package. Unfortunately, there is no way to specify an "extra-index cert" so when you pass --cert, pip will use the cert against all index hosts including pypi.org. This is why you get the certificate verify failed errors. To circumvent this, you can:
--cert at all. The exact steps are OS-dependent, also you'll need additional steps for virtual envs.
--index-url=<IP> --cert=my.crt - beware that in that case pip will not query PyPI at all, so you will be able to install only packages that are offered by your own index. Decent index servers like devpi can act as a proxy to PyPI though, so not so much of an issue.
--extra-index-url=<IP> --cert=my.cert --trusted-host=pypi.org --trusted-host=files.pythonhosted.org - this will skip the PyPI hosts verification, thus unsafe and should only be a temporary workaround.
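An added example, not part of the original question or answer: the answer's point that the file passed to --cert is applied to every index host, reproduced offline with openssl verify. pip documents --cert as overriding the default CA bundle; the certificate names and the combined bundle are assumptions of this example, and every certificate is a throwaway generated locally.

```shell
#!/bin/sh
# Added example: every key and certificate here is a throwaway generated locally.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Self-signed certificate standing in for the private index (like apache-selfsigned.crt).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=private-index" \
    -keyout "$work/private.key" -out "$work/private.crt" 2>/dev/null

# Throwaway CA and a leaf it signs, standing in for the chain a public index presents.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Public CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=public-index" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/leaf.crt" 2>/dev/null

# One bundle holding both trust anchors.
cat "$work/private.crt" "$work/ca.crt" > "$work/combined.pem"

# Succeeds only if LEAF chains to an anchor in BUNDLE. The demo CA is in no
# system store, so the result depends on BUNDLE alone.
chain_ok() {  # usage: chain_ok BUNDLE LEAF
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # usage: report LABEL BUNDLE LEAF
    if chain_ok "$2" "$3"; then
        echo "$1: verified"
    else
        echo "$1: certificate verify failed"
    fi
}

report "private index, self-signed cert only" "$work/private.crt" "$work/private.crt"
report "public index,  self-signed cert only" "$work/private.crt" "$work/leaf.crt"
report "private index, combined bundle" "$work/combined.pem" "$work/private.crt"
report "public index,  combined bundle" "$work/combined.pem" "$work/leaf.crt"
```

With a real setup the second set of anchors would be the public CA bundle pip normally uses, not a single demo CA.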