Python 为什么我会收到一个似乎是有效证书的证书验证错误?
我正在运行一个Docker守护程序,该守护程序受本地生成的ssl证书保护。Docker连接到服务器时没有问题。当我尝试使用Python 为什么我会收到一个似乎是有效证书的证书验证错误?,python,docker,ssl,python-requests,Python,Docker,Ssl,Python Requests,我正在运行一个Docker守护程序,该守护程序受本地生成的ssl证书保护。Docker连接到服务器时没有问题。当我尝试使用请求模块连接时,我收到一个验证错误: >>> import requests >>> requests.get('https://docker.local:2376') Traceback (most recent call last):
请求>>> import requests
>>> requests.get('https://docker.local:2376')
Traceback (most recent call last):
[...]
File "/usr/lib64/python3.9/ssl.py", line 1099, in read
return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2627)
请求>>> import requests
>>> s = requests.Session()
>>> s.verify = '/home/buzzword/.docker/ca.pem'
>>> s.get('https://docker.local:2376')
Traceback (most recent call last):
[...]
File "/usr/lib64/python3.9/ssl.py", line 1099, in read
return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2627)
openssl$ openssl s_client -connect docker.local:2376 > docker.crt
depth=1 ...
verify return:1
depth=0 CN = docker.local
verify return:1
140520382674752:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1543:SSL alert number 42
openssl verify$ openssl verify docker.crt
docker.crt: OK
dockeropenssl验证请求openssl s_客户端这是关于证书的
openssl x509…Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8238984585537887426 (0x7256c0d41ae79cc2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
Validity
Not Before: Jan 30 21:57:00 2021 GMT
Not After : Jan 9 13:05:00 2030 GMT
Subject: CN = docker.local
[...]
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
56:AC:73:3C:92:87:8F:F2:30:F6:6A:10:14:3E:8B:7F:B7:CD:0C:AD
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:docker.local
Netscape Cert Type:
SSL Server
Netscape Comment:
xca certificate
/etc/pki/tls/certs/ca bundle.crtCertificate:
Data:
Version: 3 (0x2)
Serial Number: 5876977844214468982 (0x518f3836353e9176)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
Validity
Not Before: Jan 9 13:05:00 2020 GMT
Not After : Jan 9 13:05:00 2030 GMT
Subject: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
[...]
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
3F:62:D2:9A:65:37:91:E1:42:79:16:28:E7:A6:89:45:C5:01:4D:EB
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape Comment:
xca certificate
请求时。获取您没有提供证书。你想要的是:
>>> requests.get(
... 'https://docker.local:2376',
... cert=['/home/buzzword/.docker/cert.pem', '/home/buzzword/.docker/key.pem']
... )
(假设您的~/.docker
目录)证书是否包含完整的链?另外,根据环境变量REQUESTS\u CA\u BUNDLE
,应该设置它。如果它是自签名证书,它将始终无法通过验证。您可以将参数verify=False
添加到请求中。获取调用以不验证。它不是自签名证书(由本地证书颁发机构签名,其ca证书安装在系统证书捆绑包中,也安装在~/.docker/ca.pem
中)。显然,当使用docker
客户端时,它可以很好地验证。@AndrejKesely我相信设置请求\u CA\u BUNDLE
应该具有与显式地将会话
对象的验证
属性设置为证书捆绑包相同的效果。我在设置请求\u CA\u BUNDLE
时尝试过,但同样失败。谢谢,就是这样。