Python: Why do I get a certificate verification error for a certificate that appears to be valid?
I am running a Docker daemon protected by locally generated SSL certificates. Docker connects to the server without any problem. When I try to connect with the Python requests module, I get a verification error:
>>> import requests
>>> requests.get('https://docker.local:2376')
Traceback (most recent call last):
[...]
File "/usr/lib64/python3.9/ssl.py", line 1099, in read
return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2627)
The error does not give any detail beyond "bad certificate".
To be sure, I tried pointing requests explicitly at the same CA file that docker is using, but I got the same error:
>>> import requests
>>> s = requests.Session()
>>> s.verify = '/home/buzzword/.docker/ca.pem'
>>> s.get('https://docker.local:2376')
Traceback (most recent call last):
[...]
File "/usr/lib64/python3.9/ssl.py", line 1099, in read
return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2627)
If I use openssl to fetch the certificate, I also see some errors:
$ openssl s_client -connect docker.local:2376 > docker.crt
depth=1 ...
verify return:1
depth=0 CN = docker.local
verify return:1
140520382674752:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1543:SSL alert number 42
However, if I explicitly verify the certificate with the openssl verify command, it returns successfully:
$ openssl verify docker.crt
docker.crt: OK
Why are docker and openssl verify happy, but requests and openssl s_client are not?
This is what openssl x509 ... says about the certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8238984585537887426 (0x7256c0d41ae79cc2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
Validity
Not Before: Jan 30 21:57:00 2021 GMT
Not After : Jan 9 13:05:00 2030 GMT
Subject: CN = docker.local
[...]
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
56:AC:73:3C:92:87:8F:F2:30:F6:6A:10:14:3E:8B:7F:B7:CD:0C:AD
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:docker.local
Netscape Cert Type:
SSL Server
Netscape Comment:
xca certificate
The signing authority's certificate is provided in /etc/pki/tls/certs/ca-bundle.crt and looks like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5876977844214468982 (0x518f3836353e9176)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
Validity
Not Before: Jan 9 13:05:00 2020 GMT
Not After : Jan 9 13:05:00 2030 GMT
Subject: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
[...]
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
3F:62:D2:9A:65:37:91:E1:42:79:16:28:E7:A6:89:45:C5:01:4D:EB
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape Comment:
xca certificate
The "bad certificate" error means that your server wants your client to authenticate with its own certificate, but you are not providing one when calling requests.get. What you want is:
>>> requests.get(
...     'https://docker.local:2376',
...     cert=['/home/buzzword/.docker/cert.pem', '/home/buzzword/.docker/key.pem']
... )
(assuming your ~/.docker directory)

Does the certificate contain the full chain? Also, there is the environment variable REQUESTS_CA_BUNDLE; it should be set. If it is a self-signed certificate, it will always fail verification. You can add the parameter verify=False to the requests.get call to skip verification.

It is not a self-signed certificate (it is signed by a local certificate authority whose CA certificate is installed in the system certificate bundle and also in ~/.docker/ca.pem). Obviously, it validates fine when using the docker client.

@AndrejKesely I believe setting REQUESTS_CA_BUNDLE should have the same effect as explicitly setting the verify attribute of the Session object to the certificate bundle. I tried with REQUESTS_CA_BUNDLE set and it failed in the same way.

Thanks, that's it.
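The thread above turns on two requests settings that are easy to conflate: verify= says which CA to trust for the server's certificate, while cert= says which certificate and key to present as the client. The question only ever set the first. Because the alert in the traceback is received from the server (the s_client output shows "SSL alert number 42", bad_certificate), verify=False on the client side would not have changed the outcome either; only presenting a client certificate the daemon trusts does. The following is an added example, not code from the question, the answer or the Docker project. It assembles the requests keyword arguments from a docker-style certificate directory (ca.pem, cert.pem, key.pem in $DOCKER_CERT_PATH or ~/.docker, the layout the docker CLI uses) and triages the TLS error strings seen on this page by which side refused. The helper names docker_tls_kwargs, classify_tls_error and make_demo_cert_dir are hypothetical, and the placeholder files the demo creates are constructed stand-ins, not real PEM material.

```python
"""Added example (not from the original post): map docker-style TLS material to
requests' two independent knobs, and triage which side of the handshake refused.

  verify=  -> which CA to trust for the SERVER's certificate
  cert=    -> which certificate/key to present as the CLIENT

Assumptions (hypothetical, not from the page): the helper names below, and a
directory laid out like the docker CLI expects: ca.pem, cert.pem, key.pem.
"""
import os
import tempfile
from collections import namedtuple
from pathlib import Path

TLS_FILES = ("ca.pem", "cert.pem", "key.pem")


def docker_tls_kwargs(cert_dir=None):
    """Build the kwargs for requests.get()/requests.Session from a cert directory.

    Raises FileNotFoundError naming every missing file, so a wrong directory does
    not silently degrade into the one-sided TLS the question ran into.
    Usage: requests.get('https://docker.local:2376', **docker_tls_kwargs())
    """
    base = Path(cert_dir or os.environ.get("DOCKER_CERT_PATH") or Path.home() / ".docker")
    paths = {name: base / name for name in TLS_FILES}
    missing = [str(p) for p in paths.values() if not p.is_file()]
    if missing:
        raise FileNotFoundError("missing TLS material: " + ", ".join(missing))
    return {
        "verify": str(paths["ca.pem"]),                           # trust this CA for the server
        "cert": (str(paths["cert.pem"]), str(paths["key.pem"])),  # authenticate ourselves to it
    }


Diagnosis = namedtuple("Diagnosis", "who_rejected fix")

# Alerts a server sends about the certificate the client presented (or did not
# present). Numbers per RFC 5246 section 7.2.2; 42 is the one in the question.
_PEER_REJECTED_US = {
    "bad certificate": 42,
    "unsupported certificate": 43,
    "certificate revoked": 44,
    "certificate expired": 45,
    "certificate unknown": 46,
    "unknown ca": 48,
}


def classify_tls_error(message):
    """Triage an ssl.SSLError / requests.exceptions.SSLError message.

    'alert <reason>' in an OpenSSL error means the alert was RECEIVED from the
    peer, so verify=False on our side cannot fix it: the server is refusing us.
    CERTIFICATE_VERIFY_FAILED is the opposite direction: we refused the server's
    certificate, which is what verify= (or REQUESTS_CA_BUNDLE) addresses.
    """
    text = message.lower()
    for reason, number in _PEER_REJECTED_US.items():
        if f"alert {reason}" in text or f"alert number {number}" in text:
            return Diagnosis(
                "server",
                f"server sent TLS alert {number} ({reason.replace(' ', '_')}) about OUR certificate: "
                "pass cert=(cert.pem, key.pem) and make sure the server trusts the CA that issued it",
            )
    if "certificate_verify_failed" in text:
        return Diagnosis(
            "client",
            "we rejected the SERVER's certificate: point verify= (or REQUESTS_CA_BUNDLE) at the right CA bundle",
        )
    if "hostname mismatch" in text or "doesn't match" in text:
        return Diagnosis("client", "server certificate SAN does not cover the host we connected to")
    return Diagnosis("unknown", "not a certificate alert; inspect the full traceback")


def make_demo_cert_dir():
    """Create a throwaway directory holding placeholder ca/cert/key files.

    Constructed for this demo only: the contents are not PEM and must never be
    handed to a TLS stack; they exist so the path plumbing can run offline.
    """
    d = Path(tempfile.mkdtemp(prefix="docker-tls-demo-"))
    for name in TLS_FILES:
        (d / name).write_text(f"# placeholder for {name}\n")
    return d


if __name__ == "__main__":
    print("requests kwargs:", docker_tls_kwargs(make_demo_cert_dir()))
    # Copies of the two error shapes discussed on this page.
    print(classify_tls_error("[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2627)"))
    print(classify_tls_error("[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate"))
```

With a real directory, requests.get('https://docker.local:2376', **docker_tls_kwargs()) sends the client certificate on the handshake, which is the fix the accepted answer gives; with REQUESTS_CA_BUNDLE alone you only ever influence the verify= side, which is why setting it changed nothing in the thread.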