Python 请求 SSL 错误 - 证书验证失败
问题描述
这段代码
导入请求requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")
给我这个错误
[SSL: CERTIFICATE_VERIFY_FAILED] 证书验证失败 (_ssl.c:777)
我对 SSL 几乎一无所知,但我尝试下载站点的证书并使用 verify
选项指向该文件,但没有成功.我错过了什么吗?
正如评论中已经指出的那样:从 SSLLabs 报告.这份报告中关于您的问题的主要部分是:
<块引用>此服务器的证书链不完整.等级上限为 B.
这意味着服务器没有发送验证证书所需的完整证书链.这意味着您需要在验证时自己添加缺少的证书.为此,您需要包含缺失链证书的 PEM C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA 以及根 CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA info a file my_trust_store.pem
然后您可以调用:
requests.get("https://...", verify='my_trust_store.pem')
<块引用>
...但我已尝试下载该站点的证书并使用验证选项指向该文件
这不适用于普通的叶子证书.由于 Python 的 SSL 堆栈基于 OpenSSL,而 OpenSSL 只需要信任库中的受信任证书颁发机构(即使用 verify
给出)并且服务器证书不是 CA 证书,因此将其添加到信任库.
This code
import requests
requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")
is giving me this error
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)
I know practically nothing about SSL, but I've tried downloading the site's certificate and pointing to that file using the verify
option, but it hasn't worked. Am I missing something?
As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:
This server's certificate chain is incomplete. Grade capped to B.
This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA info a file my_trust_store.pem
and then you can call:
requests.get("https://...", verify='my_trust_store.pem')
... but I've tried downloading the site's certificate and pointing to that file using the verify option
This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify
) and a server certificate is not CA certificate it will not help to add it to the trust store.
相关文章