How to make pip trust a manually added CA
I'm trying to install awscli using pip on a machine behind a corporate proxy using Zscaler.
I know the proxy is setting its own SSL/TLS certificate, which I've already added through update-ca-trust, and I believe it has done it correctly, as things like curl or openssl report a successful connection:
Here's curl downloading a file from pythonhosted (I took the path from the verbose output of pip when installing awscli):
curl https://files.pythonhosted.org/packages/23/51/727b969318e41d1fa5483411d33bea612a219a13b4e009b2650951718ddf/awscli-1.22.99-py3-none-any.whl -o test -vvv
...
* Server certificate:
* subject: CN=*.pythonhosted.org
* start date: Apr 16 05:23:51 2022 GMT
* expire date: Apr 30 05:23:51 2022 GMT
* common name: *.pythonhosted.org
* issuer: CN="Zscaler Intermediate Root CA (zscaler.net) (t) ",OU=Zscaler Inc.,O=Zscaler Inc.,ST=California,C=US
...
data
...
Here's openssl output
openssl s_client -connect files.pythonhosted.org:443
CONNECTED(00000003)
depth=3 C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = [email protected]
verify return:1
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscaler.net), emailAddress = [email protected]
verify return:1
depth=1 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = "Zscaler Intermediate Root CA (zscaler.net) (t) "
verify return:1
depth=0 CN = r.shared-319-default.ssl.fastly.net
verify return:1
---
Certificate chain
0 s:/CN=r.shared-319-default.ssl.fastly.net
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscaler.net) (t)
1 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscaler.net) (t)
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscaler.net)/[email protected]
2 s:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscaler.net)/[email protected]
i:/C=US/ST=California/L=San Jose/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Root CA/[email protected]
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: ADE0E7C5AC943FC27E00383810F13A0CE78DF45B268D050A5015E50C1A6F316E
Session-ID-ctx:
Master-Key: CF3552DAAB06FC3C97713DD1D4AE2872317F64C483720CB5ABFDA2C8F0B4FBB37CEB33F26338F1AA5E7F3182A5040480
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1650578618
Timeout : 300 (sec)
Verify return code: 0 (ok)
I'm trying to avoid using a trusted-host or disabling SSL verification.
Is there any way to fix this or troubleshoot this further?
I'm using
pip 21.3.1 from /usr/local/lib/python3.6/site-packages/pip (python 3.6)
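
Added example, not part of the original question and not pip's own code: at pip 21.3.1, as in the question, pip verifies TLS against the certifi bundle vendored inside pip unless a `cert` setting overrides it, so a CA installed with update-ca-trust is visible to OpenSSL but not to pip. The sketch below models pip's documented option precedence (command line, then environment, then config file); `resolve_pip_cert`, `pip_vendored_bundle` and `system_bundle` are hypothetical helper names.

```python
import configparser
import os
import ssl
import sys


def pip_vendored_bundle():
    """Path of the certifi bundle shipped inside pip, or None if pip is not importable."""
    try:
        from pip._vendor import certifi
    except ImportError:
        return None
    return certifi.where()


def system_bundle():
    """CA file that Python's ssl module (OpenSSL defaults) loads on this host."""
    paths = ssl.get_default_verify_paths()
    return paths.cafile or paths.openssl_cafile


def resolve_pip_cert(argv, env, pip_conf_text=""):
    """Return (source, path) of the CA bundle pip would verify against.

    Precedence modelled here: --cert on the command line, then PIP_CERT,
    then `cert` under [global] in a pip config file, then the vendored bundle.
    """
    for i, arg in enumerate(argv):
        if arg.startswith("--cert="):
            return "command line", arg.split("=", 1)[1]
        if arg == "--cert" and i + 1 < len(argv):
            return "command line", argv[i + 1]
    if env.get("PIP_CERT"):
        return "PIP_CERT", env["PIP_CERT"]
    conf = configparser.RawConfigParser()
    conf.read_string(pip_conf_text)
    if conf.has_option("global", "cert"):
        return "pip.conf [global]", conf.get("global", "cert")
    return "vendored certifi", pip_vendored_bundle()


if __name__ == "__main__":
    # Pass the path of a pip config file as the first argument, if there is one.
    conf_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ""
    source, path = resolve_pip_cert(sys.argv[2:], os.environ, conf_text)
    print("pip verifies against:", path, "(from %s)" % source)
    print("system trust store  :", system_bundle())
```

If the source is the vendored bundle, the CA added with update-ca-trust is never consulted by pip; pointing `pip config set global.cert` or `PIP_CERT` at the system bundle keeps certificate verification enabled without resorting to trusted-host.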