Python Requests SSL error - certificate verify failed
This code
import requests
requests.get("https://hcaidcs.phe.org.uk/WebPages/GeneralHomePage.aspx")
is giving me this error
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)
I know practically nothing about SSL, but I've tried downloading the site's certificate and pointing to that file using the verify option, but it hasn't worked. Am I missing something?
As already pointed out in a comment: the site has a bad SSL implementation as can be seen from the SSLLabs report. The main part of this report regarding your problem is:
This means that the server is not sending the full certificate chain as is needed to verify the certificate. This means you need to add the missing certificates yourself when validating. For this you need to include the PEM for the missing chain certificate C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA and also for the root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA into a file my_trust_store.pem and then you can call:
This will not work with normal leaf certificates. Since the SSL stack of Python is based on OpenSSL and OpenSSL expects only trusted certificate authorities in the trust store (i.e. given with verify) and a server certificate is not a CA certificate it will not help to add it to the trust store.
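As an added example (not code from the answer above or from the requests project), the following standard-library check applies the answer's rule that only CA certificates belong in the file given to verify: it reads each PEM certificate's basicConstraints extension and keeps only those marked as a CA. The function names and the sample certificates are constructed for illustration; the samples are structural stand-ins, not real certificates.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def tlv(buf, pos=0):
    """Read one DER element; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def is_ca(der):
    """True if the certificate has basicConstraints with cA=TRUE (v1 certs report False)."""
    tbs = children(tlv(der)[1])[0][1]                    # Certificate -> tbsCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                                  # [3] EXPLICIT extensions
            continue
        for _, ext in children(tlv(val)[1]):             # SEQUENCE OF Extension
            fields = children(ext)                       # OID, [critical], OCTET STRING
            if fields[0][1] == BASIC_CONSTRAINTS:
                inner = children(tlv(fields[-1][1])[1])  # BasicConstraints SEQUENCE
                return bool(inner) and inner[0] == (0x01, b"\xff")
    return False

def build_trust_store(pem_text):
    """Return (bundle, rejected): the bundle keeps only CA certificates."""
    bodies = PEM_RE.findall(pem_text)
    kept = [b for b in bodies if is_ca(base64.b64decode(b))]
    bundle = "".join(f"-----BEGIN CERTIFICATE-----{b}-----END CERTIFICATE-----\n" for b in kept)
    return bundle, len(bodies) - len(kept)

def enc(tag, body):  # sample helper: short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_pem(ca):  # constructed, structurally minimal stand-in, not a real certificate
    bc = enc(0x30, enc(0x01, b"\xff") if ca else b"")
    ext = enc(0x30, enc(0x06, BASIC_CONSTRAINTS) + enc(0x04, bc))
    tbs = enc(0x30, enc(0x02, b"\x01") + enc(0xA3, enc(0x30, ext)))
    der = enc(0x30, tbs + enc(0x30, b"") + enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
```

Write the returned bundle to my_trust_store.pem and pass that path as verify; a non-zero rejected count means a leaf certificate was among the inputs.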
This should solve the problem if your network requires a CA
Using the certifi doesn't seem to be implied, so I'll show you what made my solution:
I found this solution and more on RealPython, here
If you can avoid the certificate verification (not secure), set PYTHONHTTPSVERIFY environment variable to 0:
This will skip the certificate verification.
You should write it like this, and I've verified it