Python SSL requests and Let's Encrypt certs

霸气de小男生 submitted on 2019-12-19 00:19:34

Question


I'm struggling at the moment to get the requests library to perform a simple GET request to a site of mine with a Let's Encrypt certificate. All's well with the site and I can access it from Chrome just fine. (I'm running OSX El Capitan at the moment).

First I tried doing a GET request to the site:

>>> import requests
>>> requests.get('https://example.com')

This gives me:

requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

I then tried various things, including getting hold of the Let's Encrypt authority certificate, and the following openssl command verifies my site's certificate successfully:

> openssl s_client -CAfile ./letsencryptauthorityx1.pem -connect example.com:443

The output of which included the following towards the bottom:

...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: ...
    Session-ID-ctx: 
    Master-Key: ...
    Key-Arg   : None
    Start Time: 1452865123
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Perhaps I'm missing something here, but it looks to me as though my site's been verified according to the Let's Encrypt authority certificate I supplied. So, I happily changed my Python code to:

>>> requests.get('https://example.com', verify='./letsencryptauthorityx1.pem')

But I still keep getting the requests.exceptions.SSLError error. I've also tried using the DER format of the authority certificate, but then I get the following error from requests:

requests.exceptions.SSLError: unknown error (_ssl.c:2825)

Can anybody perhaps educate me as to how to go about fixing this?


Answer 1:


Sounds like your CA CERTS on the machine are not up to date or the web server is not configured to serve the full certificate chain.




Answer 2:


On OSX you can export all the certs in your keychain access to a .pem file and then point requests to that file: http://movingpackets.net/2015/03/18/telling-openssl-about-your-root-certificates/

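import requests
CA_BUNDLE = 'path_to_your_exported_file.pem'  # the .pem file exported from Keychain Access
response = requests.get(user_account_url, verify=CA_BUNDLE)  # user_account_url: the HTTPS URL being requested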



Answer 3:


For any lost soul that stumbled upon this post while looking for a Windows Fix for this issue.

Using Chrome:

  1. Open the URL using HTTPS.
  2. On the address bar click where it says "Secure".
  3. Click on certificate.
  4. Go to the "Certification Path" tab.
  5. Select "Let's Encrypt Authority X3" (Go up one level) then click "View Certificate".
  6. Go to the "Details" tab and click "Export to File".
  7. On the Wizard click next and select "Base-64 encoded X.509 (.CER)", click next again.
  8. Select a folder and name for the file (Remember this directory).
  9. Go to that folder and right click the certificate and click "Install Certificate".
  10. Select Local Machine (Requires Admin Rights), click next.
  11. Select "Automatically select the certificate store..." (Default), click next.
  12. Click Finish.
  13. Run your Python Script again.

Disclaimer: Using Chrome 67.0.3396.99 with Windows 10 64-Bit.
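
Added example, not part of the original question or answers: `verify=` takes a PEM-format CA bundle, which is why the question's DER attempt fails and why Answers 2 and 3 both end with an exported certificate file. This sketch merges PEM, Base-64 .CER and DER exports into one de-duplicated PEM bundle; the function names, file names and placeholder bytes are assumptions made for illustration.

```python
import re
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def extract_der(data):
    """Return each certificate found in `data` (bytes) as DER bytes.

    PEM input, including a Windows "Base-64 encoded X.509 (.CER)" export,
    may hold several certificates; anything else must be a single DER
    certificate, which always starts with an ASN.1 SEQUENCE tag (0x30).
    """
    text = data.decode("ascii", errors="ignore")
    blocks = PEM_BLOCK.findall(text)
    if blocks:
        return [ssl.PEM_cert_to_DER_cert(b) for b in blocks]
    if data[:1] != b"\x30":
        raise ValueError("not PEM or DER certificate data")
    return [data]

def build_bundle(sources, out_path):
    """Merge certificate files into one de-duplicated PEM bundle.

    Returns the number of certificates written to `out_path`.
    """
    seen = []
    for src in sources:
        for der in extract_der(Path(src).read_bytes()):
            if der not in seen:  # same cert exported twice: keep one copy
                seen.append(der)
    pem = "".join(ssl.DER_cert_to_PEM_cert(d) for d in seen)
    Path(out_path).write_text(pem, encoding="ascii")
    return len(seen)

# Constructed placeholder bytes, NOT real certificates: they only exercise
# the format handling. Real use passes your exported CA files instead.
FAKE_INTERMEDIATE = b"\x30\x82\x01\x0a" + b"intermediate-placeholder" * 4
FAKE_ROOT = b"\x30\x82\x01\x0a" + b"root-placeholder" * 4

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        der_file = Path(tmp, "intermediate.der")
        der_file.write_bytes(FAKE_INTERMEDIATE)
        pem_file = Path(tmp, "roots.pem")
        pem_file.write_text(ssl.DER_cert_to_PEM_cert(FAKE_ROOT)
                            + ssl.DER_cert_to_PEM_cert(FAKE_INTERMEDIATE))
        bundle = Path(tmp, "ca_bundle.pem")
        print(build_bundle([der_file, pem_file], bundle), "certificates")
```

With real exports, pass the resulting bundle path as `verify=` in `requests.get`, as in Answer 2.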



Source: https://stackoverflow.com/questions/34812787/python-ssl-requests-and-lets-encrypt-certs
