Python ca-certificates Mac OS X
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/24675167/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
ca-certificates Mac OS X
提问by Enrico Pirani
I need to install offlineimap and mu4e on emacs. Problem is configuration. When I run offlineimap I get :
我需要在 emacs 上安装 offlineimap 和 mu4e。问题是配置。当我运行 offlineimap 时,我得到:
OfflineIMAP 6.5.5
Licensed under the GNU GPL v2+ (v2 or any later version)
Thread 'Account sync Gmail' terminated with exception:
Traceback (most recent call last):
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/threadutil.py", line 158, in run
Thread.run(self)
File "/anaconda/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/accounts.py", line 226, in syncrunner
self.remoterepos = Repository(self, 'remote')
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/__init__.py", line 78, in __new__
return repo(name, account)
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/Gmail.py", line 37, in __init__
IMAPRepository.__init__(self, reposname, account)
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/IMAP.py", line 34, in __init__
self.imapserver = imapserver.IMAPServer(self)
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/imapserver.py", line 83, in __init__
self.sslcacertfile = repos.getsslcacertfile()
File "/usr/local/Cellar/offline-imap/6.5.6/libexec/offlineimap/repository/IMAP.py", line 211, in getsslcacertfile
% (self.name, cacertfile))
SyntaxWarning: CA certfile for repository 'Remote' could not be found. No such file: '/usr/share/curl/ca-bundle.crt.original'
Last 2 debug messages logged for Account sync Gmail prior to exception:
thread: Register new thread 'Account sync Gmail' (account 'Gmail')
imap: Using authentication mechanisms ['GSSAPI', 'CRAM-MD5', 'PLAIN', 'LOGIN']
This is my .offlineimaprc
这是我的 .offlineimaprc
[general]
accounts = Gmail
maxsyncaccounts = 1
pythonfile = ~/.offlineimap.py
[Account Gmail]
localrepository = Local
remoterepository = Remote
[Repository Local]
type = Maildir
localfolders = ~/Maildir
[Repository Remote]
type = Gmail
remoteuser = [email protected]
remotepasseval = get_password_emacs("imap.gmail.com", "[email protected]", "993")
realdelete = no
folderfilter = lambda foldername: foldername not in ['[Gmail]/Spam', '[Gmail]/All Mail', '[Gmail]/Starred', '[Gmail]/Important']
holdconnectionopen = true
keepalive = 60
sslcacertfile = /usr/share/curl/ca-bundle.crt.original #??
There is a problem with python install and one with the CA certificate. Point is there no any curl-ca-bundle brew package. I there any other way to install a certificate ?
python安装有问题,CA证书有问题。重点是没有任何 curl-ca-bundle brew 包。我还有其他方法可以安装证书吗?
回答by lunaryorn
There is usually no CA certificate bundle on OS X, because SSL libraries typically use Apple's Security Framework internally and obtain certificates from Keychain.
OS X 上通常没有 CA 证书包,因为 SSL 库通常在内部使用 Apple 的安全框架并从 Keychain 获取证书。
You can create your own bundle from Keychain certificates, though: Open Keychain, navigate to the “Certificates” category in the “System Roots” keychain, and press Command+Shift+E (“Export items”), to save all certificates. I think that Python can handle the PEM format, so be sure to select that.
不过,您可以从钥匙串证书创建自己的包:打开钥匙串,导航到“系统根”钥匙串中的“证书”类别,然后按 Command+Shift+E(“导出项目”),以保存所有证书。我认为 Python 可以处理 PEM 格式,所以一定要选择它。
Alternatively, on OS X 10.6 and newer, the system Python is build against an OpenSSL version which alwayslooks into Keychain as well. Hence, you can create a dummy bundle that only contains a dummy self-signed certification, and use that in your configuration to make OfflineIMAP shut up. It'll look into the Keychain certificates anyway.
或者,在 OS X 10.6 和更新版本上,系统 Python 是针对 OpenSSL 版本构建的,该版本也始终查看 Keychain。因此,您可以创建一个仅包含虚拟自签名证书的虚拟包,并在您的配置中使用它来关闭 OfflineIMAP。无论如何,它都会查看钥匙串证书。
See https://www.mercurial-scm.org/wiki/CACertificates#Mac_OS_X_10.6_and_higherfor details.
有关详细信息,请参阅https://www.mercurial-scm.org/wiki/CACertificates#Mac_OS_X_10.6_and_higher。
回答by user1248490
I had a similar problem (on MacOS 10.10.2, openssl 1.0.2 and offlineimap 6.5.5 both from homebrew) and couldn't get the dummy certificate solution to work. However, I found a certfile that makes offlineimap stop complaining in /usr/local/etc/openssl/cert.pem(which is put there during the installation of openssl through homebrew, brew info openssltells me). Caveat: I don't know whether this is a good or safe way to do this.
我有一个类似的问题(在 MacOS 10.10.2、openssl 1.0.2 和 offlineimap 6.5.5 都来自自制软件)并且无法让虚拟证书解决方案工作。但是,我发现了一个使 offlineimap 停止抱怨的证书文件/usr/local/etc/openssl/cert.pem(brew info openssl告诉我,它是在通过自制软件安装 openssl 期间放置在那里的)。警告:我不知道这是否是一个好的或安全的方法。
回答by Patrick Sanan
A simple way to proceed is to use the curl certificate bundle. I use MacPorts, so this was obtained with
一个简单的方法是使用 curl 证书包。我使用 MacPorts,所以这是通过
sudo port install curl-ca-bundle
You can then run port contents curl-ca-bundleto see what it installed,
and then add the following to ~/.offlineimaprcin the section for your remote account
然后您可以运行port contents curl-ca-bundle以查看它安装了什么,然后将以下内容添加到~/.offlineimaprc您的远程帐户部分
sslcacertfile =/opt/local/share/curl/curl-ca-bundle.crt
Note that this will also put a link to these certificates as /opt/local/etc/openssl/cert.pem.
请注意,这也会将这些证书的链接作为/opt/local/etc/openssl/cert.pem.
回答by Alex Nibley
I had success on a Mac running 10.6 where I prefer the Homebrew ecosystem by using @patrick-sanan's answer and then symlinking in the Macports ecosystem version of cert.pem:
我在运行 10.6 的 Mac 上取得了成功,我更喜欢 Homebrew 生态系统,方法是使用 @patrick-sanan 的答案,然后在 cert.pem 的 Macports 生态系统版本中进行符号链接:
sudo rm /usr/local/etc/openssl
sudo ln -s /opt/local/etc/openssl/cert.pem /usr/local/etc/openssl
回答by Wood Guardian
This could happen if you have multiple installations of openssl (say v1.0.2 and 1.1.1). If they were both installed by brewat some point in time, you'll have to uninstall both of them to remove the conflict
如果您安装了多个 openssl(比如 v1.0.2 和 1.1.1),就会发生这种情况。如果它们都是brew在某个时间点安装的,则必须同时卸载它们以消除冲突
brew uninstall --ignore-dependencies --force [email protected]
brew uninstall --ignore-dependencies --force openssl
And the reinstall one of them, like
并重新安装其中之一,例如
brew install [email protected]
Hope this works!
希望这有效!
回答by vimal kumar
I ran the above command given by @wood-guardian and then ran to fix the issue.
我运行了@wood-guardian 给出的上述命令,然后运行以解决问题。
ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"
ruby -ropenssl -e "p OpenSSL::X509::DEFAULT_CERT_FILE"
export the result of above statement to SSL_CERT_FILE env variable
将上述语句的结果导出到 SSL_CERT_FILE 环境变量
export SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem
导出 SSL_CERT_FILE=/usr/local/etc/openssl/cert.pem
