Note: this page is a translated copy of a StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Original question: http://stackoverflow.com/questions/39356413/
How to add a custom CA Root certificate to the CA Store used by pip in Windows?
Asked by Eric B.
I just installed Python3 from python.org and am having trouble installing packages with pip. By design, there is a man-in-the-middle packet inspection appliance on the network here that inspects all packets (ssl included) by re-signing all ssl connections with its own certificate. Part of the GPO pushes the custom root certificate into the Windows Keystore.
When using Java, if I need to access any external https sites, I need to manually update the cacerts in the JVM to trust the Self-Signed CA certificate.
How do I accomplish that for python? Right now, when I try to install packages using pip, understandably, I get wonderful [SSL: CERTIFICATE_VERIFY_FAILED] errors.
I realize I can ignore them using the --trusted-host parameter, but I don't want to do that for every package I'm trying to install.
Is there a way to update the CA Certificate store that python uses?
Answered by Josh Peak
Self-Signed Certificate Authorities pip / conda
After extensively documenting a similar problem with Git (How can I make git accept a self signed certificate?), here we are again behind a corporate firewall with a proxy giving us a MitM "attack" that we should trust and:
NEVER disable all SSL verification!
This creates a bad security culture. Don't be that person.
tl;dr
pip config set global.cert path/to/ca-bundle.crt
pip config list
conda config --set ssl_verify path/to/ca-bundle.crt
conda config --show ssl_verify
# Bonus while we are here...
git config --global http.sslVerify true
git config --global http.sslCAInfo path/to/ca-bundle.crt
But where do we get ca-bundle.crt?
Get an up to date CA Bundle
cURL publishes an extract of the Certificate Authorities bundled with Mozilla Firefox
https://curl.haxx.se/docs/caextract.html
I recommend you open up this cacert.pem file in a text editor as we will need to add our self-signed CA to this file.
Certificates are a document complying with X.509 but they can be encoded to disk a few ways. The below article is a good read but the short version is that we are dealing with the base64 encoding which is often called PEM in the file extensions. You will see it has the format:
-----BEGIN CERTIFICATE-----
....
base64 encoded binary data
....
-----END CERTIFICATE-----
Getting our Self Signed Certificate
Below are a few options on how to get our self signed certificate:
- Via OpenSSL CLI
- Via Browser
- Via Python Scripting
Get our Self-Signed Certificate by OpenSSL CLI
echo quit | openssl s_client -showcerts -servername "curl.haxx.se" -connect curl.haxx.se:443 > cacert.pem
Get our Self-Signed Certificate Authority via Browser
- Acquiring your CA: https://stackoverflow.com/a/50486128/622276
Thanks to this answer and the linked blog, it shows steps (on Windows) how to view the certificate and then copy to file using the base64 PEM encoding option.
Copy the contents of this exported file and paste it at the end of your cacerts.pem file.
For consistency rename this file cacerts.pem --> ca-bundle.crt and place it somewhere easy like:
# Windows
%USERPROFILE%\certs\ca-bundle.crt
# or *nix
$HOME/certs/ca-bundle.crt
Get our Self-Signed Certificate Authority via Python
Thanks to all the brilliant answers in:
How to get response SSL certificate from requests in python?
I have put together the following to attempt to take it a step further.
https://github.com/neozenith/get-ca-py
Finally
Set the configuration in pip and conda so that it knows where this CA store resides with our extra self-signed CA.
pip config set global.cert %USERPROFILE%\certs\ca-bundle.crt
conda config --set ssl_verify %USERPROFILE%\certs\ca-bundle.crt
OR
pip config set global.cert $HOME/certs/ca-bundle.crt
conda config --set ssl_verify $HOME/certs/ca-bundle.crt
THEN
pip config list
conda config --show ssl_verify
# Hot tip: use -v to show where your pip config file is...
pip config list -v
# Example output for macOS and homebrew installed python
For variant 'global', will try loading '/Library/Application Support/pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.pip/pip.conf'
For variant 'user', will try loading '/Users/jpeak/.config/pip/pip.conf'
For variant 'site', will try loading '/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/pip.conf'
References
- Pip SSL: https://pip.pypa.io/en/stable/user_guide/#configuration
- Conda SSL: https://stackoverflow.com/a/35804869/622276
- Acquiring your CA: https://stackoverflow.com/a/50486128/622276
- Using Python to automatically grab your Peer CA: How to get response SSL certificate from requests in python?
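The "paste it at the end of your cacerts.pem" step above, done safely, as an added Python example that is not code from this answer or from the linked get-ca-py repository: it checks that every block is real PEM armour wrapping DER, skips certificates the bundle already holds, and so can be re-run without growing the file. The two PEM blocks it ships with are constructed stand-ins (a bare DER SEQUENCE), not real certificates; in use, bundle_text is curl's cacert.pem and extra_text is the CA exported from the browser.

```python
import base64
import hashlib
import re
import ssl

# One PEM certificate block; real PEM armour has five dashes on each side.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the DER bytes of every PEM certificate block in text.
    Comment lines between blocks (as in curl's cacert.pem) are ignored; a body
    that is not valid base64, or does not begin with the DER SEQUENCE tag
    (0x30) that every X.509 certificate starts with, raises ValueError."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError("malformed base64 in PEM block") from exc
        if not der or der[0] != 0x30:
            raise ValueError("PEM body is not DER-encoded X.509")
        ders.append(der)
    return ders


def merge_bundle(bundle_text, extra_text):
    """Append the certificates in extra_text that bundle_text does not already
    hold (compared by SHA-256 of the DER, the fingerprint browsers display).
    Returns (merged_text, number_added); re-running it adds nothing."""
    seen = {hashlib.sha256(d).hexdigest() for d in pem_blocks(bundle_text)}
    merged, added = bundle_text, 0
    for der in pem_blocks(extra_text):
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:
            continue
        seen.add(fp)
        if merged and not merged.endswith("\n"):
            merged += "\n"
        merged += ssl.DER_cert_to_PEM_cert(der)  # re-wraps base64 at 64 cols
        added += 1
    return merged, added


# Constructed stand-ins for DER certificates (a DER INTEGER inside a SEQUENCE):
# they satisfy the framing checks above but are not real X.509 certificates.
PUBLIC_BUNDLE = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x01")   # "cacert.pem"
CORPORATE_CA_PEM = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x02")  # exported CA
```

Write the merged text to ca-bundle.crt and point pip at it with pip config set global.cert as the answer shows; ssl.create_default_context().load_verify_locations(cafile=...) is a quick way to confirm OpenSSL accepts the file before pip has to.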
Answered by rfkortekaas
Run: python -c "import ssl; print(ssl.get_default_verify_paths())" to check the current paths which are used to verify the certificate. Add your company's root certificate to one of those.
The path openssl_capath_env points to the environment variable: SSL_CERT_DIR.
If SSL_CERT_DIR doesn't exist, you will need to create it and point it to a valid folder within your filesystem. You can then add your certificate to this folder to use it.
Answered by aturegano
Not best answer but you can reuse an already created ca bundle using the --cert option of pip, for instance:
pip install SQLAlchemy==1.1.15 --cert="C:\Users\myUser\certificates\my_ca-bundle.crt"
Answered by Alex
On Windows, I solved it by creating a pip.ini file in %APPDATA%\pip\
e.g. C:\Users\asmith\AppData\Roaming\pip\pip.ini
In the pip.ini I put the path to my certificate:
[global]
cert=C:\Users\asmith\SSL\teco-ca.crt
https://pip.pypa.io/en/stable/user_guide/#configuration has more information about the configuration file.
Answered by itsergiu
Open Anaconda Navigator.
Go to File\Preferences.
Enable SSL verification Disable (not recommended)
or Enable and indicate SSL certificate path (Optional)
Update a package to a specific version:
Select Install on Top-Right
Select package click on tick
Mark for update
Mark for specific version installation
Click Apply