我一直在使用 Python 请求库来抓取网站一段时间了,但该网站最近更改了 SSL 证书,新证书不会验证请求。
根据对类似问题的回答,我将请求和urllib3更新到最新版本(2.4.3和1.9.1),并手动将CA证书添加到请求的cacert.pem(/usr/local/lib/python2.7/dist-packages/requests/cacert.pem)。
我可以成功地将这个cacert.pem文件与curl一起使用,但仍然不能与请求一起使用:
> curl --head --cacert /usr/local/lib/python2.7/dist-packages/requests/cacert.pem
https://jordan-cu.org
HTTP/1.1 200 OK
Date: Thu, 20 Nov 2014 16:21:28 GMT
Server: Apache
X-Pingback: https://jordan-cu.org/xmlrpc.php
Link: <https://jordan-cu.org/>; rel=shortlink
X-Powered-By: PleskLin
Content-Type: text/html; charset=UTF-8
> python
Python 2.7.4 (default, Sep 26 2013, 03:20:26)
[GCC 4.7.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> requests.get('https://jordan-cu.org')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 60, in get
return request('get', url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 49, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 569, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line 420, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
我不确定在这一点上还能尝试什么。任何帮助不胜感激!
你需要安装 pyopenssl 和 ndg-httpsclient
有关更多详细信息,请参阅将请求与 TLS 配合使用不会提供 SNI 支持
Python2 不支持 SNI,请求在这方面没有帮助,请参阅 http://docs.python-requests.org/en/latest/community/faq/。但是,如果在没有 SNI 的情况下访问,服务器将返回自签名证书:
$ openssl s_client -connect jordan-cu.org:443 | openssl x509 -text -noout
...
Issuer: C=US, ST=Virginia, L=Herndon, O=Parallels, OU=Parallels Panel, CN=Parallels Panel/emailAddress=info@parallels.com
...
Subject: C=US, ST=Virginia, L=Herndon, O=Parallels, OU=Parallels Panel, CN=Parallels Panel/emailAddress=info@parallels.com
如果有人使用 SNI 访问服务器,它会返回由公共 CA 签名的证书:
$ openssl s_client -connect jordan-cu.org:443 -servername jordan-cu.org | openssl x509 -text -noout
...
Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
...
Subject: ... CN=*.jordan-cu.org
因为 Python2 在没有 SNI 的情况下进行 TLS 连接,所以您将获得自签名证书,当然无法根据cacert.pem进行验证,因此您可以获得certificate verify failed。
修复:升级到支持 SNI 的 Python3。
您需要创建一个包含整个证书链的 PEM 文件。您的证书 + 中间证书 + 根证书。