I am running a Docker daemon protected by a locally generated SSL certificate. Docker connects to the server without any problem. When I try to connect with the requests module, I get a verification error:
>>> import requests
>>> requests.get('https://docker.local:2376')
Traceback (most recent call last):
[...]
File "/usr/lib64/python3.9/ssl.py", line 1099, in read
return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2627)
The error gives no more detail than "bad certificate". To be sure, I tried pointing requests explicitly at the same CA file that Docker uses, but I got the same error:
>>> import requests
>>> s = requests.Session()
>>> s.verify = '/home/buzzword/.docker/ca.pem'
>>> s.get('https://docker.local:2376')
Traceback (most recent call last):
[...]
File "/usr/lib64/python3.9/ssl.py", line 1099, in read
return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2627)
If I fetch the certificate with openssl, I also see some errors:
$ openssl s_client -connect docker.local:2376 > docker.crt
depth=1 ...
verify return:1
depth=0 CN = docker.local
verify return:1
140520382674752:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1543:SSL alert number 42
However, if I verify the certificate explicitly with the openssl verify command, it returns successfully:
$ openssl verify docker.crt
docker.crt: OK
Why are docker and openssl verify happy, while requests and openssl s_client are not?
This is what openssl x509 ... says about the certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8238984585537887426 (0x7256c0d41ae79cc2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
Validity
Not Before: Jan 30 21:57:00 2021 GMT
Not After : Jan 9 13:05:00 2030 GMT
Subject: CN = docker.local
[...]
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
56:AC:73:3C:92:87:8F:F2:30:F6:6A:10:14:3E:8B:7F:B7:CD:0C:AD
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:docker.local
Netscape Cert Type:
SSL Server
Netscape Comment:
xca certificate
The certificate of the signing authority is available in /etc/pki/tls/certs/ca-bundle.crt and looks like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5876977844214468982 (0x518f3836353e9176)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
Validity
Not Before: Jan 9 13:05:00 2020 GMT
Not After : Jan 9 13:05:00 2030 GMT
Subject: C = US, ST = XX, L = YY, O = My Organization, OU = Certificate Authority
[...]
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
3F:62:D2:9A:65:37:91:E1:42:79:16:28:E7:A6:89:45:C5:01:4D:EB
X509v3 Key Usage:
Certificate Sign, CRL Sign
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
Netscape Comment:
xca certificate
Posted on 2021-04-27 03:47:31
The "bad certificate" error means that your server expects your client to authenticate with its own certificate, but you did not provide one when calling requests.get. You want something like this:
>>> requests.get(
... 'https://docker.local:2376',
... cert=['/home/buzzword/.docker/cert.pem', '/home/buzzword/.docker/key.pem']
... )
(assuming cert.pem and key.pem are in the ~/.docker directory)
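As an added example (not code from the question or the answer), here is a standard-library client that does what the answer describes and also classifies the handshake error, so that a "bad certificate" alert sent by the daemon is not confused with the client rejecting the daemon's certificate. It assumes the ~/.docker layout above (ca.pem, cert.pem, key.pem), the host and port from the question, and the Docker Engine API's GET /_ping endpoint.

```python
import http.client
import ssl
from pathlib import Path

# Assumed layout, as in the answer: ~/.docker/{ca.pem,cert.pem,key.pem}
CERT_DIR = Path.home() / ".docker"


def docker_tls_context(cert_dir: Path = CERT_DIR) -> ssl.SSLContext:
    """Equivalent of requests' verify=ca.pem plus cert=(cert.pem, key.pem)."""
    # Trust only the local CA that signed the daemon's certificate;
    # hostname checking stays on, so the SAN DNS:docker.local must match.
    ctx = ssl.create_default_context(cafile=str(cert_dir / "ca.pem"))
    # Present our own certificate when the daemon asks for one (mutual TLS).
    ctx.load_cert_chain(certfile=str(cert_dir / "cert.pem"),
                        keyfile=str(cert_dir / "key.pem"))
    return ctx


def classify_ssl_error(err) -> str:
    """Say which side rejected which certificate; err is an ssl.SSLError
    (or just its message string) and is matched on the OpenSSL reason."""
    text = str(err)
    if "BAD_CERTIFICATE" in text or "alert bad certificate" in text:
        # TLS alert 42 came *from the peer*: the daemon did not accept
        # (or did not receive) a client certificate from us.
        return "server rejected client certificate"
    if "CERTIFICATE_VERIFY_FAILED" in text:
        # Our own verification failed: wrong CA bundle or hostname mismatch.
        return "client rejected server certificate"
    if "UNKNOWN_CA" in text:
        return "peer does not trust the CA"
    return "other TLS failure"


def ping_daemon(host: str = "docker.local", port: int = 2376,
                cert_dir: Path = CERT_DIR):
    """GET /_ping over mutual TLS; returns (status, detail)."""
    conn = http.client.HTTPSConnection(host, port, timeout=5,
                                       context=docker_tls_context(cert_dir))
    try:
        conn.request("GET", "/_ping")
        resp = conn.getresponse()
        return ("ok", resp.status)
    except ssl.SSLError as err:
        return ("ssl-error", classify_ssl_error(err))
    finally:
        conn.close()
```

The same applies to the openssl s_client check in the question: without -cert and -key it sends no client certificate, so the daemon answers with the same alert 42.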
https://stackoverflow.com/questions/67273123