SSL: CERTIFICATE_VERIFY_FAILED certificate verify failed: self signed certificate in certificate chain (_ssl.c:992)


Question

I am using Python to make a GET request to the Jira Cloud REST API to get details of an issue, but I am getting this SSL verification failed error message. I am using this script:

```python
import requests
import json

url = "https://your-domain.atlassian.net/rest/agile/1.0/issue/{issueIdOrKey}"

headers = {
    "Accept": "application/json",
    "Authorization": "Bearer <access_token>"
}

response = requests.request(
    "GET",
    url,
    headers=headers
)

print(json.dumps(json.loads(response.text), sort_keys=True, indent=4, separators=(",", ": ")))
```

Error message:

> requests.exceptions.SSLError:
> HTTPSConnectionPool('host=your-domain.atlasian.net', port=443): Max
> retries exceeded with url: /rest/agile/1.0/issue/{issueIdOrKey}
> (caused by SSLError(SSLCertVerificationError(1, '[SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed : self signed
> certificate in certificate chain (_ssl.c:992)')))

Please suggest possible ways to resolve this issue.
Thank you!


Answer 1

Score: 1

`self signed certificate in certificate chain` means that certificate chain validation has failed. Your script does not trust the certificate or one of its issuers. For more information see Beginning with SSL for a Platform Engineer.

The answer from Tzane had most of what you need. But it looks like you also might want to know WHAT certificate to add.

So, first get the CA certificate, and any intermediate certs, by running the following on a command line:

```bash
openssl s_client -connect your-name.atlassian.net:443 -showcerts
```

In the output there is a block that starts with `Certificate chain`. The output I got from Atlassian.net had only a server cert and CA cert.

There are blocks of output that start with

`-----BEGIN CERTIFICATE-----`

and end with

`-----END CERTIFICATE-----`

These blocks, including the lines I just showed, are a certificate.
Copy the last certificate and create a pem file, e.g. `ca-root.pem`. Place this in the same directory as your Python file and then update your requests block to be:

```python
verify = "ca-root.pem"

response = requests.request(
    "GET",
    url,
    headers=headers,
    verify=verify
)
```

Hope this helps.

----- UPDATE -----

Using the domain you provided, msci.atlassian.net, I have the CA cert provided at this time by Digital Cert.


Answer 2

Score: 0

We had a similar cert issue with another web API that came up randomly on some machines. What we ended up doing is getting the ISRG Root X1 from Let's Encrypt and passing it manually to the request:

```python
verify = "isrgrootx1.pem"

response = requests.request(
    "GET",
    url,
    headers=headers,
    verify=verify
)
```

Answer 3

Score: 0

Getting certificate issues like that (self signed certificate in chain) from such a public website smells like you're behind a corporate proxy. Is that the case?

You can simply check that by connecting to the internet from your home, or a hotspot, without being behind the proxy. If it works, then that's your problem.

You can also debug it further by running `curl -v <URL>`. It will display some additional cert information.

To solve it, you need to trust your company CA certificate so certificates signed by this root CA are trusted. Here's how to do it on Ubuntu:

Importing a company certificate is something the IT department usually helps with. The process is different between OSes, but in general (and I'll give a Linux example below) this is how it goes:

  1. You need to get the root CA certificate. This is the certificate the company signs certificates with. Your IT will probably have it, or know where you can get it from. This is a file with a `.crt` suffix.
  2. You put this file in a designated location, depending on your OS. For Ubuntu this would be `/usr/local/share/ca-certificates`.
  3. Run `sudo update-ca-certificates` to update the OS certificates.

If you're running inside Docker, the process is the same and again, it might be different depending on the OS type.
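An added example (not code from any of the answers): it parses the `Certificate chain` block of the `openssl s_client -showcerts` output described in answer 1 and checks for the proxy case raised in answer 3, by listing self-signed entries and comparing the leaf's issuer with the CA name seen from an unproxied network. `SAMPLE`, `parse_chain`, `diagnose` and every name in the sample are constructed for illustration, and "self-signed" here is a subject/issuer name comparison, not a signature check.

```python
import re

# Constructed `openssl s_client -showcerts` output as it might look behind a
# TLS-inspecting proxy. All names are invented; PEM bodies are placeholders.
SAMPLE = """Certificate chain
 0 s:CN = *.atlassian.net
   i:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Corp Root CA
   i:CN = Example Corp Root CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
---
"""

# One chain entry: "N s:<subject>", "i:<issuer>", optional a:/v: lines
# (printed by OpenSSL 3), then the PEM block.
ENTRY = re.compile(
    r"^ *(\d+) s:(.*)\n *i:(.*)\n(?: +[av]:.*\n)*"
    r"(-----BEGIN CERTIFICATE-----\n(?:.*\n)*?-----END CERTIFICATE-----)",
    re.MULTILINE,
)

def parse_chain(text):
    """Return the certificates the server presented, leaf first."""
    chain = []
    for depth, subject, issuer, pem in ENTRY.findall(text):
        subject, issuer = subject.strip(), issuer.strip()
        # Name comparison only: a heuristic for "self-signed", no signature check.
        chain.append({"depth": int(depth), "subject": subject, "issuer": issuer,
                      "pem": pem, "self_signed": subject == issuer})
    return chain

def diagnose(chain, expected_issuer):
    """Compare the leaf's issuer with the CA name seen from an unproxied network."""
    if not chain:
        raise ValueError("no certificates found in the s_client output")
    leaf = chain[0]
    return {"leaf_issuer": leaf["issuer"],
            "self_signed": [c["subject"] for c in chain if c["self_signed"]],
            "unexpected_issuer": expected_issuer.lower() not in leaf["issuer"].lower()}

if __name__ == "__main__":
    print(diagnose(parse_chain(SAMPLE), expected_issuer="DigiCert"))
```

When `unexpected_issuer` is true, the certificates in that output came from whatever sits in the connection path, so the root to trust should come from IT as answer 3 describes rather than be copied from the same output.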

Answer 4

Score: 0

Are you using YOUR domain name in the request?

From the errors, it looks like you're trying to use the fictitious domains my-domain.atlassian.net and your-domain.atlassian.net in your request.

Answer 5

Score: 0

  1. Try doing `ping <your-domain>.atlassian.net` and ensuring it can get through.
  2. If you're on VPN, try turning it off, because VPN can do self-signed certs that cause all kinds of issues.
  3. Otherwise check out your env variables which are used by Python... attaching a short script we've used when dealing with these issues:

```bash
# Pick a writable location for the exported CA bundle
if [ -w /etc/ssl/certs ]
then
    CERT_PATH=/etc/ssl/certs/certs.pem
else
    CERT_PATH=~/.certs.pem
fi
# Export the certificates in the macOS login keychain as one PEM bundle
security export -t certs -f pemseq -k login.keychain-db -o "$CERT_PATH"
# Point requests at that bundle in future shells (printf: echo does not expand \n in every shell)
printf '\nexport REQUESTS_CA_BUNDLE=%s\n' "$CERT_PATH" >> ~/.bash_profile
printf '\nexport REQUESTS_CA_BUNDLE=%s\n' "$CERT_PATH" >> ~/.zshrc
```

huangapple
  • Posted on 2023-06-29 15:32:27
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76578915.html