英文:
SSL: CERTIFICATE_VERIFY_FAILED certificate verify failed : self signed certificate in certificate chain (_ssl.c:992)
问题
I am using python to make a get request to jira cloud rest api to get details of an issue, but getting this SSL verification failed error message, I am using this script
import requestsimport jsonurl = "https://your-domain.atlassian.net/rest/agile/1.0/issue/{issueIdOrKey}"headers = {"Accept": "application/json","Authorization": "Bearer <access_token>"}response = requests.request("GET",url,headers=headers)print(json.dumps(json.loads(response.text), sort_keys=True, indent=4, separators=(",", ": ")))
error message-
requests.exceptions.SSLError:
HTTPSConnectionPool('host=your-domain.atlasian.net', port=443): Max
retries exceeded with url: /rest/agile/1.0/issue/{issueIdOrKey}
(caused by SSLError(SSLCertVerificationError(1, '[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed : self signed
certificate in certificate chain (_ssl.c:992)')))
Suggest me possible ways to resolve this issue.
Thank you!
英文:
I am using python to make a get request to jira cloud rest api to get details of an issue, but getting this SSL verification failed error message, I am using this script
import requestsimport jsonurl = "https://your-domain.atlassian.net/rest/agile/1.0/issue/{issueIdOrKey}"headers = {"Accept": "application/json","Authorization": "Bearer <access_token>"}response = requests.request("GET",url,headers=headers)print(json.dumps(json.loads(response.text), sort_keys=True, indent=4, separators=(",", ": ")))
error message-
> requests.exceptions.SSLError:
> HTTPSConnectionPool('host=your-domain.atlasian.net', port=443): Max
> retries exceeded with url: /rest/agile/1.0/issue/{issueIdOrKey}
> (caused by SSLError(SSLCertVerificationError(1, '[SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed : self signed
> certificate in certificate chain (_ssl.c:992)')))
Suggest me possible ways to resolve this issue.
Thank you!
答案1
得分: 1
"self signed certificate in certificate chain" 意味着证书链验证失败。您的脚本不信任证书或其颁发者之一。有关更多信息,请参阅Platform Engineer的SSL起步指南。
Tzane的答案包含了大部分您需要的信息。但看起来您可能还想知道要添加哪个证书。
因此,首先获取CA证书以及任何中间证书,可以通过在命令行上运行以下命令来完成:
openssl s_client -connect your-name.atlassian.net:443 -showcerts
在输出中,有一个以Certificate chain开头的块。我从Atlassian.net获得的输出只包括服务器证书和CA证书。
有一些以以下方式开头的输出块:
-----BEGIN CERTIFICATE-----
并以以下方式结束:
-----END CERTIFICATE-----
这些块,包括我刚刚显示的行,都是证书。复制最后一个证书并创建一个.pem文件,例如ca-root.pem。将其放在与您的Python文件相同的目录中,然后更新您的请求块如下:
verify = "ca-root.pem"response = requests.request("GET",url,headers=headers,verify=verify)
希望这能帮助您。
----- 更新 -----
使用您提供的域名 msci.atlassian.net,我获得了此时由Digital Cert提供的CA证书。
-----BEGIN CERTIFICATE-----MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBSU0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6aqXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddng9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuWraKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGBAfr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21reacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNVHR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEBMAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IBAQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3zax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7hqG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbCEXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius<details><summary>英文:</summary>`self signed certificate in certificate chain` means that certificate chain validation has failed. Your script does not trust the certificate or one of its issuers. For more information see [Beginning with SSL for a Platform Engineer][2].The answer from [Tzane][1] had most of what you need.But it looks like you also might want to know WHAT certificate to add.So, first get the CA certificate, and any intermediate certs by running the following on a command line:```bashopenssl s_client -connect your-name.atlassian.net:443 -showcerts
In the output there is a block that starts with Certificate chain. The output I got from Atlassian.net had only a server cert and CA cert.
There are blocks of output that start with
-----BEGIN CERTIFICATE-----
and end with
-----END CERTIFICATE-----
These blocks, including the lines I just showed, are a certificate.
Copy the last certificate and create a pem file e.g. ca-root.pem. Place this in the same directory as your python file and then update your requests block to be:
verify = "ca-root.pem"response = requests.request("GET",url,headers=headers,verify=verify)
Hope this helps.
----- UPDATE -----
Using the domain you provided, msci.atlassian.net, I have the CA cert provided at this time by Digital Cert.
-----BEGIN CERTIFICATE-----MIIEvjCCA6agAwIBAgIQBtjZBNVYQ0b2ii+nVCJ+xDANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBDQTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaME8xCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBSU0EgU0hBMjU2IDIwMjAgQ0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwUuzZUdwvN1PWNvsnO3DZuUfMRNUrUpmRh8sCuxkB+Uu3Ny5CiDt3+PE0J6aqXodgojlEVbbHp9YwlHnLDQNLtKS4VbL8Xlfs7uHyiUDe5pSQWYQYE9XE0nw6Ddng9/n00tnTCJRpt8OmRDtV1F0JuJ9x8piLhMbfyOIJVNvwTRYAIuE//i+p1hJInuWraKImxW8oHzf6VGo1bDtN+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGBAfr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6JWvHgXjkkDKa77SU+kFbnO8lwZV21reacroicgE7XQPUDTITAHk+qZ9QIDAQABo4IBgjCCAX4wEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUt2ui6qiqhIx56rTaD5iyxZV2ufQwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBABggrBgEFBQcwAoY0aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNydDBCBgNVHR8EOzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9iYWxSb290Q0EuY3JsMD0GA1UdIAQ2MDQwCwYJYIZIAYb9bAIBMAcGBWeBDAEBMAgGBmeBDAECATAIBgZngQwBAgIwCAYGZ4EMAQIDMA0GCSqGSIb3DQEBCwUAA4IBAQCAMs5eC91uWg0Kr+HWhMvAjvqFcO3aXbMM9yt1QP6FCvrzMXi3cEsaiVi6gL3zax3pfs8LulicWdSQ0/1s/dCYbbdxglvPbQtaCdB73sRD2Cqk3p5BJl+7j5nL3a7hqG+fh/50tx8bIKuxT8b1Z11dmzzp/2n3YWzW2fP9NsarA4h20ksudYbj/NhVfSbCEXffPgK2fPOre3qGNm+499iTcc+G33Mw+nur7SpZyEKEOxEXGlLzyQ4UfaJbcme6ce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697EA7sKPPcw7+uvTPyLNhBzPvOk-----END CERTIFICATE-----
答案2
得分: 0
我们之前在另一个Web API上遇到了类似的证书问题,它在某些机器上随机出现。我们最终采取的做法是从Let's Encrypt获取ISRG Root X1,并手动将其传递给请求。
verify = "isrgrootx1.pem"response = requests.request("GET",url,headers=headers,verify=verify)
英文:
We had a similar cert issue with another web API that came up randomly on some machines. What we ended up doing is getting the ISRG Root X1 from Let's Encrypt and passing it manually to the request
verify = "isrgrootx1.pem"response = requests.request("GET",url,headers=headers,verify=verify)
答案3
得分: 0
出现这样的证书问题(链中的自签名证书)来自这样一个公共网站,看起来像是你在企业代理后面。是这样吗?
你可以简单地检查一下,如果你在家里或热点连接到互联网而不在代理后面,如果可以正常工作,那么这可能就是问题所在。
你也可以进一步调试,运行 curl -v <URL>。它会显示一些额外的证书信息。
要解决这个问题,你需要信任你公司的 CA 证书,这样由这个根 CA 签名的证书才会被信任。这里是在 Ubuntu 上的操作步骤:
导入公司证书通常是由IT部门协助完成的。不同操作系统的流程不同,但一般来说(我会给出一个Linux的示例),操作如下:
- 你需要获取根 CA 证书。这是公司用来签署证书的证书。你的IT部门可能会有它,或者知道你可以从哪里获取它。这是一个以
.crt为后缀的文件。 - 你将这个文件放在指定的位置,具体位置取决于你的操作系统。对于Ubuntu来说,这将是
/usr/local/share/ca-certificates。 - 运行
sudo update-ca-certificates来更新操作系统的证书。
如果你在Docker内运行,流程是相同的,但根据操作系统类型可能会有所不同。
英文:
Getting certificate issues like that (self signed certificate in chain) from such a public website smells like you're behind a corporate proxy. Is that the case?
You can simply check that if you connect to the internet from your home, or hotspot, without being behind proxy. If it works - then that's your problem.
You can also debug it further running curl -v <URL>. It will display some additional cert information.
To solve it, you need to trust your company CA certificate so certificates signed by this root CA are trusted. Here's a to do it on Ubuntu
Importing a company certificate is something usually the IT department helps with. The process is different between OS's, but in general (and I'll give a Linux example below) this is how it goes:
- You need to get the root CA certificate. This is a certificate the company signs certificate with. Your IT will probably have it, or the knowledge where you can get it from. This is a file with
.crtsuffix - You put this file in designated location, depending on your OS. For Ubuntu this would be
/usr/local/share/ca-certificates - Run
sudo update-ca-certificatesto update OS certificates
If you're running inside Docker, the process is the same and again, it might be different depending on the OS type.
答案4
得分: 0
你是否在请求中使用了YOUR域名?
根据错误信息,看起来你试图在请求中使用虚构的域名 my-domain.atlassian.net 和 your-domain.atlassian.net。
英文:
Are you using YOUR domain name in the request?
From the errors, it looks like you're trying to use the fictitious domains my-domain.atlassian.net and your-domain.atlassian.net in your request.
答案5
得分: 0
- 尝试执行
ping <your-domain>.atlassian.net并确保可以正常访问 - 如果你正在使用 VPN,请尝试关闭它,因为 VPN 可能会导致自签名证书引发各种问题
- 否则,请检查用于 Python 的环境变量...附上了一个我们在处理这些问题时使用过的简短脚本
if [ -w /etc/ssl/certs ]thenCERT_PATH=/etc/ssl/certs/certs.pemelseCERT_PATH=~/.certs.pemfisecurity export -t certs -f pemseq -k login.keychain-db -o $CERT_PATHecho "\nexport REQUESTS_CA_BUNDLE=$CERT_PATH" >> ~/.bash_profileecho "\nexport REQUESTS_CA_BUNDLE=$CERT_PATH" >> ~/.zshrc
英文:
- Try doing
ping <your-domain>.atlassian.netand ensuring it can get through - If you're on VPN try turning it off because VPN can do self-signed certs that cause all kinds of issues
- Otherwise check out your env variables which are used by python...attaching a short script we've used when dealing with these issues
if [ -w /etc/ssl/certs ]thenCERT_PATH=/etc/ssl/certs/certs.pemelseCERT_PATH=~/.certs.pemfisecurity export -t certs -f pemseq -k login.keychain-db -o $CERT_PATHecho "\nexport REQUESTS_CA_BUNDLE=$CERT_PATH" >> ~/.bash_profileecho "\nexport REQUESTS_CA_BUNDLE=$CERT_PATH" >> ~/.zshrc
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论