python - 如何使 pipenv 安装使用防火墙的 SSL 证书?
问题描述
坐在带有 SSL 解密的非常严格的防火墙后面,我通常使用这些选项安装 python 包(在 macOS 10.15 上)pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org <packagename>
。但pipenv install --trusted-host pypi.org --trusted-host files.pythonhosted.org <packagename>
不起作用:
pipenv.vendor.requirementslib.exceptions.RequirementError:从“--trusted-host”解析需求失败
由于忽略 SSL 不起作用,我尝试将防火墙的证书放入文件夹并设置 REQUESTS_CA_BUNDLE=/path/to/company/certificates.pem 但没有成功(也许我做错了)。用户@Shanti在这个问题上发表了有希望的评论,但我不知道他是如何完成将证书提供给 pipenv 的。
因此,最重要的是,我正在寻找一种让 pipenv 使用我的防火墙证书的方法。
编辑:这是运行 pipenv install 时的输出:
Creating a virtualenv for this project…
Pipfile: /Users/admin/Code/test/Pipfile
Using /Users/admin/.pyenv/versions/3.8.6/bin/python3.8 (3.8.6) to create virtualenv…
⠧ Creating virtual environment...created virtual environment CPython3.8.6.final.0-64 in 404ms
creator CPython3Posix(dest=/Users/admin/.local/share/virtualenvs/test-NSydZlln, clear=False, global=False)
seeder FromAppData(download=False, pip=bundle, setuptools=bundle, wheel=bundle, via=copy, app_data_dir=/Users/admin/Library/Application Support/virtualenv)
added seed packages: pip==20.2.4, setuptools==50.3.2, wheel==0.35.1
activators BashActivator,CShellActivator,FishActivator,PowerShellActivator,PythonActivator,XonshActivator
✔ Successfully created virtual environment!
Virtualenv location: /Users/admin/.local/share/virtualenvs/test-NSydZlln
Pipfile.lock not found, creating…
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Building requirements...
Resolving dependencies...
✘ Locking Failed!
Traceback (most recent call last):
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
cnx.do_handshake()
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
_raise_current_error()
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/connectionpool.py", line 670, in urlopen
httplib_response = self._make_request(
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/connectionpool.py", line 381, in _make_request
self._validate_conn(conn)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/connectionpool.py", line 976, in _validate_conn
conn.connect()
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/connection.py", line 361, in connect
self.sock = ssl_wrap_socket(
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/util/ssl_.py", line 377, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/contrib/pyopenssl.py", line 494, in wrap_socket
raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/connectionpool.py", line 724, in urlopen
retries = retries.increment(
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/urllib3/util/retry.py", line 439, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /pypi/wheel/json (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/resolver.py", line 807, in <module>
main()
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/resolver.py", line 802, in main
_main(parsed.pre, parsed.clear, parsed.verbose, parsed.system, parsed.write,
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/resolver.py", line 785, in _main
resolve_packages(pre, clear, verbose, system, write, requirements_dir, packages)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/resolver.py", line 746, in resolve_packages
results, resolver = resolve(
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/resolver.py", line 728, in resolve
return resolve_deps(
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/utils.py", line 1378, in resolve_deps
results, hashes, markers_lookup, resolver, skipped = actually_resolve_deps(
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/utils.py", line 1096, in actually_resolve_deps
results = resolver.clean_results()
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/utils.py", line 1002, in clean_results
collected_hashes = self.collect_hashes(ireq)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/utils.py", line 885, in collect_hashes
r = session.get(pkg_url, timeout=10)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/requests/sessions.py", line 543, in get
return self.request('GET', url, **kwargs)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/requests/sessions.py", line 530, in request
resp = self.send(prep, **send_kwargs)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/requests/sessions.py", line 643, in send
r = adapter.send(request, **kwargs)
File "/Users/admin/.pyenv/versions/3.8.6/lib/python3.8/site-packages/pipenv/vendor/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /pypi/wheel/json (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
解决方案
如评论中所述,设置环境变量可以解决问题。它应该如下所示:
export REQUESTS_CA_BUNDLE=/path/to/certificates.pem
完整的链条
在 certificate.pem 中,您必须有一个包含根证书的完整链。因此,certificates.pem 应该如下所示:
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
...
您可以将文件拆分为后缀为 .pem 的单个文件,包括开始和结束标记,如下所示:
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
在 Finder 中,您现在可以选择单个 .pem 文件,输入 <alt> + <tab> 以便查看每个证书的内容。该链必须是完整的,例如,当您查看“Common Name”下的“Issuer”部分时,您应该找到每个证书对应的签名证书。
如果缺少一个或多个,请使用Keychain Access应用程序 (/Applications/Utilities/) 搜索缺少“通用名称”的证书,以 .PEM 格式导出证书并将生成的文件附加到您的末尾证书.pem 文件。
测试
本地测试如下:
- 设置 HTTPS 代理(在本例中为 Charles)
- 将 Charles 证书保存在 .pem 文件中
- 尝试调用
pipenv install requests
(或任何其他包),它失败了SSLCertVerificationError
- 设置
REQUESTS_CA_BUNDLE
环境变量 - 再次调用
pipenv install requests
-> 工作
截屏
推荐阅读
- flutter - 对于插件 url_launcher,flutter run 在 mac os 上确实失败了
- reactjs - 错误:引发了跨域错误。错误:应该设置一个秘密
- flutter - PlatformException(no_fragment_activity, local_auth 插件要求活动是 FragmentActivity., null) 在颤动
- azure - 通过 Powershell 注册 Azure AD 应用程序:如何确保正确的权限?
- html - 如何在css中隐藏div类
- android - Android R 已弃用 AsyncTask。有任何替代代码吗?
- sql - 选择每个类别的所有项目,但仅选择每个类别的最新日期
- javascript - Nodejs 提供的静态文件的字符串插值
- python - 查找与 OOV 词最相似的词
- elasticsearch - 使用 kibana 可视化日志字段