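ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) in a Jenkins job on Ubuntu 16.04 when uploading files in the production environment
In my .py file I import httplib and urllib, and I run the Jenkins job on Ubuntu 16.04; the job builds on CentOS 7.
I have the following 21 lines of Python code: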
import httplib
import urllib
import os
import base64
AN = os.getenv("ACCESSNAME")
AP = os.getenv("ACCESSKEY")
U = 'login=%s&password=%s' % ('Uname', 'passwd')
R = {'Authorization': 'Basic ' + base64.b64encode('%s:%s' % ('Uname', 'passwd'))}
serverid = '192.168.0.*'
portno = 443
check_path = '/store/shared/united_states'
h1 = httplib.HTTPSConnection(serverid, portno)
if serverid == '192.168.0.*':
    h1.request('GET', "%s?%s" % (urllib.quote(check_path), U), None, R)
    print "connection successfull"
else:
    print "using 2ndUname login"
    h1.request('GET', check_path + '?login=2ndUname&password=passwd', None, {})
r1 = h1.getresponse()
statuscode = r1.status  # HTTPResponse exposes the HTTP status code as .status
print statuscode
It works on Ubuntu 12.04 but not on Ubuntu 16.04. On Ubuntu 16.04 I get the error "ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)".
Certificate details:
CONNECTED(00000003)
---
Certificate chain
0 s:/C=IE/ST=Dublin/L=Dublin/O=Default Company Ltd
i:/C=IE/ST=Dublin/L=Dublin/O=Default Company Ltd
---
Server certificate
subject=/C=IE/ST=Dublin/L=Dublin/O=Default Company Ltd
issuer=/C=IE/ST=Dublin/L=Dublin/O=Default Company Ltd
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1485 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: A986151BD77C7B6BCC96E87C88C9463A794A3A9C34CA6AAE0B3012E5BCCC9053
Session-ID-ctx:
Master-Key: 5899F9E0C15D2CE071A8F6DBF36FD74F1137BA492A3D6383D7A0D5A36F46AB993CC5F740E87440C21B54ABCE3F7B6DC1
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1553235005
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
HTTP/1.1 400 Bad Request
Date: Fri, 22 Mar 2019 06:14:21 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_wsgi/3.4 Python/2.7.5
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
Answer 1
Try running the following commands:
$ sudo update-ca-certificates --fresh
$ export SSL_CERT_DIR=/etc/ssl/certs
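Answer 2
According to the output you provided, your certificate has expired. Also, it has some suspicious entries in the organization field, so I guess it is self-signed as well...
Get a new valid certificate, for example from Let's Encrypt, or set up a valid PKI structure within your company, for example using EasyRSA.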
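The reasoning in Answer 2 applied to the `openssl s_client` output from the question, as an added example that is not part of the original posts. `triage`, `CAUSES` and the trimmed `SAMPLE` are constructed for illustration, and the table covers only a few common OpenSSL verify codes.

```python
import re

# Constructed sample: the relevant lines of the s_client output quoted in the
# question, with the certificate body and session data left out.
SAMPLE = """\
Server certificate
subject=/C=IE/ST=Dublin/L=Dublin/O=Default Company Ltd
issuer=/C=IE/ST=Dublin/L=Dublin/O=Default Company Ltd
---
    Verify return code: 10 (certificate has expired)
"""

# OpenSSL verify codes that commonly sit behind CERTIFICATE_VERIFY_FAILED.
CAUSES = {
    10: "certificate expired: reissue it on the server",
    18: "self-signed leaf: add it to the client trust store or reissue from a CA",
    19: "self-signed CA in chain: add that CA to the client trust store",
    20: "issuer not in client trust store: install the issuing CA certificate",
    21: "server sent an incomplete chain: configure the intermediate certificates",
}

def _field(name, text):
    """Return the value of a 'name=value' line, or None if it is absent."""
    m = re.search(r"^%s=(.*)$" % name, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def triage(text):
    """Summarise why a client would reject the certificate in s_client output."""
    subject, issuer = _field("subject", text), _field("issuer", text)
    m = re.search(r"Verify return code:\s*(\d+)", text)
    code = int(m.group(1)) if m else None
    findings = []
    if code:  # 0 means verification succeeded
        findings.append(CAUSES.get(code, "OpenSSL verify code %d" % code))
    # The summary line carries one code only, so compare the names as well.
    if subject and subject == issuer and code not in (18, 19):
        findings.append("subject equals issuer: self-issued, so it also needs "
                        "an explicit trust anchor on the client")
    if subject and not re.search(r"(^|[/,]\s*)CN\s*=", subject):
        findings.append("subject has no CN: hostname checks depend on subjectAltName")
    return {"subject": subject, "issuer": issuer, "code": code, "findings": findings}

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("- " + line)
```

Python 2.7.9 and later verify HTTPS certificates by default in httplib (PEP 476), which fits the script passing on Ubuntu 12.04 and failing on 16.04 against the same server.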