Python

easy_install 和 pip 失敗並出現 SSL 警告

  • May 2, 2018

我正在照顧一些 RHEL6 伺服器並嘗試將它們設置為使用內部 PyPi 伺服器(由 Nexus 3 代理)。

問題是我們內部的 PyPi 伺服器是同一個 Nginx 伺服器上的幾個 SSL VHost 之一,而 Python 2.6 不兼容 SNI;因此,easy_install 失敗,因為它試圖從錯誤的 Vhost URL 下載,並且 pip 失敗並出現 SNIMissingWarning 和 InsecurePlatformWarning。

我查看了https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings上的建議,但這似乎是您自己腳本的解決方法;它沒有解決 Python 本身的問題。無論如何,我安裝了 urllib3 和相關的軟體包,但問題仍然存在。

[root@foo.internal ~]# pip install --index https://nexus3.internal/repository/pypi-proxy/simple twine
DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Collecting twine
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
 SNIMissingWarning
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
 InsecurePlatformWarning
 Could not fetch URL https://nexus3.internal/repository/pypi-proxy/simple/twine/: There was a problem confirming the ssl certificate: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - skipping
 Could not find a version that satisfies the requirement twine (from versions: )
No matching distribution found for twine

只需查看錯誤消息中提供的連結即可;)

https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning

SNIMissingWarning

這發生在早於 2.7.9 的 Python 2 版本上。這些舊版本缺乏 SNI 支持。這可能會導致伺服器提供客戶端認為無效的證書。按照pyOpenSSL指南解決此警告。


pyOpenSSL 連結返回:

Python 2 中的證書驗證

較舊版本的 Python 2 使用 ssl 模組建構,該模組缺乏 SNI 支持,並且可能落後於安全更新。由於這些原因,建議使用 pyOpenSSL。

如果您使用安全附加組件安裝 urllib3,則將安裝 Python 2 上證書驗證所需的所有包:

pip install urllib3[secure]

如果要手動安裝軟體包,則需要pyOpenSSLcryptographyidnacertifi

引用自:https://serverfault.com/questions/866062