【Question title】: How to add self-signed certificate to PyCharm?
【Posted】: 2019-10-16 15:45:15
【Question description】:

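While running a python-socketio client and a flask-socketio server, I need PyCharm (2019.1.1, on macOS Mojave) to accept my self-signed SSL certificate.

I tried adding the self-signed certificate to PyCharm via Preferences/Tools/Server Certificates. However, it does not solve the problem. When the python-socketio client tries to connect to the flask-socketio server, it gives me errors.

On the client side, the error is thrown like this: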

Traceback (most recent call last):
  File "message_manager.py", line 218, in run
    namespaces=[self.channel])
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/socketio/client.py", line 262, in connect
    engineio_path=socketio_path)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/engineio/client.py", line 170, in connect
    url, headers, engineio_path)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/engineio/client.py", line 308, in _connect_polling
    if self._connect_websocket(url, headers, engineio_path):
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/engineio/client.py", line 346, in _connect_websocket
    cookie=cookies)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/websocket/_core.py", line 514, in create_connection
    websock.connect(url, **options)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/websocket/_core.py", line 223, in connect
    options.pop('socket', None))
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/websocket/_http.py", line 126, in connect
    sock = _ssl_socket(sock, options.sslopt, hostname)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/websocket/_http.py", line 260, in _ssl_socket
    sock = _wrap_sni_socket(sock, sslopt, hostname, check_hostname)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/websocket/_http.py", line 239, in _wrap_sni_socket
    server_hostname=hostname,
  File "/Users/hqiu/anaconda3/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/Users/hqiu/anaconda3/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/Users/hqiu/anaconda3/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

Here is the error log on the server side:

(82268) accepted ('127.0.0.1', 63087)
8d0d93e8376c44919237c647ceb899b3: Sending packet OPEN data {'sid': '8d0d93e8376c44919237c647ceb899b3', 'upgrades': ['websocket'], 'pingTimeout': 60000, 'pingInterval': 25000}
8d0d93e8376c44919237c647ceb899b3: Sending packet MESSAGE data 0
127.0.0.1 - - [16/Oct/2019 12:44:33] "GET /socket.io/?transport=polling&EIO=3&t=1571238873.310223 HTTP/1.1" 200 349 0.000423    
(82268) accepted ('127.0.0.1', 63093)
Traceback (most recent call last):
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/hubs/kqueue.py", line 105, in wait
    readers.get(fileno, hub.noop).cb(fileno)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/greenthread.py", line 221, in main
    result = function(*args, **kwargs)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/wsgi.py", line 818, in process_request
    proto.__init__(conn_state, self)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/wsgi.py", line 357, in __init__
    self.handle()
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/wsgi.py", line 390, in handle
    self.handle_one_request()
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/wsgi.py", line 419, in handle_one_request
    self.raw_requestline = self._read_request_line()
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/wsgi.py", line 402, in _read_request_line
    return self.rfile.readline(self.server.url_length_limit)
  File "/Users/hqiu/anaconda3/lib/python3.7/socket.py", line 589, in readinto
    return self._sock.recv_into(b)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/green/ssl.py", line 241, in recv_into
    return self._base_recv(nbytes, flags, into=True, buffer_=buffer)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/green/ssl.py", line 256, in _base_recv
    read = self.read(nbytes, buffer_)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/green/ssl.py", line 176, in read
    super(GreenSSLSocket, self).read, *args, **kwargs)
  File "/Users/hqiu/PycharmProjects/gps_simulator/src/venv/lib/python3.7/site-packages/eventlet/green/ssl.py", line 150, in _call_trampolining
    return func(*a, **kw)
  File "/Users/hqiu/anaconda3/lib/python3.7/ssl.py", line 911, in read
    return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2488)

So my question is: how do I add a self-signed certificate to PyCharm on macOS and have Python find it?

Please give me some ideas.

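【Question discussion】:

    Tags: python ssl pycharm flask-socketio python-socketio


    【Solution 1】:

    I do not believe PyCharm communicates the SSL certificate settings to Python. The Socket.IO client does not officially support self-signed certificates at this time, but it has been requested. See this and this for two issues related to SSL certificates in the client.

    That said, the long-polling transport is implemented with the requests package, so you could set the REQUESTS_CA_BUNDLE environment variable to tell requests about your certificate. But obviously this isn't going to work for WebSocket.

    【Discussion】:

    • Hi, thanks for your answer! Do you mean that if I run Python with PyCharm now, I cannot establish Socketio communication with SSL?
    • Well, I'm saying two things. First, the certificates that you set up in PyCharm are for PyCharm; Python can't see them (at least I don't think it can). Since Socket.IO uses the requests package for long-polling, you can use the requests environment variable to select the self-signed certificate, but of course this does not work for WebSocket, so it is a partial solution.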
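
Added example (not part of the original answers or of python-socketio): a client context built with Python's defaults rejects a self-signed server certificate, while a context that is handed the certificate file verifies it, hostname included, with no need to disable verification. It assumes the `openssl` CLI (1.1.1 or later) is on PATH to create a throwaway certificate for `localhost`; `make_self_signed`, `handshake` and `demo` are hypothetical helper names.

```python
import os
import ssl
import subprocess
import tempfile

def make_self_signed(directory, host="localhost"):
    """Create a throwaway self-signed cert/key pair (constructed test data)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={host}", "-addext", f"subjectAltName=DNS:{host}",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key

def handshake(client_ctx, server_ctx, host="localhost"):
    """Run a TLS handshake in memory; return 'ok' or the client's verify error."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=host)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = {"client", "server"}
    for _ in range(10):
        for name, side, outgoing, peer_in in (("client", client, c_out, s_in),
                                              ("server", server, s_out, c_in)):
            if name in pending:
                try:
                    side.do_handshake()
                    pending.discard(name)
                except ssl.SSLWantReadError:
                    pass  # needs more bytes from the peer
                except ssl.SSLCertVerificationError as exc:
                    return f"verify failed: {exc.verify_message}"
            data = outgoing.read()
            if data:
                peer_in.write(data)
        if not pending:
            return "ok"
    return "incomplete"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        default_ctx = ssl.create_default_context()  # system CAs only
        pinned_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain + hostname checks on
        pinned_ctx.load_verify_locations(cafile=cert)  # trust only this certificate
        return handshake(default_ctx, server_ctx), handshake(pinned_ctx, server_ctx)
```

`demo()` returns the two outcomes as a pair: a verification failure for the default context and `"ok"` for the context that was given the certificate.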
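    【Solution 2】:

    Perhaps you can adjust the system-wide certificate trust settings to accept your self-signed certificate. On macOS, this is available in Keychain Access.

    【Discussion】:

    • Hi noɥʇʎԀʎzɐɹƆ, I tried that and it didn't work. But thanks for the idea!
    • You need to not only add the certificate but also mark it as trusted
    • Have you contacted JetBrains support?
    • Hi, I set it to "Always Trust" in KeyChain. Yes, that's a good idea! I will contact JetBrains for help.
    • Are you connecting from within a PyCharm tool or from the code itself?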