Kiwi TCMS Python API 连接 SSL 错误

Question

当我尝试运行 tcms-api 模块但按照给出的步骤操作时出现以下错误，

https://tcms-api.readthedocs.io/en/latest/modules/tcms_api.html#module-tcms_api

我在 CentOS 中使用 python 3，通过将证书挂载到 docker 容器来应用我们自己的域和证书。

能否请教如何解决 SSL 证书验证失败错误？

[root@KiwiTCMS-Testcase-Portal docker-compose]# python3 test-api.py
Traceback (most recent call last):
  File "test-api.py", line 5, in <module>
    rpc_client = TCMS()
  File "/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/tcms_api/__init__.py", line 123, in __init__
    config['tcms']['url']).server
  File "/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/tcms_api/xmlrpc.py", line 124, in __init__
    self.login(username, password, url)
  File "/opt/rh/rh-python36/root/usr/lib/python3.6/site-packages/tcms_api/xmlrpc.py", line 131, in login
    self.server.Auth.login(username, password)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/xmlrpc/client.py", line 1112, in __call__
    return self.__send(self.__name, args)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/xmlrpc/client.py", line 1452, in __request
    verbose=self.__verbose
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/xmlrpc/client.py", line 1154, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/xmlrpc/client.py", line 1166, in single_request
    http_conn = self.send_request(host, handler, request_body, verbose)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/xmlrpc/client.py", line 1279, in send_request
    self.send_content(connection, request_body)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/xmlrpc/client.py", line 1309, in send_content
    connection.endheaders(request_body)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1282, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1042, in _send_output
    self.send(msg)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 980, in send
    self.connect()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1448, in connect
    server_hostname=server_hostname)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

Answer 1

我看到您正在使用 RedHat 的 SoftwareCollections 中的 Python 3.6。该版本包含一个错误（或者可以说是一个安全功能），它不尊重上游 Python 中记录的允许您接受不受信任的 SSL 证书的设置。 bugzilla.redhat.com 上报告了很多这样的事情，但我认为他们不会改变它！

这就是我们在测试套件中的做法： https://github.com/kiwitcms/tcms-api/blob/master/tests/krb5/integration_test.py#L18

Answer 2

引入以下行修复问题，

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Legacy Python that doesn't verify HTTPS certificates by default
    pass
else:
    # Handle target environment that doesn't support HTTPS verification
    ssl._create_default_https_context = _create_unverified_https_context