How do I add a new SSL certificate to resolve "Verify return code: 20 (unable to get local issuer certificate)"?

Update: If I let the API call hang and keyboard-interrupt it, this is where it shows it was stuck:

      File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
        self._sslobj.do_handshake()

Are you guys sure this is not an SSL-related problem?

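I have been getting what seems to be a fairly common error, "Verify return code: 20 (unable to get local issuer certificate)". With the help of this thread, I found a certificate that removed the error when I passed the path to the file as an arg, following that thread. Now how do I permanently make this new certificate act as my default certificate?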

To be clear, `echo "" | openssl s_client -connect api.stripe.com:443` produces this:

    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
     1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
     2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
       i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    ---
    Server certificate
    subject=/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4712 bytes and written 443 bytes
    ---
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: F5EA24F3FE87EA6D4D2D5F8EBBD66811BE85116047AB1111F22968B324698D86
        Session-ID-ctx:
        Master-Key: EEBA4D6255330C751DACE424844778CAA561F9BA339488CB8B32D78047A681B3066DD683A733732AB778EB1C72FB1EE2
        Key-Arg : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        Start Time: 1404582660
        Timeout : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    DONE

Whereas `echo "" | openssl s_client -CApath ~/Downloads/DigiCertHighAssuranceEVRootCA.crt -connect api.stripe.com:443` produces this:

    CONNECTED(00000003)
    depth=3 C = US, O = GTE Corporation, OU = "GTE CyberTrust Solutions, Inc.", CN = GTE CyberTrust Global Root
    verify return:1
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
    verify return:1
    depth=0 C = US, ST = California, L = San Francisco, O = "Stripe, Inc.", CN = api.stripe.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
     1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
     2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
       i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    ---
    Server certificate
    subject=/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
    issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4712 bytes and written 443 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 7ACAFB7EFC59892B2FD356197EE62E8E94F05DA51FAC29C21CA4790D69916169
        Session-ID-ctx:
        Master-Key: 4E58BAB4E6C5C36BFEE31C5AA49AB8B22C6ADB684C3A7A9FC1FE2D899676C5CDF2823C51E35120E61FA04F2291DBBF0D
        Key-Arg : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        Start Time: 1404583006
        Timeout : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE

And the latter seems to resolve the problem, if only I could make it "permanent". Is the solution to convert it to PEM and put it in /usr/lib/ssl/certs/?

If so, I am having trouble converting the certificate to PEM. I get the following, which I am currently "researching":

    $ openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.pem -outform PEM
    unable to load certificate
    3074123452:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

EDIT: Ah, I successfully converted it to .pem and moved it to that directory, and it made no difference.

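For background, this is not a production server or anything; it is just my computer, running Xubuntu. I ran into this problem while trying to run a script that interacts with Stripe's API. The same script worked fine the day before. Then all the API calls suddenly started timing out. I contacted Stripe's support, which is very slow, and the person gave me some commands to run to look into the problem. I am still waiting for them to get back to me, but this seems to be the problem. I am hoping that using the certificate I downloaded will allow me to interact with the Stripe API again when I do something other than `echo "" | openssl s_client -connect api.stripe.com:443`.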

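If anyone has a guess as to how I might have inadvertently caused this problem so suddenly, I would really appreciate it. We are baffled as to why this would happen.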

EDIT:

I have been asked for the Stripe script itself.

    import stripe

    STRIPE_SECRET = "mys3cretkey"
    STRIPE_PUBLISHABLE = "testkeypublishable"

    stripe.api_key = STRIPE_SECRET
    customer = stripe.Customer.retrieve('cus_4FJ2a8cSopzrwQ')
    print customer['created']

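However, I want to reiterate that this and every other Stripe-related script and action worked fine until a few days ago. For months before this problem occurred, I had been making Stripe API calls, doing web scraping and all sorts of other things, completely oblivious to certificates and handshakes. Also, Stripe's documentation provides examples of API calls, with your key and test info on the right, so you can copy them and play around. Copying those does not work either. Making test transactions in my "local" environment does not work either.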

But, huh, since the problem began it has worked about 1 time in 12... which is odd...

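I tried `echo '' | openssl s_client -connect google.com:443` as well and I get the same problem. So that is why I think this problem is not specific to Stripe, although they did have some trouble with connections to their API; those problems appeared before ours, and they said on Twitter that the trouble was resolved. (And our production site is fine.)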

EDIT: I was asked to provide a bit more information.

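  1. What might have changed. The only thing that might affect this is that I have started using my virtual machine "more". Note the "more": I used it before, and these scripts ran fine. It is a Windows 7 VM for .NET work. (Oddly, it runs poorly.)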

  2. The Stripe error. If I let the script hang long enough, I get a traceback, the end of which is this:

          File "/usr/local/lib/python2.7/dist-packages/stripe/http_client.py", line 140, in _handle_request_error
            raise error.APIConnectionError(msg)
        stripe.error.APIConnectionError: Unexpected error communicating with Stripe. If this problem persists, let us know at support@stripe.com. (Network error: Timeout: HTTPSConnectionPool(host='api.stripe.com', port=443): Read timed out.)

  3. The script and the openssl tests are all on my local machine, which is my laptop. When I mention test transactions on our website, that is localhost here, with the same Stripe test API key as the script.

Thanks

    You need to add the path where s_client should look for certificates, because it does not use any default path. This should work:

     openssl s_client -CApath /etc/ssl/certs/ -connect api.stripe.com:443 

    There should be no need to add any certificates to /etc/ssl/certs, because the relevant CA should already be included in (X)Ubuntu.
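
Reading the failing transcript from the question, as an added example that is not part of the original question or answer: code 20 is reported against the depth-2 certificate, so the missing trust anchor is that certificate's issuer, which the chain listing names. The `diagnose` helper and the `SAMPLE` excerpt are constructed here for illustration.

```python
import re

# Constructed sample: the verification-relevant lines of the failing
# s_client transcript from the question (PEM body and session data left out).
SAMPLE = """\
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Stripe, Inc./CN=api.stripe.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

def cn(name):
    """Return the CN of a subject/issuer in either s_client name format."""
    m = re.search(r"CN\s*=\s*(.+?)\s*$", name)
    return m.group(1) if m else name.strip()

def diagnose(transcript):
    """Summarise why verification failed in an `openssl s_client` transcript."""
    # Chain as sent by the server: depth -> (subject CN, issuer CN)
    chain = {int(d): (cn(s), cn(i)) for d, s, i in re.findall(
        r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", transcript, re.M)}
    # A "verify error" line refers to the "depth=N" line printed just before it.
    errors = [(int(d), int(n)) for d, n in re.findall(
        r"^depth=(\d+) .*\nverify error:num=(\d+):", transcript, re.M)]
    final = re.search(r"Verify return code: (\d+) \((.+)\)", transcript)
    result = {"code": int(final.group(1)), "reason": final.group(2),
              "failed_at": None, "missing_issuer": None}
    for depth, num in errors:
        if num == 20 and depth in chain:
            # Code 20: this certificate's issuer was not found in the local trust store.
            result["failed_at"], result["missing_issuer"] = chain[depth]
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
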