hvac python library - Unable to authenticate

I have the following Python code:

import hvac
import os

client = hvac.Client(url='https://vault.domain.com:8200', token='s.XXXXXXXXXXXXXXXXXXX')
client.is_authenticated()

It doesn't work - I get an exception:

Traceback (most recent call last):

    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='vault.domain.com', port=8200): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

The token is correct, because I can log in to the vault with it. I can telnet to https://vault.domain.com:8200 without any problem.

Versions:

Python 3.6.9
hvac (0.10.5)

Any ideas?

If I add verify=False to the client, it gives

InsecureRequestWarning: Unverified HTTPS request is being made to host 'vault.domain.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
True

The message certificate verify failed does not mean that the client is not authenticated; it means that your client could not verify the authenticity of the server, because you did not give it any CA certificate bundle to check the server's certificate against.

From the hvac documentation:

verify (Union[bool,str]) – Either a boolean to indicate whether TLS verification should be performed when sending requests to Vault, or a string pointing at the CA bundle to use for verification.

So you should use verify="/path/to/ca_certs.pem"

instead of verify=False

When you use verify=False, the True means that the client is properly authenticated, so you should be able to interact with Vault that way, but not verifying the server's certificate means you are exposed to DNS spoofing and MITM attacks.
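A way to put the answer into practice, as an added example that is not part of the question or of the hvac project: the verify argument is resolved from a CA bundle path (read from VAULT_CACERT, the same variable the Vault CLI uses, alongside VAULT_ADDR, VAULT_TOKEN and VAULT_SKIP_VERIFY), verify=False is only produced on an explicit opt-out, and an SSLError from lookup-self is reported as a trust-store problem rather than a bad token. The helper names resolve_verify, make_client and check_authenticated are hypothetical.

```python
import os


def resolve_verify(env):
    """Choose the value for hvac.Client(verify=...) from a mapping such as os.environ.

    Preferred: a path to a CA bundle (VAULT_CACERT). Otherwise True, which makes
    requests use the system trust store. False is returned only when
    VAULT_SKIP_VERIFY is explicitly set, because it disables server authentication.
    """
    ca_bundle = env.get("VAULT_CACERT")
    if ca_bundle:
        if not os.path.isfile(ca_bundle):
            # A wrong path would otherwise surface later as an opaque SSLError.
            raise FileNotFoundError(f"VAULT_CACERT points to a missing file: {ca_bundle}")
        return ca_bundle
    if env.get("VAULT_SKIP_VERIFY", "").lower() in ("1", "true", "yes"):
        # Explicit opt-out: the server's identity is not checked (MITM risk).
        return False
    return True


def make_client(env):
    """Build an hvac client whose TLS verification uses the resolved CA bundle."""
    import hvac  # imported lazily so resolve_verify() is usable without hvac installed

    return hvac.Client(
        url=env["VAULT_ADDR"],
        token=env.get("VAULT_TOKEN"),
        verify=resolve_verify(env),
    )


def check_authenticated(client):
    """Call lookup-self, separating a TLS trust failure from a rejected token."""
    import requests  # hvac raises requests' exception types

    try:
        return client.is_authenticated()
    except requests.exceptions.SSLError as exc:
        raise RuntimeError(
            "TLS verification failed: the CA that signed the Vault server "
            "certificate is not in the configured bundle; set VAULT_CACERT"
        ) from exc


if __name__ == "__main__":
    print(check_authenticated(make_client(os.environ)))
```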