
How to make Python use CA certificates from Mac OS TrustStore?

Reposted. Author: bug小助手. Updated: 2023-10-28 09:45:30



I need to use custom root certificates on the company intranet and loading them in the Mac OS TrustStore (KeyChain) does solve the problem for all browsers and GUI apps.



It seems that it works even with the version of curl that ships with Mac OS X, but it doesn't work with Python, even the version that ships with Mac OS 10.12 Sierra (Python 2.7.10).


Still, it seems that I would be hit by:



urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

How can I solve this?


Because I encounter this issue in lots and lots of Python tools, I would really appreciate it if I could find a way to avoid it without having to patch them.


Providing the custom CA certificate myself is not an option because I cannot patch tens of Python tools that I use.



Most of the tools are using the requests library, but there are a few that are using the native ssl support in Python directly.


Comments

Relevant to: stackoverflow.com/q/27835619/1959808


Why do we need these certificates in the first place? Might that not open you up to security vulnerabilities?


Answers

This is also a problem in Python 3.6 with MacOS Sierra. I know your use case is different. But I stumbled upon this thread while investigating this problem. So if anyone is also having this problem, this article is worth checking out:



http://www.cdotson.com/2017/01/sslerror-with-python-3-6-x-on-macos-sierra/




In a nutshell: Python 3.6 does not rely on MacOS' openSSL anymore. It comes with its own openSSL bundled and doesn't have access to MacOS' root certificates.



You have two options:




Run an install command shipped with Python 3.6:



cd /Applications/Python\ 3.6/
./Install\ Certificates.command


or



Install the certifi package with:



pip install certifi


I chose the first option and it worked.




Run this to set the appropriate variables. This is a combination of the answers that have already been given here. Put it in your ~/.bash_profile to make it permanent.




CERT_PATH=$(python -m certifi)
export SSL_CERT_FILE=${CERT_PATH}
export REQUESTS_CA_BUNDLE=${CERT_PATH}


Mac brew-installed Python env.



$ python3
Python 3.7.3 (v3.7.3:ef4ec6ed12, Mar 25 2019, 16:52:21)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import certifi
>>> certifi.where()
'/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/certifi/cacert.pem'
>>>


Or from the command line:




$ python -m certifi


Then you need to link cacert.pem as cert.pem:



$ ln -s /Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/certifi/cacert.pem cert.pem
$ pwd
/Library/Frameworks/Python.framework/Versions/3.7/etc/openssl

$ rehash


Then it works fine.



This was intended as an edit to an existing question, but since the queue was already full, posting as a separate answer.



Tested on MacOS 12.3.1 with python 3.10 installed with MacPorts.



If you prefer to trust root CA according to your OS, export them from System Roots keychain into a single file:



security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o bundleCA.pem

If, additionally, you want to trust some internal self-signed CAs, export them, too. They are probably stored under the System keychain:



security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o selfSignedCAbundle.pem

Merge the two files:



cat bundleCA.pem selfSignedCAbundle.pem >> allCAbundle.pem

Export it as a bash variable:


export REQUESTS_CA_BUNDLE=/path/to/allCAbundle.pem

Consider adding the last code snippet to your .bash_profile.


Note that REQUESTS_CA_BUNDLE works only for a single file, not for a directory.



If you put the additional certificates in a PEM bundle file you can use these two environment variables to overwrite the default cert stores used by Python openssl and requests.




SSL_CERT_FILE=/System/Library/OpenSSL/cert.pem
REQUESTS_CA_BUNDLE=/System/Library/OpenSSL/cert.pem


Please note that this file does not exist, you need to build it yourself.




I see a lot of answers out there that recommend turning off certificate validation or using certifi.where.
While turning off SSL is an obvious risk, certifi.where is also a risk, mainly if you intend to make this code production code that will run in a customer env.


PEP describing why it is wrong.
ssl.create_default_context is well integrated with the Linux and Windows trust stores; the problem is, as in your case, with Mac.
I solved this by loading the certificates using the integrated security command-line tool:


def create_macos_ssl_context():
    import ssl
    import subprocess
    import tempfile

    ctx = ssl.create_default_context()
    # Dump every certificate in the System Roots keychain as PEM text.
    macos_ca_certs = subprocess.run(["security", "find-certificate", "-a", "-p",
                                     "/System/Library/Keychains/SystemRootCertificates.keychain"],
                                    stdout=subprocess.PIPE).stdout

    with tempfile.NamedTemporaryFile('w+b') as tmp_file:
        tmp_file.write(macos_ca_certs)
        tmp_file.flush()  # make the PEM data visible to OpenSSL before it reads the file
        ctx.load_verify_locations(tmp_file.name)
    print(ctx.get_ca_certs())
    return ctx

Note that this gives you the SystemRoot certificates. If you need the user ones, simply change the value in the security command.
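Putting the keychain-export answer and the create_macos_ssl_context answer together, here is an added example that is not from the original thread: it dumps both keychains with security find-certificate, deduplicates the PEM blocks (the same root often sits in both keychains), and loads the result into an SSLContext through cadata. Only the keychain paths and the security flags come from the answers; the helper names and the sample PEM dump are assumptions of mine.

```python
import re
import ssl
import subprocess

# Keychains named in the answers above; the System keychain is where
# internal CAs usually land when an admin installs them.
KEYCHAINS = [
    "/System/Library/Keychains/SystemRootCertificates.keychain",
    "/Library/Keychains/System.keychain",
]

# Constructed sample dump (placeholder bodies, not real certificates) used
# to exercise split_pem/merge_pem without calling the security CLI.
SAMPLE_DUMP = (
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_pem(text):
    """Return the individual certificate blocks found in a PEM dump."""
    return _PEM_BLOCK.findall(text)

def merge_pem(*dumps):
    """Join several PEM dumps into one bundle, dropping duplicate certs.
    The same root often sits in both keychains; order is preserved."""
    seen, merged = set(), []
    for dump in dumps:
        for block in split_pem(dump):
            if block not in seen:
                seen.add(block)
                merged.append(block)
    return "\n".join(merged) + "\n" if merged else ""

def export_keychain(keychain):
    """Dump every certificate in a keychain as PEM via the security CLI."""
    out = subprocess.run(["security", "find-certificate", "-a", "-p", keychain],
                         check=True, capture_output=True, text=True)
    return out.stdout

def macos_ssl_context(keychains=KEYCHAINS):
    """SSLContext whose trust anchors come from the macOS keychains."""
    ctx = ssl.create_default_context()
    # cadata takes the PEM text directly, so no temp file has to be flushed.
    ctx.load_verify_locations(cadata=merge_pem(*map(export_keychain, keychains)))
    return ctx
```

For tools you cannot patch, write the output of merge_pem to a single file and point REQUESTS_CA_BUNDLE and SSL_CERT_FILE at it, since both variables accept one file rather than a directory.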



As an update and datapoint, I ran into this issue running Python 3.7.0 on macOS 10.13.4:




$ ipython
Python 3.7.0 (v3.7.0:1bf9cc5093, Jun 26 2018, 23:26:24)
Type 'copyright', 'credits' or 'license' for more information
IPython 7.0.1 -- An enhanced Interactive Python. Type '?' for help.

In [1]: import bokeh.sampledata

In [2]: bokeh.sampledata.download()
Using data directory: /Users/me/.bokeh/data

...
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1045)


Instructions for solving the problem are in /Applications/Python\ 3.7/ReadMe.rtf.



Following the suggestion there and running /Applications/Python\ 3.7/Install\ Certificates.command solved the problem:




From the terminal:




$ /Applications/Python\ 3.7/Install\ Certificates.command


Re-starting IPython...




$ ipython
>>> import bokeh.sampledata

>>> bokeh.sampledata.download()
Using data directory: /Users/me/.bokeh/data
Downloading: CGM.csv (1589982 bytes)
1589982 [100.00%]
...


For me, /Applications/Python\ 3.6/./Install\ Certificates.command fails on the pip certifi install. I am on Mac High Sierra and use python3, so pip somewhat fails and I have to use pip3 instead.



So here is what I did:




  1. Manually ran pip3 install --upgrade certifi in a shell

  2. Removed the install certifi line from the command script

  3. Reran the script and everything was fine.



Note that you will end up with a cert.pem symbolic link in: /Library/Frameworks/Python.framework/Versions/3.6/etc/openssl/




Solution for MacOS or Linux with latest Python versions installed either as standalone or via port or brew


Download certificates from Certifi project at https://github.com/certifi/python-certifi/blob/master/certifi/cacert.pem. FYI Certifi is a 3rd party library that provides Mozilla’s curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.



Then add to your ~/.zshrc on the latest MacOS or ~/.bash_profile or similar:



export SSL_CERT_FILE=/pathtodownloadedfile/cacert.pem
export REQUESTS_CA_BUNDLE=/pathtodownloadedfile/cacert.pem


In my case, only running "Install Certificates.command" solved this issue on Mac OS.


Update SSL certificate with certifi (MacOS only)



All we have to do is run the command as follows:


- Press "command + space" button or open Spotlight
- type "Install Certificates.command"


What this command does is update our system's SSL certificate directory for MacOS.


Comments

There is also the option to get python from homebrew, which does it for you automatically.


The second option is not enough; to create a symlink in the OpenSSL directory is also needed, and that is what the command in the first option does. See this issue for details.


This solution STOPPED working in OSX Catalina with Python 3.7. There is no /Applications/Python 3.7 directory and the Install Certificates command is not present. Installing certification also does NOT solve this issue anymore. #STUCK!! gggrrrrr.... Has anyone solved this on Catalina?


This works. If you have custom CA certs, add them to /Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/certifi/cacert.pem, then re-run /Applications/Python\ 3.7/Install\ Certificates.command.

I think this solution is good but not enough for the people using pyenv or a direct build of Python. After installing certifi, we need to follow stackoverflow.com/a/57795811/7412781

Wonderful! This answer was most relevant for fixing my issue within a Python 3.8 virtualenv setup, within which Jupyter notebook ran into the certificate error. I sourced the ".bash_profile" within the env. And that was it.


@Shanti it seems you have solved the problem I am struggling with … Please take a quick look at my question here: stackoverflow.com/questions/64590535/…

Didn't work for me. Python 3.9.2 installed via brew on Mac OS Big Sur 11.2.3


@MarcelloRomani I use Mac OS Big Sur 11.2.3 and it was successful.

Thanks, worked for me! I am running Python 3.8.14 on my Mac installed from source.


Tried so many things but this is the only one that worked. Kudos.

Worked for me, thanks!


This worked for me as well, thank you very much. I have spent a week searching for a solution.

In case you wonder how to find out which file to link to: use the command python -c "import ssl; print(ssl.get_default_verify_paths())" and, from the output, it's the value listed for openssl_cafile.

If rehash does not work (command not found), use c_rehash instead.


The two security export commands are the same, which I think must be a typo. Is there a way to find location of internal CAs on mac?


@sudocode: Indeed. Corrected. Thanks for pointing out!


I've been scouring the internet for a solution that worked and this was what I needed.

Mine was located at /Library/Frameworks/Python.framework/Versions/2.7/etc/openssl/cert.pem.

Setting REQUESTS_CA_BUNDLE to the stacked .pem I generated fixed my issue with Requests for an internal Root CA. Thanks, @Sorin.

The Python requests library depends on the certifi lib and uses its certificates by default. No need to add it to the env variable path.

Thanks igo, on Mac, this addresses the issue where openssl fails to build because Mac certs are not loaded in the Python venv.
