SSL on awka https://my-garden-8a5.pages.dev/tags/ssl/ Recent content in SSL on awka Hugo -- gohugo.io en-us Sun, 19 Apr 2026 00:00:00 +0000 一次 SSL 证书问题排查小结 https://my-garden-8a5.pages.dev/posts/nanobot-gateway-ssl-error/ Sun, 19 Apr 2026 00:00:00 +0000 https://my-garden-8a5.pages.dev/posts/nanobot-gateway-ssl-error/ <p>今天解决了一个 nanobot gateway 启动失败的问题,记录一下排查过程和学到的东西。</p> <h2 id="问题现象">问题现象 </h2><p>启动 <code>nanobot gateway</code> 时报错:</p> <pre tabindex="0"><code>ssl.SSLCertVerificationError: certificate verify failed: self-signed certificate in certificate chain </code></pre><h2 id="排查过程">排查过程 </h2><h3 id="第一反应代理问题">第一反应:代理问题? </h3><p>因为错误是 &ldquo;self-signed certificate&rdquo;,第一反应是 Clash Party 的 HTTPS 拦截又在搞事情。之前确实碰到过类似问题。</p> <p>于是:</p> <ol> <li>重启 Clash Party</li> <li>排除飞书相关域名</li> <li>完全退出飞书应用</li> </ol> <p>然并卵。</p> <h3 id="柳暗花明">柳暗花明 </h3><p>最后用 <code>ssl.get_default_verify_paths()</code> 检查 Python 的 SSL 配置:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#f92672">&gt;&gt;&gt;</span> <span style="color:#f92672">import</span> ssl </span></span><span style="display:flex;"><span><span style="color:#f92672">&gt;&gt;&gt;</span> ssl<span style="color:#f92672">.</span>get_default_verify_paths() </span></span><span style="display:flex;"><span>DefaultVerifyPaths(cafile<span style="color:#f92672">=</span><span style="color:#66d9ef">None</span>, capath<span style="color:#f92672">=</span><span style="color:#66d9ef">None</span>, </span></span><span style="display:flex;"><span> openssl_cafile<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;/Library/Frameworks/Python.framework/Versions/3.12/etc/openssl/cert.pem&#39;</span>, </span></span><span style="display:flex;"><span> openssl_cafile_env<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;SSL_CERT_FILE&#39;</span>, <span style="color:#f92672">...</span>) </span></span></code></pre></div><p><strong>问题找到了</strong>:Python 期望证书在 <code>/Library/Frameworks/Python.framework/Versions/3.12/etc/openssl/cert.pem</code>,但这个文件不存在!</p> <p>macOS 系统的证书实际在 <code>/etc/ssl/cert.pem</code>(由 Apple 维护,6000+ 根证书)。</p> <h2 id="解决">解决 </h2><p>设置环境变量:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>export SSL_CERT_FILE<span style="color:#f92672">=</span>/etc/ssl/cert.pem </span></span></code></pre></div><p>添加到 <code>~/.zshrc</code> 永久生效。</p> <h2 id="学到的教训">学到的教训 </h2><ol> <li><strong>不要先入为主</strong>:&ldquo;self-signed certificate&rdquo; 不一定是中间人攻击,也可能是证书路径没配好</li> <li><strong>Python SSL 排查</strong>:第一时间检查 <code>ssl.get_default_verify_paths()</code> 能快速定位</li> <li><strong>macOS Python 的坑</strong>:系统自带的 Python(官方安装包)没有正确配置系统证书路径,Homebrew 版会好一些</li> </ol> <hr> <p>问题虽然简单,但排查方向跑偏了半小时。下次遇到 SSL 错误会先检查证书路径配置。</p>