
BlueDogRanch's questions

BlueDogRanch
Asked: 2022-04-08 08:32:35 +0800 CST

CERTIFICATE_VERIFY_FAILED error

  • 1

Python Django error:

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
unable to get local issuer certificate (_ssl.c:1131)>

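Exception Location: /usr/lib/python3.8/urllib/request.py, line 1357, in do_open

Running: Python 3.8.10, Django 4.0.3, Ubuntu 20.04, Apache 2

I am using Django for a simple contact form application, which currently works and throws no errors. When I add hCaptcha to the form using this Django library, https://github.com/tiesjan/django-hcaptcha-field, the CERTIFICATE_VERIFY_FAILED error occurs.

The problem doesn't appear to be with django-hcaptcha-field; it appears to be Ubuntu and SSL certificates when accessing the hCaptcha API.

I've looked at multiple questions on SO (especially https://stackoverflow.com/questions/27835619/urllib-and-ssl-certificate-verify-failed-error, even though it is for OS X) and on Ask Ubuntu about the certificate issue.

I've tried all of these "fixes":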

pip install pyOpenSSL --upgrade
apt-get install --reinstall python3-certifi
pip install --upgrade certifi --force
apt install --reinstall openssl
apt install ca-certificates
update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs

I "forced" an update of my Let's Encrypt SSL.

I tried updated certs:

wget --quiet https://curl.haxx.se/ca/cacert.pem
export SSL_CERT_FILE=$HOME/cacert.pem

Nothing in my Python code requires import ssl

What else can I try?


Diagnostic output:

dpkg -l | grep cert returns

ca-certificates    20210119~20.04.2    all    Common CA certificates
certbot    0.40.0-1ubuntu0.1    all    automatically configure HTTPS using Let's Encrypt
dirmngr    2.2.19-3ubuntu2.1    amd64    GNU privacy guard - network certificate management service
python-certbot-apache    0.36.0-1    all    transitional dummy package
python3-certbot    0.40.0-1ubuntu0.1    all   main library for certbot
python3-certbot-apache   0.39.0-1    all    Apache plugin for Certbot
python3-certifi    2019.11.28-1    all    root certificates for validating SSL certs and verifying TLS hosts (python3)
ssl-cert    1.0.39    all    simple debconf wrapper for OpenSSL

dpkg -l | grep openssl returns

libxmlsec1-openssl:amd64    1.2.28-2    amd64        Openssl engine for the XML security library
openssl    1.1.1f-1ubuntu2.12    amd64        Secure Sockets Layer toolkit - cryptographic utility
perl-openssl-defaults:amd64    4    amd64        version compatibility baseline for Perl OpenSSL packages
python3-openssl    19.0.0-1build1    all          Python 3 wrapper around the OpenSSL library

whereis openssl returns

openssl: /usr/bin/openssl /usr/local/bin/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz

which openssl /usr/bin/openssl returns

/usr/local/bin/openssl
/usr/bin/openssl

ldd $(which wget) returns

linux-vdso.so.1 (0x00007ffd9f10f000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007efdb3e3d000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007efdb3e34000)
libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007efdb3e12000)
libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007efdb3d7a000)
libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007efdb3a8e000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007efdb3a72000)
libpsl.so.5 => /lib/x86_64-linux-gnu/libpsl.so.5 (0x00007efdb3a5d000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efdb386b000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007efdb3848000)
/lib64/ld-linux-x86-64.so.2 (0x00007efdb3f6b000)
libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007efdb36c6000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007efdb36c0000)

dpkg -l | grep python3-certifi returns

python3-certifi    2019.11.28-1    all  root certificates for validating SSL certs and verifying TLS hosts (python3)

Traceback:

Request Method: POST
Request URL: https://example.com/contact/contact/contact/

Django Version: 4.0.3
Python Version: 3.8.10
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'contactform.apps.ContactformConfig',
 'encrypted_files',
 'hcaptcha_field']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']



Traceback (most recent call last):
  File "/usr/lib/python3.8/urllib/request.py", line 1354, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3.8/http/client.py", line 1256, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.8/http/client.py", line 1302, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.8/http/client.py", line 1251, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.8/http/client.py", line 1011, in _send_output
    self.send(msg)
  File "/usr/lib/python3.8/http/client.py", line 951, in send
    self.connect()
  File "/usr/lib/python3.8/http/client.py", line 1425, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()

During handling of the above exception ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)), another exception occurred:
  File "/usr/local/lib/python3.8/dist-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/dist-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/var/www/html/example.com/public_html/contact/contactform/views.py", line 26, in contact
    if form.is_valid():
  File "/usr/local/lib/python3.8/dist-packages/django/forms/forms.py", line 205, in is_valid
    return self.is_bound and not self.errors
  File "/usr/local/lib/python3.8/dist-packages/django/forms/forms.py", line 200, in errors
    self.full_clean()
  File "/usr/local/lib/python3.8/dist-packages/django/forms/forms.py", line 433, in full_clean
    self._clean_fields()
  File "/usr/local/lib/python3.8/dist-packages/django/forms/forms.py", line 445, in _clean_fields
    value = field.clean(value)
  File "/usr/local/lib/python3.8/dist-packages/django/forms/fields.py", line 199, in clean
    self.validate(value)
  File "/usr/local/lib/python3.8/dist-packages/hcaptcha_field/fields.py", line 129, in validate
    response = opener.open(request, timeout=hcaptcha_settings.TIMEOUT)
  File "/usr/lib/python3.8/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/usr/lib/python3.8/urllib/request.py", line 542, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 1397, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/lib/python3.8/urllib/request.py", line 1357, in do_open
    raise URLError(err)

Exception Type: URLError at /contact/contact/
Exception Value: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>

fields.py of hcaptcha_field from https://github.com/tiesjan/django-hcaptcha-field

import json
import logging
import ssl # added #############
import certifi # added #############
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import build_opener, Request, ProxyHandler

from django import forms
from django.core.exceptions import ValidationError
from django.utils.translation import gettext_lazy as _

from hcaptcha_field.settings import hcaptcha_settings
from hcaptcha_field.widgets import hCaptchaWidget


LOGGER = logging.getLogger('hcaptcha_field')


DATA_ATTRIBUTE_CONFIG = frozenset([
    'theme',
    'size',
    'tabindex',
    'callback',
    'expired-callback',
    'chalexpired-callback',
    'open-callback',
    'close-callback',
    'error-callback',
])


QUERY_PARAMETER_CONFIG = frozenset([
    'onload',
    'render',
    'hl',
    'recaptchacompat'
])


class hCaptchaField(forms.Field):
    widget = hCaptchaWidget
    default_error_messages = {
        'error_hcaptcha': _(
            # Translators: Error shown when an internal server error occurred.
            'Something went wrong while verifying the hCaptcha. '
            'Please try again.'
        ),
        'invalid_hcaptcha': _(
            # Translators: Error shown when visitor did not pass the hCaptcha check.
            'hCaptcha could not be verified.'
        ),
        'required': _(
            # Translators: Error shown when visitor forgot to fill in the hCaptcha.
            'Please prove you are human.'
        ),
    }

    def __init__(self, sitekey=None, **kwargs):
        """
        Initializer for `hCaptchaField` class. It determines data attributes
        for the widget class and constructs a widget if none is given. This
        constructed widget receives the URL of the JavaScript resource for the
        hCaptcha integration and the `sitekey` of the site to protect.
        """
        # Retrieve settings
        DEFAULT_CONFIG = hcaptcha_settings.DEFAULT_CONFIG
        JS_API_URL = hcaptcha_settings.JS_API_URL
        SITEKEY = hcaptcha_settings.SITEKEY

        # Determine widget data attributes
        self.widget_data_attrs = {}
        for setting in DATA_ATTRIBUTE_CONFIG:
            if setting in kwargs:
                self.widget_data_attrs[setting] = kwargs.pop(setting)
            elif setting in DEFAULT_CONFIG:
                self.widget_data_attrs[setting] = DEFAULT_CONFIG[setting]

        # If the `widget` argument is not given, instantiate `self.widget` with
        # the hCaptcha API url and the sitekey
        if 'widget' not in kwargs:
            # Determine hCaptcha API url
            query_params = {}
            for setting in QUERY_PARAMETER_CONFIG:
                if setting in kwargs:
                    query_params[setting] = kwargs.pop(setting)
                elif setting in DEFAULT_CONFIG:
                    query_params[setting] = DEFAULT_CONFIG[setting]
            if query_params:
                js_api_url = '%s?%s' % (JS_API_URL, urlencode(query_params))
            else:
                js_api_url = JS_API_URL

            # Determine hCaptcha sitekey
            self.sitekey = sitekey or SITEKEY

            # Instantiate widget
            kwargs['widget'] = self.widget(
                    js_api_url=js_api_url, sitekey=self.sitekey)

        super().__init__(**kwargs)

    def widget_attrs(self, widget):
        """
        Returns the widget attributes, including all the data attributes
        determined in the initializer.
        """
        attrs = super().widget_attrs(widget)
        for key, value in self.widget_data_attrs.items():
            attrs['data-%s' % key] = value
        return attrs

    def validate(self, value):
        """
        Validates the field by verifying the value of the hidden field
        `h-captcha-response` with their API endpoint.
        """
        super().validate(value)

        # Build request
        opener = build_opener(ProxyHandler(hcaptcha_settings.PROXIES))
        post_data = urlencode({
            'secret': hcaptcha_settings.SECRET,
            'response': value,
            'sitekey': self.sitekey,
        }).encode('utf-8')
        request = Request(hcaptcha_settings.VERIFY_URL, post_data)

        # Perform request
        try:
            context=ssl.create_default_context(cafile=certifi.where()) # added ############
            response = opener.open(request, timeout=hcaptcha_settings.TIMEOUT)
        except HTTPError:
            LOGGER.exception("Failed to verify response with hCaptcha API.")
            raise ValidationError(
                self.error_messages['error_hcaptcha'],
                code='error_hcaptcha'
            )

        # Check response
        response_data = json.loads(response.read().decode('utf-8'))
        if not response_data.get('success'):
            LOGGER.error("Failed to pass hCaptcha check: %s", response_data)
            raise ValidationError(
                self.error_messages['invalid_hcaptcha'],
                code='invalid_hcaptcha'
            )
python
  • 1 answer
  • 9660 Views
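
As an added example (not part of the original question, and not code from django-hcaptcha-field): an ssl context only influences urllib when it is attached to the opener through an HTTPSHandler, so this code builds such an opener and reports which CA locations the interpreter's OpenSSL consults. The names trust_report and build_verified_opener are hypothetical, and certifi is used only if it is installed.

```python
import os
import ssl
from urllib.request import HTTPSHandler, ProxyHandler, build_opener

try:  # certifi is third-party; treated as optional in this example
    import certifi
    CERTIFI_BUNDLE = certifi.where()
except ImportError:
    CERTIFI_BUNDLE = None


def trust_report():
    """Describe where this interpreter's OpenSSL looks for CA certificates."""
    paths = ssl.get_default_verify_paths()
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        # Compiled-in defaults of the libssl that Python actually loaded.
        "compiled_cafile": paths.openssl_cafile,
        "compiled_capath": paths.openssl_capath,
        # Resolved locations; each is None when the file/directory is missing.
        "effective_cafile": paths.cafile,
        "effective_capath": paths.capath,
        # Overrides visible to this process only.
        "env_SSL_CERT_FILE": os.environ.get(paths.openssl_cafile_env),
        "env_SSL_CERT_DIR": os.environ.get(paths.openssl_capath_env),
        "certifi_bundle": CERTIFI_BUNDLE,
    }


def build_verified_opener(cafile=None, proxies=None):
    """Return (opener, context) with the context attached to the opener.

    cafile=None trusts the system store; a path trusts only that bundle.
    A missing cafile raises instead of falling back silently.
    """
    context = ssl.create_default_context(cafile=cafile)
    # create_default_context() enables both checks; fail loudly if a later
    # edit ever weakens them.
    if context.verify_mode != ssl.CERT_REQUIRED or not context.check_hostname:
        raise RuntimeError("TLS verification is not fully enabled")
    # Passing the handler instance replaces urllib's default HTTPSHandler,
    # so every https:// request made by this opener uses `context`.
    opener = build_opener(ProxyHandler(proxies), HTTPSHandler(context=context))
    return opener, context


if __name__ == "__main__":
    for key, value in trust_report().items():
        print(f"{key}: {value}")
    opener, _ = build_verified_opener(cafile=CERTIFI_BUNDLE, proxies={})
    print("handlers:", [type(h).__name__ for h in opener.handlers])
```

Variables exported in an interactive shell are not inherited by a process hosted under Apache, so trust_report() is most informative when called from inside the process that raises the error.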
BlueDogRanch
Asked: 2020-10-14 18:06:12 +0800 CST

Curl works, but pages in a web browser don't, with OpenLiteSpeed

  • 4

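I'm running Ubuntu 20.04.1 LTS on a Linode server with OpenLiteSpeed (openlitespeed.org).

I'm getting timeouts in the browser for the two OpenLiteSpeed admin and config pages, example.com:8088 and example.com:7080.

But when logged in via SSH, running curl 127.0.0.1 gives me the text of the index.html file in the root, and curl http://localhost:8088 gives me an HTML dump of the OpenLiteSpeed admin page.

From another host, running curl 123.45.67.123 works.

Going directly to the site/server IP 123.45.67.123 works.

From another host, running curl example doesn't return anything.

Going to example.com in a browser works and shows me the index.html page.

Pinging example.com works.

But I can't connect to example.com:8088 or example.com:7080 in a browser.

Apache is running, but I haven't yet configured OpenLiteSpeed to use port 80, because I can't get to the admin page.

ufw status shows: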

65500                ALLOW        Anywhere                 
443                    ALLOW        Anywhere                 
443/tcp                ALLOW        Anywhere                 
7080/tcp            ALLOW        Anywhere                 
8088/tcp            ALLOW        Anywhere                 
OpenSSH        ALLOW        Anywhere                 
80/tcp                ALLOW        Anywhere                 
65500 (v6)        ALLOW        Anywhere (v6)            
443 (v6)            ALLOW        Anywhere (v6)            
443/tcp (v6)        ALLOW        Anywhere (v6)            
7080/tcp (v6)    ALLOW        Anywhere (v6)            
8088/tcp (v6)    ALLOW        Anywhere (v6)            
OpenSSH (v6)    ALLOW        Anywhere (v6)            
80/tcp (v6)        ALLOW        Anywhere (v6)

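Disabling ufw completely has no effect on the problem.

Any ideas?


Edit, October 25, 2020:

[image]


Edit, October 26, 2020

This worked on my local Mac, with port 7080 denied in ufw on the server, and opened the OLS admin page: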

ssh -L 7080:123.45.67.123:7080 [email protected]

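Important: I'm using CloudFlare, and that was part of the problem. CloudFlare blocks port 7080 (as well as other ports; see https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy). So, in order to use the localhost tunnel as in Carles Mateo's answer, you need to change OpenLiteSpeed's admin port to a port CloudFlare allows (like 8443) in /usr/local/lsws/admin/conf/admin_config.conf, then restart OpenLiteSpeed. Also disable any SSL at CloudFlare, at least until you have configured SSL that doesn't throw security errors.

Overall, my solution for protecting the OpenLiteSpeed admin page from script kiddies and the like while using CloudFlare is to change to and use port 8443 to configure the OLS settings, then change the port back via SSH to 7080, which is blocked by default by CloudFlare.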

networking ssh ufw
  • 2 answers
  • 6487 Views
BlueDogRanch
Asked: 2020-01-05 10:09:31 +0800 CST

How to confirm that IP ranges are blocked in iptables?

  • 1

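On Ubuntu 19, I'm using this script: GitHub - Block countries using iptables + ipset + ipdeny.com.

I've installed it, and for testing I've configured it to fetch two IP lists, and when I run it from the shell, I get entries in /var/log/ipset-country.log.

When I try to list the blocked IP ranges using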

iptables -L INPUT -v -n

I see

Chain INPUT (policy DROP 59 packets, 2873 bytes)
pkts bytes target     prot opt in     out     source               destination         
407K  137M ufw-before-logging-input  all  --  *   *    0.0.0.0/0            0.0.0.0/0           
407K  137M ufw-before-input  all  --  *      *    0.0.0.0/0            0.0.0.0/0           
33086 1783K ufw-after-input  all  --  *      *    0.0.0.0/0            0.0.0.0/0           
32577 1759K ufw-after-logging-input  all  --  *    *    0.0.0.0/0            0.0.0.0/0           
32577 1759K ufw-reject-input  all  --  *      *     0.0.0.0/0            0.0.0.0/0           
0     0 LOGIPS     tcp  --  *    *   0.0.0.0/0   0.0.0.0/0   match-set ipv4-falkland_islands src
0     0 LOGIPS     tcp  --  *    *   0.0.0.0/0   0.0.0.0/0   match-set ipv4-ethiopia src
32577 1759K ufw-track-input  all  --  *    *     0.0.0.0/0            0.0.0.0/0 

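That doesn't seem to show the IP ranges for the two ipv4 IP sets; instead, I see 0.0.0.0/0.

How can I determine whether the two IP lists were imported correctly?

How can I list the IP ranges that are currently blocked?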

networking iptables firewall ufw 19.10
  • 2 answers
  • 1526 Views
BlueDogRanch
Asked: 2019-08-15 07:48:58 +0800 CST

Using scp between two machines with the same PEM key

  • 0

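I'm trying to use scp to copy a directory between machines. I'm logged in as ubuntu to the destination box, 10.10.10.98. (The IPs are not real.) I want to copy the theme directory my-theme from the other box, 10.10.10.99. I can log in to 10.10.10.99 as ubuntu OK in another terminal (OS X) window. Devops set up the same AWS PEM key for both boxes.

But when I run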

scp -r [email protected]:/var/www/html/prod/wp-content/themes/my-theme /var/www/html/wp-content/themes/my-theme

it hangs, with no error or progress. Do I need to specify the pem key? Any ideas?

server ssh aws scp
  • 2 answers
  • 53 Views
BlueDogRanch
Asked: 2019-07-18 09:25:44 +0800 CST

Using chown -R while excluding one or two files

  • 4

How can I use chown -R but exclude one or two files?

I need to periodically run

sudo chown -R www-data:www-data *

and

sudo chown -R ubuntu:ubuntu *

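But I want to exclude one or two files from these commands, so that the permissions of those excluded files aren't changed.

How can I exclude file1.php, or both file2.txt and file3.php?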

command-line chown
  • 1 answer
  • 920 Views
BlueDogRanch
Asked: 2018-09-17 09:27:14 +0800 CST

Files/folders with group owner www-data and SFTP as a different user

  • 1

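There are a lot of similar questions here, and I've followed several answers trying to solve this, but with no luck.

I'm using Ubuntu 14.04.5 LTS on an EC2 instance at AWS. I'm using WordPress in /var/www/html/folder. I'm logged in as user ubuntu on both SSH and SFTP.

All files and folders in /var/www/html/folder have group owner ubuntu, and I need to change all of these to WordPress's apache user, www-data.

First, I added the ubuntu user to www-data: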

sudo usermod -a -G www-data ubuntu

I logged out and back in, so using getent group shows www-data:x:33:ubuntu

Then, I changed all files/folders in /var/www/html/folder from the default ubuntu to the www-data group and owner

sudo chown -R www-data /var/www/html/folder/

sudo chgrp -R www-data /var/www/html/folder/

sudo chmod -R g+s /var/www/html/folder/

and enabled all new files/folders to be in www-data

sudo chmod 2750 /var/www/html/folder/

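WordPress can now read/write, so I can add plugins and media from WP admin. I can edit files over SSH as ubuntu using nano.

The problem is that I still can't upload, delete, or edit files/folders using SFTP as the ubuntu user.

What do I need to do?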

permissions ssh apache2 sftp
  • 1 answer
  • 7714 Views
