RJVB / macstrop

RJVB's repository of alternative macports, with ports missing from or overriding those in the standard collection, including a set of KF5 ports.

Python SSL broken by openssl port from here #71

Closed Tatsh closed 4 years ago

Tatsh commented 4 years ago

Python (according to its ssl module) has the path set to a nonexistent path:

/opt/local/etc/openssl-1.1/cert.pem

This can be checked with the following code:

import _ssl
print(_ssl.get_default_verify_paths())

The path for me is /opt/local/etc/openssl/cert.pem (which is a symlink to curl-ca-bundle's).

This can be worked around by setting the SSL_CERT_FILE environment variable to the correct path.

From the shell (abridged):

>>> from urllib.request import urlopen
>>> urlopen('https://google.com')
Traceback (most recent call last):
...
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py", line 1319, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>

Your port should either make a symlink to curl-ca-bundle's at that location or it should install OpenSSL /etc/ files to /opt/local/etc/openssl/ as the main tree port does.

$ ls -la /opt/local/etc/openssl/cert.pem
lrwxr-xr-x 1 root admin 40 2019-09-28 04:54:00 /opt/local/etc/openssl/cert.pem -> /opt/local/share/curl/curl-ca-bundle.crt

RJVB commented 4 years ago

> Your port should either make a symlink to curl-ca-bundle's at that location or it should install OpenSSL /etc/ files to /opt/local/etc/openssl/ as the main tree port does.

Thanks for reporting! Do you have an idea if there's any reason to keep a $prefix/etc/openssl-1.1 version-specific directory?

Tatsh commented 4 years ago

I can't see one as OpenSSL is not a multi-version port.

RJVB commented 4 years ago

> I can't see one as OpenSSL is not a multi-version port.

It is in a sense as there is still an openssl-1.0 port which I think is required by some ports.

Tatsh commented 4 years ago

I am not sure if this is resolved but it looks like it is, as I only have /opt/local/etc/openssl now and without setting SSL_CERT_FILE environment variable, things still work. Closing.
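
The check discussed in this thread, written out as an added example (not code from the issue or from the port): it reports whether the CA file OpenSSL will actually use exists, and whether verification only works because SSL_CERT_FILE overrides a missing compiled-in default. The function names and the temporary-directory layout in `demo()` are constructed for illustration.

```python
import os
import ssl
import tempfile
from pathlib import Path


def check_verify_paths(paths=None, environ=None):
    """Return (effective_cafile, problems) for OpenSSL's default CA file lookup."""
    paths = paths or ssl.get_default_verify_paths()
    environ = os.environ if environ is None else environ
    problems = []
    compiled = Path(paths.openssl_cafile)
    override = environ.get(paths.openssl_cafile_env)  # normally SSL_CERT_FILE
    # When the environment variable is set it replaces the compiled-in file.
    candidate = Path(override) if override else compiled
    source = f"${paths.openssl_cafile_env}" if override else "compiled-in default"
    if candidate.is_symlink() and not candidate.exists():
        problems.append(f"{source} {candidate} is a dangling symlink to {os.readlink(candidate)}")
    elif not candidate.is_file():
        problems.append(f"{source} {candidate} does not exist")
    elif "-----BEGIN CERTIFICATE-----" not in candidate.read_text(errors="replace"):
        problems.append(f"{source} {candidate} contains no PEM certificates")
    if override and not compiled.is_file():
        problems.append(f"compiled-in default {compiled} is missing; only the override makes verification work")
    effective = str(candidate.resolve()) if candidate.is_file() else None
    return effective, problems


def demo():
    """Rebuild the layout from this issue in a temp dir (constructed sample, not a real prefix)."""
    with tempfile.TemporaryDirectory() as prefix:
        bundle = Path(prefix, "share/curl/curl-ca-bundle.crt")
        bundle.parent.mkdir(parents=True)
        bundle.write_text("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
        good = Path(prefix, "etc/openssl/cert.pem")  # symlink, as in the ls output above
        good.parent.mkdir(parents=True)
        good.symlink_to(bundle)
        # Compiled-in paths point at the version-specific directory that was never installed.
        broken = ssl.DefaultVerifyPaths(None, None, "SSL_CERT_FILE",
                                        str(Path(prefix, "etc/openssl-1.1/cert.pem")),
                                        "SSL_CERT_DIR", str(Path(prefix, "etc/openssl-1.1/certs")))
        before = check_verify_paths(broken, environ={})
        after = check_verify_paths(broken, environ={"SSL_CERT_FILE": str(good)})
        return before, after, os.path.realpath(bundle)


if __name__ == "__main__":
    print(check_verify_paths())  # inspect the interpreter this script runs under
```

An empty problem list with SSL_CERT_FILE unset is the state the last comment describes; a "compiled-in default ... is missing" entry means the workaround is still carrying the installation.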