Closed andy-maier closed 3 months ago
I'm also able to reproduce this behavior in a self-hosted environment.
@andy-maier I believe you can use this "temporary fix" (using the PIP_TRUSTED_HOST env variable) to bump pip and avoid this error:

```yaml
- uses: actions/setup-python@v5
  with:
    python-version: 3.5
  env:
    PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
```
Found it here https://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi
Hello @andy-maier, Thank you for creating this issue and we will look into it :)
The Python 3.4.4 Windows MSI installation is also affected and also responds to the PIP_TRUSTED_HOST
work-around. This is minimally documented at https://pip.pypa.io/en/latest/cli/pip/:
--trusted-host <hostname>
Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.
(environment variable: PIP_TRUSTED_HOST)
Presumably pypi.org has reconfigured its servers with some new web-breaking security option so that older SSL implementations can't verify its certificate? If so the "temporary" work-around may be wrongly described.
@joamag Hello João. Thank you very much for this workaround!! I can confirm that it works for us.
Hello everyone 👋, This issue seems to be related to the inability of older versions of Python and pip to verify the SSL certificate provided by PyPI servers, likely due to recent updates in PyPI's SSL setup. Notably, Python 3.5 has reached its end of life and may not be able to verify the new certificate due to compatibility issues. However, please note that this problem doesn't directly fall within the scope of the 'actions/setup-python' repository, as it's more related to Python's interaction with PyPI, not the setup process itself. A potential solution could be to upgrade to a newer version of Python. If upgrading Python isn't feasible, please consider implementing the below workaround as suggested by @joamag.

```yaml
- uses: actions/setup-python@v5
  with:
    python-version: 3.5
  env:
    PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
```
If you have any concerns feel free to ping us. Thank you for your understanding and cooperation:)
Since the point of the action is to install various versions of Python, end-of-life or not, you need to apply this workaround for the affected versions within the action itself.
I agree, but adding these environment variables effectively ignores any SSL error, including MITM certificate mismatches.
I feel like an `INSECURE_EOL_VERSION_OK: 1` (or similar) would be a better environment variable, explicitly acknowledging that EOL versions with security incompatibilities will be vulnerable to attacks, and that developers are okay with that (or have other security mitigations).
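One way to narrow the blast radius of the workaround discussed above, as an added example that is not part of this thread or of the setup-python project: set PIP_TRUSTED_HOST only on the steps that actually run pip against PyPI (not job-wide), and install dependencies from a hash-pinned requirements file with `pip install --require-hashes`, so that an artifact altered in transit fails the integrity check even though TLS verification has been turned off for those hosts. The job name, package name, version and sha256 value are placeholders; real hashes are produced with `pip hash -a sha256 <file>` on a wheel fetched with `pip download`.

```yaml
# Added example, not from the thread or from actions/setup-python.
# Trust override limited to the two steps that need it; every package
# pinned by hash so a tampered download is rejected before install.
jobs:
  test-py35:                         # placeholder job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: 3.5
        env:
          # Needed here only because the Python 3.5 toolchain cannot verify
          # PyPI's certificate. This disables TLS verification for the listed
          # hosts, so it is set on this step, not at job or workflow level.
          PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"

      - name: Install hash-pinned dependencies
        env:
          PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
        run: |
          # requirements.txt must pin every package with --hash lines, e.g.
          #   somepkg==1.2.3 \
          #     --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
          # (placeholder package and digest; generate real ones with
          #  `pip download somepkg==1.2.3` followed by `pip hash -a sha256 <wheel>`).
          # With --require-hashes, pip refuses any file whose digest does not
          # match, and refuses requirements that carry no hash at all.
          pip install --require-hashes -r requirements.txt
```

Hash pinning protects the integrity of what gets installed, not the confidentiality of the connection, and it covers only the packages listed in the requirements file; the pip upgrade that setup-python itself performs while this variable is set is outside that check.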
Thank you for your suggestions. Unfortunately, it's not feasible for us to incorporate the proposed changes directly into the setup-python action. For users operating with EOL Python versions, we kindly recommend implementing the proposed workaround within your respective workflows. For optimal security, please consider upgrading to a supported Python version.
@andy-maier👋, as the issue appears to have been resolved with the suggested workaround, we are proceeding with closing the issue and appreciate your understanding and cooperation:)
Please feel free to reach out to us in case of any other concerns.
Description:
Python 3.5 setup fails with an invalid certificate when running pip.
This started happening a few days ago. 7 days ago it still worked.
From today's run where it failed: https://github.com/zhmcclient/zhmc-ansible-modules/actions/runs/9076784995/job/24940262974
Action version:
v5
Platform:
Runner type:
Tools version:
Python 3.5
Repro steps:
To reproduce, use the setup-python action with Python 3.5.
Expected behavior:
Python 3.5 should be installed as it was 1 week ago.
Actual behavior:
See description, above.