curl -sSf https://rye.astral.sh/get | bash
# Pick `uv`, `Run a Python installed and managed by Rye', `default cython 3.12`, `yes add to .profile`
source .profile
python3
import urllib.request
urllib.request.open("https://google.com")
This works fine with the system Python 3.6. I did some debugging and I think it's because Rye uses its own OpenSSL which doesn't know where to find the certificates. I assume Red Hat (this is on RHEL) bakes the path into its OpenSSL.
Fixed with export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt but it would be good to not have to do that.
I previously looked up how Go does this and it's basically a hard-coded list (quality work there Linux guys). Maybe Rye could do the same so it's hassle-free? Basically look through all those directories to find one that exists, and then export SSL_CERT_FILE/DIR as appropriate (or even better write some OpenSSL config file to tell it a default to use; not sure if that is possible though).
(Also I realise /etc/ssl/certs/ca-bundle.crt isn't even on the list that Go uses. I have no idea what is going on there; I didn't set up this system.)
Expected Result
It works.
Actual Result
>>> import urllib.request
>>> urllib.request.urlopen("https://google.com")
Traceback (most recent call last):
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 1344, in do_open
h.request(req.get_method(), req.selector, req.data, headers,
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1336, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1382, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1331, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1091, in _send_output
self.send(msg)
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1035, in send
self.connect()
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1477, in connect
self.sock = self._context.wrap_socket(self.sock,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/ssl.py", line 455, in wrap_socket
return self.sslsocket_class._create(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/ssl.py", line 1042, in _create
self.do_handshake()
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/ssl.py", line 1320, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 215, in urlopen
return opener.open(url, data, timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 515, in open
response = self._open(req, data)
^^^^^^^^^^^^^^^^^^^^^
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 532, in _open
result = self._call_chain(self.handle_open, protocol, protocol +
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 492, in _call_chain
result = func(*args)
^^^^^^^^^^^
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 1392, in https_open
return self.do_open(http.client.HTTPSConnection, req,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 1347, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)>
Steps to Reproduce
This works fine with the system Python 3.6. I did some debugging and I think it's because Rye uses its own OpenSSL which doesn't know where to find the certificates. I assume Red Hat (this is on RHEL) bakes the path into its OpenSSL.
Fixed with
export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
but it would be good to not have to do that.I previously looked up how Go does this and it's basically a hard-coded list (quality work there Linux guys). Maybe Rye could do the same so it's hassle-free? Basically look through all those directories to find one that exists, and then
export SSL_CERT_FILE/DIR
as appropriate (or even better write some OpenSSL config file to tell it a default to use; not sure if that is possible though).(Also I realise
/etc/ssl/certs/ca-bundle.crt
isn't even on the list that Go uses. I have no idea what is going on there; I didn't set up this system.)Expected Result
It works.
Actual Result
Version Info
Stacktrace
No response