search

astral-sh / rye

a Hassle-Free Python Experience
https://rye.astral.sh
MIT License
13.6k stars 466 forks source link

certificate verify failed: unable to get local issuer certificate #1314

Open Timmmm opened 1 month ago

Timmmm commented 1 month ago

Steps to Reproduce

curl -sSf https://rye.astral.sh/get | bash
# Pick `uv`, `Run a Python installed and managed by Rye', `default cython 3.12`, `yes add to .profile`

source .profile

python3

import urllib.request
urllib.request.open("https://google.com")

This works fine with the system Python 3.6. I did some debugging and I think it's because Rye uses its own OpenSSL which doesn't know where to find the certificates. I assume Red Hat (this is on RHEL) bakes the path into its OpenSSL.

Fixed with export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt but it would be good to not have to do that.

I previously looked up how Go does this and it's basically a hard-coded list (quality work there Linux guys). Maybe Rye could do the same so it's hassle-free? Basically look through all those directories to find one that exists, and then export SSL_CERT_FILE/DIR as appropriate (or even better write some OpenSSL config file to tell it a default to use; not sure if that is possible though).

(Also I realise /etc/ssl/certs/ca-bundle.crt isn't even on the list that Go uses. I have no idea what is going on there; I didn't set up this system.)

Expected Result

It works.

Actual Result

>>> import urllib.request
>>> urllib.request.urlopen("https://google.com")
Traceback (most recent call last):
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 1344, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1336, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1382, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1331, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1091, in _send_output
    self.send(msg)
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1035, in send
    self.connect()
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/http/client.py", line 1477, in connect
    self.sock = self._context.wrap_socket(self.sock,
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/ssl.py", line 1042, in _create
    self.do_handshake()
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/ssl.py", line 1320, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 215, in urlopen
    return opener.open(url, data, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 515, in open
    response = self._open(req, data)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 532, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 492, in _call_chain
    result = func(*args)
             ^^^^^^^^^^^
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 1392, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/me/.rye/py/cpython@3.12.4/lib/python3.12/urllib/request.py", line 1347, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)>

Version Info

rye 0.38.0
commit: 0.38.0 (3e3c8540f 2024-08-02)
platform: linux (x86_64)
self-python: cpython@3.12.4
symlink support: true
uv enabled: true

Stacktrace

No response

Turakar commented 2 weeks ago

I am running into the same issue. The workaround works for me as well. I have this issue on an enterprise linux 8.10.