astral-sh / uv

An extremely fast Python package and project manager, written in Rust.
https://docs.astral.sh/uv
Apache License 2.0
26.8k stars 778 forks

Again problems with the --native-tls flag or SSL_CERT_FILE #9243

Open andreamoro opened 3 hours ago

andreamoro commented 3 hours ago

After a small period of joy, again today I'm experiencing problems using uv pip install. Whether using --native-tls or setting SSL_CERT_FILE, both approaches result in a "Failed to fetch" error.

When it comes to the SSL_CERT_FILE, read-only permissions on the file were given. Not sure this would be making any difference at this stage.

uv versions tried: both 0.4.28 and 0.5.2.

Would someone be so kind as to provide some debugging steps?

zanieb commented 3 hours ago

Can you share verbose logs? You can also use RUST_LOG=debug to get logs from the networking stack, it'll be very verbose.

andreamoro commented 2 hours ago

DEBUG uv 0.5.2 (Homebrew 2024-11-14)
DEBUG Searching for default Python interpreter in virtual environments
DEBUG Found `cpython-3.12.1-macos-aarch64-none` at `/Users/andreamoro/.pyenv/versions/3.12.1/envs/DataAnalysis/bin/python3` (active virtual environment)
Using Python 3.12.1 environment at .pyenv/versions/3.12.1/envs/DataAnalysis
DEBUG Acquired lock for `.pyenv/versions/3.12.1/envs/DataAnalysis`
DEBUG At least one requirement is not satisfied: seaborn
DEBUG Using request timeout of 30s
DEBUG Solving with installed Python version: 3.12.1
DEBUG Solving with target Python version: >=3.12.1
DEBUG Adding direct dependency: seaborn*
DEBUG No cache entry for: https://pypi.org/simple/seaborn/
DEBUG Transient request failure for https://pypi.org/simple/seaborn/, retrying: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
DEBUG Transient request failure for https://pypi.org/simple/seaborn/, retrying: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
DEBUG Transient request failure for https://pypi.org/simple/seaborn/, retrying: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
DEBUG Transient request failure for https://pypi.org/simple/seaborn/, retrying: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
DEBUG Released lock at `/Users/andreamoro/.pyenv/versions/3.12.1/envs/DataAnalysis/.lock`
error: Failed to fetch: `https://pypi.org/simple/seaborn/`
  Caused by: Request failed after 3 retries
  Caused by: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer

andreamoro commented 2 hours ago

Or with the rust_log enabled

❯ uv pip install --native-tls seaborn --verbose
DEBUG uv 0.5.2 (Homebrew 2024-11-14)
DEBUG Searching for default Python interpreter in virtual environments
DEBUG Found `cpython-3.12.1-macos-aarch64-none` at `/Users/andreamoro/.pyenv/versions/3.12.1/envs/DataAnalysis/bin/python3` (active virtual environment)
Using Python 3.12.1 environment at .pyenv/versions/3.12.1/envs/DataAnalysis
DEBUG Acquired lock for `.pyenv/versions/3.12.1/envs/DataAnalysis`
DEBUG At least one requirement is not satisfied: seaborn
DEBUG Using request timeout of 30s
DEBUG Solving with installed Python version: 3.12.1
DEBUG Solving with target Python version: >=3.12.1
DEBUG Adding direct dependency: seaborn*
INFO add_decision: root @ 0a0.dev0 without checking dependencies
DEBUG No cache entry for: https://pypi.org/simple/seaborn/
DEBUG starting new connection: https://pypi.org/
DEBUG connecting to 151.101.192.223:443
DEBUG connected to 151.101.192.223:443
DEBUG Transient request failure for https://pypi.org/simple/seaborn/, retrying: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
WARN Retry attempt #0. Sleeping 425.833483ms before the next attempt
DEBUG starting new connection: https://pypi.org/
DEBUG connecting to 151.101.192.223:443
DEBUG connected to 151.101.192.223:443
DEBUG Transient request failure for https://pypi.org/simple/seaborn/, retrying: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
WARN Retry attempt #1. Sleeping 1.954031005s before the next attempt
DEBUG starting new connection: https://pypi.org/
DEBUG connecting to 151.101.192.223:443
DEBUG connected to 151.101.192.223:443
DEBUG Transient request failure for https://pypi.org/simple/seaborn/, retrying: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
WARN Retry attempt #2. Sleeping 1.038860859s before the next attempt
DEBUG starting new connection: https://pypi.org/
DEBUG connecting to 151.101.192.223:443
DEBUG connected to 151.101.192.223:443
DEBUG Transient request failure for https://pypi.org/simple/seaborn/, retrying: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
DEBUG Released lock at `/Users/andreamoro/.pyenv/versions/3.12.1/envs/DataAnalysis/.lock`
error: Failed to fetch: `https://pypi.org/simple/seaborn/`
  Caused by: Request failed after 3 retries
  Caused by: error sending request for url (https://pypi.org/simple/seaborn/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer

It looks like it doesn't like the certificate, but it's the same one I used the other time I was able to get it through... generated from the system settings.

zanieb commented 2 hours ago

Thanks! Yeah I'm not sure what to tell you here, it looks like the certificate is wrong — this usually has nothing to do with uv's implementation. You can get more logs with RUST_LOG=trace but I doubt it'll show anything interesting. Does the cert work with other tools?

andreamoro commented 2 hours ago

Yes it does :( But why is --native-tls not going to work anymore? That one should look at the system settings, no?

zanieb commented 2 hours ago

The behavior of that flag should not have changed, I'm assuming this stopped working without you changing your uv version? What kind of proxy are you using? Who runs it? How do you know the cert is up to date?

andreamoro commented 2 hours ago

Updated uv today after this was failing. Company is using Zscaler. Cert was verified against the Keychain file ... and just in case I made a new bundle seconds ago just to confirm this was updated, but still no joy.

In any case I validated the .pem file using the openssl x509 -in "/Documents/ZscalerCertificate.pem" -text -noout command with success.
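
Added example, not part of the thread or of uv: `openssl x509 -text -noout` shows only that a PEM file parses, while `UnknownIssuer` is about whether the bundle contains the CA that signed the certificate actually presented on the connection. The script builds two throwaway CAs offline and contrasts the two checks; all certificate names and the helper functions are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. All certificates are constructed locally; names are placeholders.
# On a real host, capture the presented chain first with:
#   openssl s_client -connect pypi.org:443 -servername pypi.org -showcerts </dev/null
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# make_ca <basename> <common name>: self-signed root CA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

# make_leaf <ca basename> <common name>: server certificate signed by that CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$workdir/leaf.key" -out "$workdir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/leaf.csr" -days 2 -CAcreateserial \
    -CA "$workdir/$1.pem" -CAkey "$workdir/$1.key" \
    -out "$workdir/leaf.pem" 2>/dev/null
}

# The bundle parses as X.509 (all that `openssl x509 -text -noout` establishes).
parses_ok() { openssl x509 -in "$1" -noout -text >/dev/null 2>&1; }

# The bundle contains the trust anchor for the presented certificate.
anchors() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK'; }

# diagnose <bundle.pem> <presented-cert.pem>
diagnose() {
  if ! parses_ok "$1"; then echo "bundle-unreadable"
  elif anchors "$1" "$2"; then echo "trusted"
  else echo "unknown-issuer (presented cert: $(openssl x509 -in "$2" -noout -issuer))"
  fi
}

# Constructed scenario: the exported bundle holds one CA, the proxy signs with another.
make_ca exported "Exported CA (constructed)"
make_ca issuing  "Issuing CA (constructed)"
make_leaf issuing "pypi.example"

diagnose "$workdir/exported.pem" "$workdir/leaf.pem"   # valid PEM, wrong anchor
diagnose "$workdir/issuing.pem"  "$workdir/leaf.pem"   # correct anchor
```

Against a live connection, pass the file given in SSL_CERT_FILE as the bundle and the leaf certificate saved from the `s_client` output as the presented certificate; the issuer printed on failure names the CA the bundle is missing.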

zanieb commented 2 hours ago

But you said this also fails on an old version of uv? What was the last working version?