Open blockspacer opened 4 years ago
NOTE: existing option --verify=False results in
ERROR: Manifest folder does not exist: ~/type_safe/False
Docs https://docs.conan.io/en/latest/reference/commands/creator/create.html for --verify are not very descriptive.
I propose to change --verify to --verify_manifests because --verify is usually used for disabling SSL verification in command-line tools.
NOTE: existing option --verify=False results in
--verify is related to verification of captured manifests.
I propose to change --verify to --verify_manifests because --verify is usually used for disabling SSL verification in command-line tools
This is not possible, because we would be breaking existing users. This change needs to wait for Conan 2.0 to be considered. Please @czoido take note in the redesign of the command line. However, if following the current guidelines of the Conan 2.0 redesign, this would belong to the configuration, not to the command line (the command line specifies the "what", the config specifies the "how").
I propose to add an env var similar to CONAN_REVISIONS_ENABLED=1 to disable SSL checks in uploader_downloader.py (self.verify = False).
With 1.34.0 and a self-signed certificate (corporate certs) I had to patch self._verify_ssl = False in ~/.local/lib/python3.8/site-packages/conans/client/downloaders/file_downloader.py
Is it possible to change self._verify_ssl using ~/.conan/conan.conf or command-line flags?
Have you tried setting the CONAN_CACERT_PATH environment variable or cacert_path in conan.conf? It should be set to the CA bundle containing your corporate certificate. This works in our environment where the proxy uses a custom cert for SSL.
@sourcedelica
cat /usr/local/share/ca-certificates/MY_CORP_CERT.crt >> ~/.conan/cacert.pem
sudo curl http://my_corp/pki/MY_CORP_CERT.crt | sudo openssl x509 -inform DER -outform PEM -out MY_CORP_CERT_pem.crt
cat /usr/local/share/ca-certificates/MY_CORP_CERT_pem.crt >> ~/.conan/cacert.pem
didn't work (so I had to disable SSL). Maybe it is a bug?
Note that MY_CORP_CERT.crt and MY_CORP_CERT_pem.crt are valid (without them other apps like Flatpak do not work)
Also issue related to https://github.com/conan-io/conan/issues/2460#issuecomment-364961479
I have the same issue. I replaced the contents of ~/.conan/cacert.pem with the same contents of the custom cert bundle used for the REQUESTS_CA_BUNDLE env var required for pip to install conan with a custom certificate in the first place (confirming CA BUNDLE is valid). I also tried using not only a cert bundle with updated roots, but also the server cert with the chain in the exact order (for strict SSL checking) and that didn't work either.
Disabling SSL was the only way to get it to work.
I have a similar issue.
When using a proxy by setting HTTP_PROXY and HTTPS_PROXY it is giving me the following error even if I set REQUESTS_CA_BUNDLE.
HTTPSConnectionPool(host='center.conan.io', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')))
Should I set another environment variable that points to the cert?
Which Conan version @rafariossaa ?
It would also be good to know the OS, python version and python-requests library version (with pip list)
Hello,
I am using conan 1.21.1 with proxy (proxy uses self-signed certificate) and experienced an issue while I was trying to run conan create for https://github.com/bincrafters/conan-folly (long story short: please add --verify-ssl=False as a parameter of the conan install and conan create)
NOTE: added self-signed certificate to the ~/.conan/cacert.pem file.
conan install does not currently have an option to disable the verification of the certificate. The download is performed using tools.download(). This utility has a parameter to enable/disable ssl checks.
NOTE: this doesn't work either:
including the ROOT (not a non-root ancestor) certificate in the Python requests package CA bundle, or create a new CA bundle that includes the root certificate and use the REQUESTS_CA_BUNDLE environment variable.
as in https://stackoverflow.com/a/56810796 and https://stackoverflow.com/a/46337779 and https://stackoverflow.com/a/42982144
As a temporary fix I edited /usr/local/lib/python3.6/dist-packages/conans/client/rest/uploader_downloader.py and manually changed
self.verify = False
I think a flag to disable ssl check would be a good solution in this use case. What do you think about it? Is there currently another solution to perform the download from a server with a self-signed certificate?
Related to https://github.com/conan-io/conan/issues/2460
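A structural check for the cacert.pem edits described in this thread, added here as an example (not code from Conan or from any commenter): it flags raw DER bytes concatenated into a PEM bundle and BEGIN markers that no longer start a line. The function names and sample bytes are constructed for illustration, and it assumes a PEM loader only recognises a BEGIN marker at the start of a line.

```python
import base64
import re

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"
# Assumption: a block is only recognised when BEGIN starts a line.
PEM_BLOCK = re.compile(rb"^" + BEGIN + rb"\r?\n(.*?)\r?\n" + END, re.DOTALL | re.MULTILINE)


def _check_gap(gap: bytes, offset: int) -> list:
    """Inspect bytes that lie outside every recognised PEM block."""
    found = []
    try:
        text = gap.decode("utf-8")  # comments in real bundles may be UTF-8
        binary = any(ord(c) < 32 and c not in "\t\n\r" for c in text)
    except UnicodeDecodeError:
        binary = True
    if binary:
        found.append(f"offset {offset}: binary data outside a PEM block (DER appended?)")
    if BEGIN in gap:
        found.append(f"offset {offset}: BEGIN marker mid-line or block unterminated")
    return found


def audit_bundle(data: bytes) -> dict:
    """Count well-formed certificate blocks and list structural problems."""
    findings, valid, pos = [], 0, 0
    for m in PEM_BLOCK.finditer(data):
        findings += _check_gap(data[pos:m.start()], pos)
        pos = m.end()
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            findings.append(f"offset {m.start()}: block body is not valid base64")
            continue
        if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
            findings.append(f"offset {m.start()}: decoded body is not a DER SEQUENCE")
            continue
        valid += 1
    findings += _check_gap(data[pos:], pos)
    return {"certificates": valid, "findings": findings}


# Constructed sample: placeholder bytes shaped like DER, not real certificates.
FAKE_DER = b"\x30\x82\x00\x04\x01\x02\x03\x04"
FAKE_PEM = BEGIN + b"\n" + base64.b64encode(FAKE_DER) + b"\n" + END + b"\n"
GOOD_BUNDLE = b"# corp root (constructed)\n" + FAKE_PEM + FAKE_PEM
BAD_BUNDLE = FAKE_PEM + FAKE_DER + FAKE_PEM  # raw DER appended with cat
```

To check a real bundle, pass audit_bundle the bytes of the file named by CONAN_CACERT_PATH or cacert_path; a clean result only means the file is well-formed, not that it contains the right issuer.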