conan-io / conan

Conan - The open-source C and C++ package manager
https://conan.io
MIT License
8.14k stars 970 forks

conan install https://... fails when proxy certificate is self-signed #6651

Open blockspacer opened 4 years ago

blockspacer commented 4 years ago

Hello,

I am using conan 1.21.1 with a proxy (the proxy uses a self-signed certificate) and experienced an issue while I was trying to run conan create for https://github.com/bincrafters/conan-folly.

(long story short: please add --verify-ssl=False as a parameter of the conan install and conan create)

# NOTE: --verify=False and GIT_SSL_NO_VERIFY=true 
CONAN_REVISIONS_ENABLED=1 \
    CONAN_VERBOSE_TRACEBACK=1 \
    CONAN_PRINT_RUN_COMMANDS=1 \
    CONAN_LOGGING_LEVEL=10 \
    GIT_SSL_NO_VERIFY=true \
    conan create . conan/stable -s build_type=Debug --verify=False --profile default --build missing
# NOTE: I can download that file in a browser https://github.com/google/double-conversion/archive/v3.1.4.tar.gz or via wget --no-check-certificate

requests.exceptions.SSLError: HTTPSConnectionPool(host='github.com', port=443): 
Max retries exceeded with url: 
/google/double-conversion/archive/v3.1.4.tar.gz 
(Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed (_ssl.c:852)'),))

NOTE: added self-signed certificate to the ~/.conan/cacert.pem file.

conan install does not currently have an option to disable the verification of the certificate. The download is performed using tools.download(). This utility has a parameter to enable/disable SSL checks.

def download(url, filename, verify=True, out=None, retry=2, retry_wait=5, overwrite=False,
             auth=None, headers=None)

NOTE: it doesn't work either to include the ROOT (not a non-root ancestor) certificate in the Python requests package CA bundle, or to create a new CA bundle that includes the root certificate and use the REQUESTS_CA_BUNDLE environment variable, as in https://stackoverflow.com/a/56810796 and https://stackoverflow.com/a/46337779 and https://stackoverflow.com/a/42982144

As a temporary fix I edited /usr/local/lib/python3.6/dist-packages/conans/client/rest/uploader_downloader.py and manually changed self.verify = False

I think a flag to disable the SSL check would be a good solution in this use case. What do you think about it? Is there currently another solution to perform the download from a server with a self-signed certificate?

Related to https://github.com/conan-io/conan/issues/2460

blockspacer commented 4 years ago

NOTE: existing option --verify=False results in

ERROR: Manifest folder does not exist: ~/type_safe/False

Docs https://docs.conan.io/en/latest/reference/commands/creator/create.html for --verify are not very descriptive

I propose to change --verify to --verify_manifests because --verify is usually used for disabling SSL verification in command-line tools

memsharded commented 4 years ago

> NOTE: existing option --verify=False results in

--verify is related to verification of captured manifests.

> I propose to change --verify to --verify_manifests because --verify is usually used for disabling SSL verification in command-line tools

This is not possible, because we would be breaking existing users. This change needs to wait until Conan 2.0 to be considered. Please @czoido take note in the redesign of the command line. However, if following the current guidelines of the Conan 2.0 redesign, this would belong to the configuration, not to the command line (the command line specifies the "what", the config specifies the "how").

blockspacer commented 4 years ago

I propose to add an env var similar to CONAN_REVISIONS_ENABLED=1 to disable SSL checks in uploader_downloader.py (self.verify = False)

blockspacer commented 3 years ago

With 1.34.0 and a self-signed certificate (corporate certs) I had to patch self._verify_ssl = False in ~/.local/lib/python3.8/site-packages/conans/client/downloaders/file_downloader.py

Is it possible to change self._verify_ssl using ~/.conan/conan.conf or command-line flags?

sourcedelica commented 3 years ago

Have you tried setting the CONAN_CACERT_PATH environment variable or cacert_path in conan.conf? It should be set to the CA bundle containing your corporate certificate. This works in our environment where the proxy uses a custom cert for SSL.

blockspacer commented 3 years ago

@sourcedelica

cat /usr/local/share/ca-certificates/MY_CORP_CERT.crt >> ~/.conan/cacert.pem
sudo curl http://my_corp/pki/MY_CORP_CERT.crt | sudo openssl x509 -inform DER -outform PEM -out MY_CORP_CERT_pem.crt
cat /usr/local/share/ca-certificates/MY_CORP_CERT_pem.crt >> ~/.conan/cacert.pem

didn't work (so I had to disable SSL). Maybe it is a bug?

Note that MY_CORP_CERT.crt and MY_CORP_CERT_pem.crt are valid (without them other apps like Flatpak do not work)

Also issue related to https://github.com/conan-io/conan/issues/2460#issuecomment-364961479
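
Added example, not part of any comment in this thread or of Conan's code: the commands above handle the corporate certificate both as a DER download and as an entry in a PEM bundle, so when an appended certificate is not picked up, the bundle's encoding is one thing to rule out. This sketch counts well-framed PEM entries and flags raw binary left outside them. `audit_bundle`, `to_pem` and `FAKE_DER` are hypothetical names, the sample bytes are constructed, and the check covers framing only, not trust or chain validity.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor, the form a CA bundle file expects."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

def der_is_well_framed(der: bytes) -> bool:
    """True if the bytes are one DER SEQUENCE whose length field spans them exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def audit_bundle(data: bytes) -> dict:
    """Count well-formed PEM certificate entries and flag raw binary outside them."""
    ok = bad = 0
    for match in PEM_BLOCK.finditer(data):
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError:                 # binascii.Error: damaged base64 body
            der = b""
        if der_is_well_framed(der):
            ok += 1
        else:
            bad += 1
    leftover = PEM_BLOCK.sub(b"", data)
    # Comments (even UTF-8) are fine; NUL/control bytes mean DER was appended raw.
    stray = any(b < 0x09 or 0x0D < b < 0x20 for b in leftover)
    return {"pem_ok": ok, "pem_bad": bad, "stray_binary": stray}

# Constructed stand-in for a certificate: a DER SEQUENCE of 256 zero bytes.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    print(audit_bundle(to_pem(FAKE_DER)))             # converted, then appended
    print(audit_bundle(to_pem(FAKE_DER) + FAKE_DER))  # DER appended unconverted
```

To check a real bundle, pass the file's bytes, for example `audit_bundle(open(path, "rb").read())` with `path` pointing at the CA bundle in use.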

jgallucci32 commented 3 years ago

I have the same issue. I replaced the contents of ~/.conan/cacert.pem with the same contents of the custom cert bundle used for the REQUESTS_CA_BUNDLE env var required for pip to install conan with a custom certificate in the first place (confirming the CA bundle is valid). I also tried using not only a cert bundle with updated roots, but also the server cert with the chain in the exact order (for strict SSL checking) and that didn't work either.

Disabling SSL was the only way to get it to work.

rafariossaa commented 10 months ago

I have a similar issue. When using a proxy by setting HTTP_PROXY and HTTPS_PROXY it is giving me the following error even if I set REQUESTS_CA_BUNDLE.

HTTPSConnectionPool(host='center.conan.io', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')))

Should I set another environment variable that points to the cert?

memsharded commented 10 months ago

Which Conan version, @rafariossaa? It would also be good to know the OS, Python version and python-requests library version (with pip list).