Closed playgithub closed 4 months ago
Getting this also, sounds like their certificate has expired! Get #LetsEncrypt on it :laughing:
I am getting this as well 😕
Same here.
Same here. For a temporary fix ssl verification can be disabled in the remotes settings at ~/.conan/remotes.json
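An added example, not part of the original thread or of Conan's own code: because the workaround above turns certificate verification off, a check like this one finds remotes that were left unverified after the certificate problem is fixed. It assumes the Conan 1.x remotes.json layout (a top-level "remotes" list of objects with "name", "url" and "verify_ssl"); the sample data and the function names are constructed for illustration.

```python
import json
import os
import sys

# Constructed sample, following the assumed Conan 1.x remotes.json layout.
SAMPLE_REMOTES_JSON = """
{
 "remotes": [
  {"name": "conancenter", "url": "https://center.conan.io", "verify_ssl": false},
  {"name": "internal", "url": "https://conan.example.internal", "verify_ssl": true},
  {"name": "legacy", "url": "http://artifacts.example.internal/conan", "verify_ssl": true}
 ]
}
"""


def audit_remotes(text):
    """Return (remote_name, finding) pairs for remotes without verified TLS."""
    try:
        data = json.loads(text)
    except ValueError as exc:
        return [("<file>", "unparseable remotes.json: %s" % exc)]
    if not isinstance(data, dict):
        return [("<file>", "unexpected top-level JSON type")]
    findings = []
    for remote in data.get("remotes", []):
        name = remote.get("name", "<unnamed>")
        url = str(remote.get("url", ""))
        # A missing verify_ssl key is reported rather than assumed safe.
        verify = remote.get("verify_ssl")
        if not url.lower().startswith("https://"):
            findings.append((name, "not HTTPS: " + url))
        elif verify is not True:
            findings.append((name, "verify_ssl=%r" % verify))
    return findings


def audit_file(path):
    """Audit a remotes.json file on disk."""
    with open(path, encoding="utf-8") as handle:
        return audit_remotes(handle.read())


if __name__ == "__main__":
    default = os.path.expanduser("~/.conan/remotes.json")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    # Fall back to the constructed sample when no file is present.
    results = audit_file(path) if os.path.exists(path) else audit_remotes(SAMPLE_REMOTES_JSON)
    for name, finding in results:
        print("%s: %s" % (name, finding))
    sys.exit(1 if results else 0)
```

The non-zero exit status on any finding lets the check run as a CI gate.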
Hi,
This seems to be due to Let's encrypt root authority server shutdown on September 30th : (cf https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/#:~:text=From%20Sept%2030th%202021%20Let's,the%20ones%20for%20your%20website.)
I fixed it by adding their new root authority ISRG Root X1 certificate in ~/.conan/cacert.pem.
Edit: ISRG Root X1 certificate can be downloaded from Let's encrypt website : https://letsencrypt.org/certificates/
Thanks, @haroal. The pem to be appended is at: https://letsencrypt.org/certs/isrgrootx1.pem We are releasing 1.40.3 ASAP containing that root certificate.
I'll keep this open so it is more visible.
For any other previous version older than 1.40.3, the new certificate can be installed with:
$ conan config install https://github.com/conan-io/conanclientcert.git
ETA for the release 1.40.3 ?
minutes
while true; do pip3 install conan==1.40.3 && break; done
If you want your PC to tell you conan 1.40.3 is released:
WSL:
while true; do pip3 install conan==1.40.3 && powershell.exe '[console]::beep(500,10000)' && break; done
old Linux:
while true; do pip3 install conan==1.40.3 && eval 'speaker-test -Dplug:front -c2' && break; done
> For any other previous version older than 1.40.3, the new certificate can be installed with:
> $ conan config install https://github.com/conan-io/conanclientcert.git
Does this mean every version of conan older than 1.40.3 is broken now unless people take this additional manual step of installing the certificate?
Shouldn't conan rely on system installed certs in addition to their own ones?
> Shouldn't conan rely on system installed certs in addition to their own ones?
System installed ones were really problematic in some systems (OSX) and also with older Python versions (2.7), so they couldn't be used at the time, and had to be replaced to keep moving. It has been working without issues till today, but certainly this will be fixed in next releases.
> Does this mean every version of conan older than 1.40.3 is broken now unless people take this additional manual step of installing the certificate?
Yes. Many teams that already manage their configuration with conan config install (very recommended) will fix it simply by adding it to their config, no extra steps. But it doesn't seem feasible to backport to 40 previous Conan releases, that is a huge amount of work (and also requires upgrading clients)
Congrats to the release!
Successfully installed conan-1.40.3
When can we expect the release on conda?
@anders-wind We don't manage the Conan client available in Conda, but I'll take a look.
Ahh okay - thanks!
@anders-wind I just opened a PR to Conda feedstock: https://github.com/conda-forge/conan-feedstock/pull/143
UPDATE:
They have a bot, which opened a new PR too: https://github.com/conda-forge/conan-feedstock/pull/144
I'll close mine.
pip has 1.40.3 now. chocolatey is still waiting on 1.40.2 https://community.chocolatey.org/packages/conan#versionhistory
> For any other previous version older than 1.40.3, the new certificate can be installed with:
> $ conan config install https://github.com/conan-io/conanclientcert.git
I am still facing issue on docker container.
I tried upgrading conan to 1.40.3 and also tried above command for certificate
@Prasaddiwalkar please post here the command you run and the error traces to see if we can guess something.
> @Prasaddiwalkar please post here the command you run and the error traces to see if we can guess something.
conan@9a54bf478845:~$ conan --version
Conan version 1.40.3
conan remote list
conancenter: https://center.conan.io [Verify SSL: True]
conan install zlib/1.2.11@
Configuration:
[settings]
arch=x86_64
arch_build=x86_64
build_type=Release
compiler=gcc
compiler.libcxx=libstdc++
compiler.version=4.8
os=Linux
os_build=Linux
[options]
[build_requires]
[env]
zlib/1.2.11: Not found in local cache, looking in remotes...
zlib/1.2.11: Trying with 'conancenter'...
ERROR: HTTPSConnectionPool(host='center.conan.io', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:847)'),))
Unable to connect to conancenter=https://center.conan.io
1. Make sure the remote is reachable or,
2. Disable it by using conan remote disable,
Then try again.
Shooting in the dark here but could it be your version of OpenSSL?
What Python and OpenSSL versions are you running?
Apparently old OpenSSL versions will cause headaches: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
> Shooting in the dark here but could it be your version of OpenSSL?
> What Python and OpenSSL versions are you running?
> Apparently old OpenSSL versions will cause headaches: https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
conan@9a54bf478845:~$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
conan@9a54bf478845:~$ python --version
Python 3.6.7
> @Prasaddiwalkar please post here the command you run and the error traces to see if we can guess something.
conan@9a54bf478845:~$ conan --version
Conan version 1.40.3
conan remote list
conancenter: https://center.conan.io [Verify SSL: True]
conan install zlib/1.2.11@
Configuration:
[settings]
arch=x86_64
arch_build=x86_64
build_type=Release
compiler=gcc
compiler.libcxx=libstdc++
compiler.version=4.8
os=Linux
os_build=Linux
[options]
[build_requires]
[env]
zlib/1.2.11: Not found in local cache, looking in remotes...
zlib/1.2.11: Trying with 'conancenter'...
ERROR: HTTPSConnectionPool(host='center.conan.io', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:847)'),))
Unable to connect to conancenter=https://center.conan.io
1. Make sure the remote is reachable or,
2. Disable it by using conan remote disable,
Then try again.
@lasote can you please help. My entire pipeline is stuck
> conan@9a54bf478845:~$ openssl version
> OpenSSL 1.0.1f 6 Jan 2014
That one is too old - has no security patches and won't work with new Let's Encrypt certificates. Consider upgrading.
> > conan@9a54bf478845:~$ openssl version
> > OpenSSL 1.0.1f 6 Jan 2014
> That one is too old - has no security patches and won't work with new Let's Encrypt certificates. Consider upgrading.
It was working till yesterday
Thanks for the quick patch. If a user's still having problems with their LetsEncrypt certs even when using Conan 1.40.3 or newer and OpenSSL 1.0.2 or newer, they could try renewing their LetsEncrypt cert as well. In my case the LetsEncrypt cert expiring end of October still had the old CA and wouldn't work.
> When can we expect the release on conda?
I see that the dependencies were changed in Conan 1.40. This is solved with conda-forge/conan-feedstock#146
@anders-wind, @uilianries
For your information, a homebrew formula is just merged.
Something is still wrong with the deb distribution:
root@ci:~# dpkg -i conan-ubuntu-64.deb
Selecting previously unselected package conan.
(Reading database ... 117219 files and directories currently installed.)
Preparing to unpack conan-ubuntu-64.deb ...
Unpacking conan (1.40.3) ...
Setting up conan (1.40.3) ...
root@ci:~# conan --version
Conan version 1.40.3
root@ci:~# conan search -r=conancenter jsoncpp/*
ERROR: HTTPSConnectionPool(host='center.conan.io', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
Unable to connect to conancenter=https://center.conan.io
1. Make sure the remote is reachable or,
2. Disable it by using conan remote disable,
Then try again.
I also tried to install manually the certificates:
root@ci:~# conan config install https://github.com/conan-io/conanclientcert.git
Trying to clone repo: https://github.com/conan-io/conanclientcert.git
Repo cloned!
Copying file LICENSE to /root/.conan/.
Copying file cacert.pem to /root/.conan/.
root@ci:~# conan search -r=conancenter jsoncpp/*
ERROR: HTTPSConnectionPool(host='center.conan.io', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
Unable to connect to conancenter=https://center.conan.io
1. Make sure the remote is reachable or,
2. Disable it by using conan remote disable,
Then try again.
Can anybody take a look? Our pipelines are stuck.
@bbossola thanks for reporting. Verified and created a new issue specifically to track this: https://github.com/conan-io/conan/issues/9714
> @Prasaddiwalkar please post here the command you run and the error traces to see if we can guess something.
@lasote I am using conanio/gcc48 docker image for build.
> @Prasaddiwalkar please post here the command you run and the error traces to see if we can guess something.
conan@9a54bf478845:~$ conan --version
Conan version 1.40.3
conan remote list
conancenter: https://center.conan.io [Verify SSL: True]
conan install zlib/1.2.11@
Configuration:
[settings]
arch=x86_64
arch_build=x86_64
build_type=Release
compiler=gcc
compiler.libcxx=libstdc++
compiler.version=4.8
os=Linux
os_build=Linux
[options]
[build_requires]
[env]
zlib/1.2.11: Not found in local cache, looking in remotes...
zlib/1.2.11: Trying with 'conancenter'...
ERROR: HTTPSConnectionPool(host='center.conan.io', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:847)'),))
Unable to connect to conancenter=https://center.conan.io
1. Make sure the remote is reachable or,
2. Disable it by using conan remote disable,
Then try again.
@lasote @memsharded can you please help. My entire pipeline is stuck
As I said our pipelines are stuck. I tried all the solutions you have mentioned above.
To install conan I am using pip install conan
@SSE4 or @uilianries could you verify the case of @Prasaddiwalkar? It seems that the docker image of gcc48 would simply have a very old system openssl that no longer works?
> @SSE4 or @uilianries could you verify the case of @Prasaddiwalkar? It seems that the docker image of gcc48 would simply have a very old system openssl that no longer works?
@SSE4 or @uilianries Our entire pipeline is stuck since 3 days, no one is able to commit their changes to gitlab without build success. Please make it working asap
I'm investigating the broken conan debian installer and found something that can be useful, it is kind of a trick but it works, @uilianries @SSE4:
rm /etc/ssl/certs/DST_Root_CA_X3.pem
> I'm investigating the broken conan debian installer and found something that can be useful, it is kind of a trick but it works, @uilianries @SSE4:
> rm /etc/ssl/certs/DST_Root_CA_X3.pem
conan@7b9013285cdb:~$ ls -ltr /etc/ssl/certs/DST_Root_CA_X3.pem
lrwxrwxrwx 1 root root 53 Dec 17 2019 /etc/ssl/certs/DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
conan@7b9013285cdb:~$ rm /etc/ssl/certs/DST_Root_CA_X3.pem
rm: cannot remove '/etc/ssl/certs/DST_Root_CA_X3.pem': Permission denied
conan@7b9013285cdb:~$ sudo rm /etc/ssl/certs/DST_Root_CA_X3.pem
conan@7b9013285cdb:~$ ls -ltr /etc/ssl/certs/DST_Root_CA_X3.pem
ls: cannot access /etc/ssl/certs/DST_Root_CA_X3.pem: No such file or directory
conan@7b9013285cdb:~$ conan --version
WARN: Migration: This conan installation doesn't have settings yet
WARN: Nothing to migrate here, settings will be generated automatically
Removing the 'cacert.pem' file...
Conan version 1.40.3
conan@7b9013285cdb:~$ conan install zlib/1.2.11@
Auto detecting your dev setup to initialize the default profile (/home/conan/.conan/profiles/default)
CC and CXX: /usr/bin/gcc, /usr/bin/g++
Found gcc 4.8
Default settings
os=Linux
os_build=Linux
arch=x86_64
arch_build=x86_64
compiler=gcc
compiler.version=4.8
compiler.libcxx=libstdc++
build_type=Release
*** You can change them in /home/conan/.conan/profiles/default ***
*** Or override with -s compiler='other' -s ...s***
Configuration:
[settings]
arch=x86_64
arch_build=x86_64
build_type=Release
compiler=gcc
compiler.libcxx=libstdc++
compiler.version=4.8
os=Linux
os_build=Linux
[options]
[build_requires]
[env]
zlib/1.2.11: Not found in local cache, looking in remotes...
zlib/1.2.11: Trying with 'conan-center'...
zlib/1.2.11: WARN: Remote https://conan.bintray.com is deprecated and will be shut down soon.
zlib/1.2.11: WARN: Please use the new 'conancenter' default remote.
zlib/1.2.11: WARN: Add it to your remotes with: conan remote add -i 0 conancenter https://center.conan.io
ERROR: HTTPSConnectionPool(host='conan.bintray.com', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:847)'),))
Unable to connect to conan-center=https://conan.bintray.com
1. Make sure the remote is reachable or,
2. Disable it by using conan remote disable,
Then try again.
conan@7b9013285cdb:~$ conan config install https://github.com/conan-io/conanclientcert.git
Trying to clone repo: https://github.com/conan-io/conanclientcert.git
Repo cloned!
Copying file cacert.pem to /home/conan/.conan/.
Copying file LICENSE to /home/conan/.conan/.
conan@7b9013285cdb:~$ conan install zlib/1.2.11@
Configuration:
[settings]
arch=x86_64
arch_build=x86_64
build_type=Release
compiler=gcc
compiler.libcxx=libstdc++
compiler.version=4.8
os=Linux
os_build=Linux
[options]
[build_requires]
[env]
zlib/1.2.11: Not found in local cache, looking in remotes...
zlib/1.2.11: Trying with 'conan-center'...
zlib/1.2.11: WARN: Remote https://conan.bintray.com is deprecated and will be shut down soon.
zlib/1.2.11: WARN: Please use the new 'conancenter' default remote.
zlib/1.2.11: WARN: Add it to your remotes with: conan remote add -i 0 conancenter https://center.conan.io
ERROR: HTTPSConnectionPool(host='conan.bintray.com', port=443): Max retries exceeded with url: /v1/ping (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:847)'),))
Unable to connect to conan-center=https://conan.bintray.com
1. Make sure the remote is reachable or,
2. Disable it by using conan remote disable,
Then try again.
@Prasaddiwalkar You are using conanio/gcc48. That docker image has been deprecated some time ago, check https://github.com/conan-io/conan-docker-tools and also the note:
Warning: The images listed below are intended for generating open-source library packages and we cannot guarantee any kind of stability. We strongly recommend using your own generated images for production environments taking the dockerfiles in this repository as a reference.
It is normal that a non-production deprecated image, containing a completely unsecure openssl version from 2014 no longer works in 2021.
I found a possible solution, build OpenSSL 1.1.1l from sources, then build python. I'll provide a new Docker image for 4.8 and 4.9. I know they are deprecated, but still they are in a useless state right now.
@Prasaddiwalkar a new Docker image should be available in a few minutes.
If anyone is having problems with the deb package certificates, we have just released Conan 1.40.4 that should fix those problems. Please report if the problem persists.
> If anyone is having problems with the deb package certificates, we have just released Conan 1.40.4 that should fix those problems. Please report if the problem persists.
I just updated to 1.40.4 and got the same HTTPSConnectionPool error. Was there a regression in the fix? I resolved the issue by running conan config with the repo @memsharded linked above.
@kenfred you updated to 1.40.4 from which version? Was there a warning message, or anything in the output about migration? It would be great if you could reproduce somehow that upgrade, I guess that it is not trivial...
@memsharded Unfortunately, I do not know. I fired up WSL and received the error and assumed the conan update would fix it, as it did on the Windows side. I'm guessing I was somewhere around v1.33, but can't be sure. Below I pasted the upgrade log from pip, if that will tell you anything.
Nop, the pip install does nothing related to the cacert update. The important bit is the first Conan invocation that calls the migrations procedure.
> Nop, the pip install does nothing related to the cacert update. The important bit is the first Conan invocation that calls the migrations procedure.
Ah there is the clue we needed:
WARN: Migration: Updating settings.yml
WARN: ****
WARN: settings.yml is locally modified, can't be updated
WARN: The new settings.yml has been stored in: /home/kfrederickson/.conan/settings.yml.new
WARN: ****
WARN: ****
WARN: 'cacert.pem' is locally modified, can't be updated
WARN: The new 'cacert.pem' has been stored in: /home/kfrederickson/.conan/cacert.pem.new
WARN: ****
If I had noticed that warning, I would have known cacert.pem was not updated. However, I have never modified it, so I'm surprised conan thinks I did and bailed on the replacement.
That is unexpected, yes. If you can forward us the 2 files (cacert.pem.new) and the previous cacert.pem from your cache (to info@conan.io), so we could check them, that could help.
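An added example, not part of the original thread or of Conan's own code: the migration warning above leaves a cacert.pem.new beside an unchanged cacert.pem, so a check like this one detects that state and lists which certificates the active bundle is missing. The PEM blocks below are constructed stand-ins (armor around arbitrary bytes, not real certificates) and all function names are hypothetical.

```python
import base64
import hashlib
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(bundle_text):
    """Map the SHA-256 of each decoded PEM block to its 1-based position."""
    found = {}
    for position, match in enumerate(PEM_BLOCK.finditer(bundle_text), start=1):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # damaged block, cannot be fingerprinted
        found.setdefault(hashlib.sha256(der).hexdigest(), position)
    return found


def compare_bundles(active_text, new_text):
    """Report which certificates differ between the active and the .new bundle."""
    active, new = fingerprints(active_text), fingerprints(new_text)
    return {
        "missing_from_active": sorted(p for f, p in new.items() if f not in active),
        "only_in_active": sorted(p for f, p in active.items() if f not in new),
    }


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as handle:
        return handle.read()


def check_conan_home(home):
    """Return None when no cacert.pem.new is present, else the comparison."""
    new_path = os.path.join(home, "cacert.pem.new")
    if not os.path.isfile(new_path):
        return None
    active_path = os.path.join(home, "cacert.pem")
    active_text = read_text(active_path) if os.path.isfile(active_path) else ""
    return compare_bundles(active_text, read_text(new_path))


def constructed_pem(payload):
    # Constructed stand-in: PEM armor around arbitrary bytes, not a real certificate.
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


OLD_ROOT = constructed_pem(b"constructed-old-root")
KEPT_ROOT = constructed_pem(b"constructed-kept-root")
NEW_ROOT = constructed_pem(b"constructed-new-root")
ACTIVE_BUNDLE = "# constructed active bundle\n" + OLD_ROOT + KEPT_ROOT
NEW_BUNDLE = KEPT_ROOT + NEW_ROOT

if __name__ == "__main__":
    result = check_conan_home(os.path.expanduser("~/.conan"))
    if result is None:
        # No pending bundle on this machine: show the constructed sample instead.
        result = compare_bundles(ACTIVE_BUNDLE, NEW_BUNDLE)
    print(result)
```

Positions in "missing_from_active" refer to the .new bundle, positions in "only_in_active" to the active one.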
Env
OS: Windows 10
conan: 1.40.2
Log
More Info
It worked well several days ago, but failed today.