SSLCertVerificationError with self-signed certificates

[mrtnbrst]

Checklist

• [X] I added a descriptive title
• [X] I searched open reports and couldn't find a duplicate

What happened?

The error shows when conda-lock is used in combination with self-signed certificates. The error originates from the requests library, as described in https://github.com/psf/requests/pull/6074. As of this moment, request does not want to provide a way to globally disable ssl verification anymore. A possible solution would be handling it like Poetry by adding a configuration for disabling the verification (https://github.com/python-poetry/poetry/issues/1556) and pass the verify=False keyword.

The "setting" verify=False would also need to be passed down to the ensureconda package it seems.

conda-lock -f .\environment.yml

Traceback (most recent call last): File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\connectionpool.py", line 711, in urlopen self._prepare_proxy(conn) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\connectionpool.py", line 1007, in _prepare_proxy conn.connect() File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\connection.py", line 419, in connect self.sock = ssl_wrapsocket( File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\util\ssl.py", line 449, in ssl_wrap_socket ssl_sock = _ssl_wrap_socketimpl( File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\util\ssl.py", line 493, in _ssl_wrap_socket_impl return ssl_context.wrap_socket(sock, server_hostname=server_hostname) File "c:\program files (x86)\python\lib\ssl.py", line 500, in wrap_socket return self.sslsocket_class._create( File "c:\program files (x86)\python\lib\ssl.py", line 1040, in _create self.do_handshake() File "c:\program files (x86)\python\lib\ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\adapters.py", line 486, in send resp = conn.urlopen( File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\connectionpool.py", line 798, in urlopen retries = retries.increment( File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\util\retry.py", line 592, in increment raise MaxRetryError(_pool, url, error or ResponseError(cause)) urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.anaconda.org', port=443): Max retries exceeded with url: /package/anaconda/conda-standalone/files (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last): File "c:\program files (x86)\python\lib\runpy.py", line 194, in _run_module_as_main return _run_code(code, main_globals, None, File "c:\program files (x86)\python\lib\runpy.py", line 87, in _run_code exec(code, run_globals) File "c:\users\borstm.local\bin\conda-lock.exe__main.py", line 7, in File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 1157, in call return self.main(*args, kwargs) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 1078, in main rv = self.invoke(ctx) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 1688, in invoke return _process_result(sub_ctx.command.invoke(sub_ctx)) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 1434, in invoke return ctx.invoke(self.callback, ctx.params) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 783, in invoke return callback(*args, *kwargs) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\decorators.py", line 33, in new_func return f(get_current_context(), args, kwargs) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\conda_lock.py", line 1380, in lock lock_func( File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\conda_lock.py", line 1085, in run_lock _conda_exe = determine_conda_executable( File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\invoke_conda.py", line 56, in determine_conda_executable for candidate in _determine_conda_executable(conda_executable, mamba, micromamba): File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\invoke_conda.py", line 50, in _determine_conda_executable yield _ensureconda(mamba=mamba, micromamba=micromamba, conda=True, conda_exe=True) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\invoke_conda.py", line 30, in _ensureconda _conda_exe = ensureconda( File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\ensureconda\api.py", line 116, in ensureconda maybe_exe = install_conda_exe() File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\ensureconda\installer.py", line 57, in install_conda_exe resp = request_url_with_retry(url) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\ensureconda\installer.py", line 25, in request_url_with_retry resp = requests.get(url, allow_redirects=True) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\api.py", line 73, in get return request("get", url, params=params, kwargs) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\api.py", line 59, in request return session.request(method=method, url=url, kwargs) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\sessions.py", line 589, in request resp = self.send(prep, send_kwargs) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\sessions.py", line 703, in send r = adapter.send(request, **kwargs) File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\adapters.py", line 517, in send raise SSLError(e, request=request) requests.exceptions.SSLError: HTTPSConnectionPool(host='api.anaconda.org', port=443): Max retries exceeded with url: /package/anaconda/conda-standalone/files (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

Conda Info

No response

Conda Config

ssl_verify: False
proxy_servers:
  http: http://xxxxxx:8080
  https: http://xxxxxx:8080
channels:
  - defaults
show_channel_urls: True

Conda list

No response

Additional Context

No response

[maresb]

I don't like the idea of being able to disable TLS verification within config since disabling TLS should be an active action.

Perhaps we could add a CLI flag like --insecure-skip-tls-verify? Would you be interested in opening a PR for this?

[mrtnbrst]

I'll try to do the required PR for the ensureconda package and then come back here afterwards.

BR Martin

[mrtnbrst]

I didn't manage to get it to work with certificates. It works from the home office which is good enough for now.