conda / constructor

tool for creating installers from conda packages
https://conda.github.io/constructor/

constructor does not respect ssl_verify set manually or in condarc #851

Open millsks opened 2 weeks ago

millsks commented 2 weeks ago

What happened?

When executing constructor, I receive SSL verify errors because of a self-signed certificate chain. This is normally taken care of by specifying the CA cert in ssl_verify or by using truststore to let it default to the CA cert stores on the server. No matter what I set the value of ssl_verify to, the value in conda_context.ssl_verify referenced in fcp.py is always set to True. The only way I can get it to override is to use the environment variable CONDA_SSL_VERIFY=False or REQUESTS_CA_BUNDLE with the path to a specific CA cert.

Is this by design or should the ssl_verify set in condarc be honored?

Additional Context

I am using micromamba 1.5.7-0 on Linux with the latest version of constructor. The issue is happening on a closed system from which I do not have the ability to share screenshots.

jaimergp commented 2 weeks ago

Yea, this block is problematic:

https://github.com/conda/constructor/blob/00d82305994fb4cee0c64949dedb0e8bc4f81ccb/constructor/fcp.py#L478-L490

We'll need to improve the logic there a bit. Thanks for the report.

jaimergp commented 6 days ago

@millsks, I opened https://github.com/conda/constructor/pull/860. Can you give it a try locally and see if it fixes your issue?

millsks commented 6 hours ago

Looks good from my local run with your ssl-verify branch. I put in print(f"conda_context.ssl_verify: {conda_context.ssl_verify}") after line 463 on constructor/fcp.py to verify in the output.

$ conda config --set ssl_verify true
$ grep ^ssl_verify ~/.condarc
ssl_verify: true
$ constructor Miniforge3 --dry-run --debug 2>&1|grep ssl_verify
conda_context.ssl_verify: True
^C
$ conda config --set ssl_verify false
$ grep ^ssl_verify ~/.condarc
ssl_verify: false
$ constructor Miniforge3 --dry-run --debug 2>&1|grep ssl_verify
conda_context.ssl_verify: False
^C
$ conda config --set ssl_verify truststore
$ grep ^ssl_verify ~/.condarc
ssl_verify: truststore
$ constructor Miniforge3 --dry-run --debug 2>&1|grep ssl_verify
conda_context.ssl_verify: truststore
^C

millsks commented 5 hours ago

This is the version that is installed on my local system using your branch.

$ constructor --version
constructor 2.0.3.dev689+gbb1c92a
$ conda list|grep ^constructor
constructor               2.0.3.dev689+gbb1c92a          pypi_0    pypi
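
A pre-build check for the situation discussed in this thread, as an added example (not constructor's or conda's own code): it works out which ssl_verify setting a build would pick up and flags the case where certificate verification is turned off. The function names, the accepted boolean spellings and the rule that CONDA_SSL_VERIFY takes priority over .condarc are assumptions of this sketch; the REQUESTS_CA_BUNDLE handling follows what the reporter observed, and the .condarc text is constructed sample input.

```python
import re

# Assumption: boolean spellings accepted for ssl_verify in this sketch.
TRUE_WORDS = {"true", "yes", "on"}
FALSE_WORDS = {"false", "no", "off"}


def condarc_ssl_verify(condarc_text):
    """Return the raw top-level ssl_verify value from .condarc text, or None."""
    value = None
    for line in condarc_text.splitlines():
        m = re.match(r"ssl_verify\s*:\s*(.*)$", line)  # top-level key only
        if m:
            value = m.group(1).split(" #")[0].strip().strip("'\"")
    return value


def classify(raw):
    """Map a raw value onto the modes seen in the thread."""
    if raw is None or raw == "":
        return "default"
    low = raw.lower()
    if low in TRUE_WORDS:
        return "verify"
    if low in FALSE_WORDS:
        return "disabled"
    return "truststore" if low == "truststore" else "ca-bundle"


def effective_ssl_verify(condarc_text, environ):
    """Resolve the setting a build would see and flag disabled verification."""
    if "CONDA_SSL_VERIFY" in environ:  # assumption: env var overrides .condarc
        source, raw = "env:CONDA_SSL_VERIFY", environ["CONDA_SSL_VERIFY"]
    else:
        source, raw = "condarc", condarc_ssl_verify(condarc_text)
    mode = classify(raw)
    if mode == "default":  # nothing configured: verification stays on
        source, mode = "default", "verify"
    if mode == "verify" and environ.get("REQUESTS_CA_BUNDLE"):
        source, mode = "env:REQUESTS_CA_BUNDLE", "ca-bundle"
        raw = environ["REQUESTS_CA_BUNDLE"]
    return {"mode": mode, "source": source, "value": raw,
            "finding": mode == "disabled"}


if __name__ == "__main__":
    import os
    sample = "channels:\n  - conda-forge\nssl_verify: false\n"  # constructed
    print(effective_ssl_verify(sample, dict(os.environ)))
```

Run against the build host's real .condarc and environment, a result with `finding` set to true means packages would be fetched without certificate verification, which is worth failing the build on; a CA bundle or truststore keeps verification on for a self-signed chain.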