Open benoit-pierre opened 3 years ago
Is there a simple fix for this issue? Can we do whatever /Applications/Python 3.6/Install Certificates.command
does after a "regular" install?
I just bypass the issue by setting the SSL_CERT_FILE
environment variable (e.g. to the output of python -m pip._vendor.certifi
or python -m certifi
).
For reference this is the contents of the Python 3.8 script:
#!/bin/sh
/Library/Frameworks/Python.framework/Versions/3.8/bin/python3.8 << "EOF"
# install_certifi.py
#
# sample script to install or update a set of default Root Certificates
# for the ssl module. Uses the certificates provided by the certifi package:
# https://pypi.org/project/certifi/
import os
import os.path
import ssl
import stat
import subprocess
import sys
STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
| stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
| stat.S_IROTH | stat.S_IXOTH )
def main():
openssl_dir, openssl_cafile = os.path.split(
ssl.get_default_verify_paths().openssl_cafile)
print(" -- pip install --upgrade certifi")
subprocess.check_call([sys.executable,
"-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"])
import certifi
# change working directory to the default SSL directory
os.chdir(openssl_dir)
relpath_to_certifi_cafile = os.path.relpath(certifi.where())
print(" -- removing any existing file or link")
try:
os.remove(openssl_cafile)
except FileNotFoundError:
pass
print(" -- creating symlink to certifi certificate bundle")
os.symlink(relpath_to_certifi_cafile, openssl_cafile)
print(" -- setting permissions")
os.chmod(openssl_cafile, STAT_0o775)
print(" -- update complete")
if __name__ == '__main__':
main()
EOF
so it looks like there may be another issue to solve here
managed_python3
Python 3.9.10 (v3.9.10:f2f3f53782, Jan 13 2022, 16:55:46)
[Clang 13.0.0 (clang-1300.0.29.30)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> import ssl
>>> import certifi
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/Library/Frameworks/Python.framework/Versions/3.9/etc/openssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/Library/Frameworks/Python.framework/Versions/3.9/etc/openssl/certs')
>>> openssl_dir, openssl_cafile = os.path.split(ssl.get_default_verify_paths().openssl_cafile)
>>> openssl_dir, openssl_cafile
('/Library/Frameworks/Python.framework/Versions/3.9/etc/openssl', 'cert.pem')
>>> certifi.where()
'/Library/ManagedFrameworks/Python/Python3.framework/Versions/3.9/lib/python3.9/site-packages/certifi/cacert.pem'
certifi
seems to get the right path, but ssl
functions are pulling the non relocatable path :/
hm,
ls -la /Library/ManagedFrameworks/Python/Python3.framework/Versions/3.9/etc/openssl
total 0
drwxr-xr-x 2 root wheel 64 Feb 8 16:48 .
drwxr-xr-x 3 root wheel 96 Feb 8 16:48 ..
This implies that when openssl is pip installed
it installs to the wrong path
The documentation should mention that SSL certificates are not configured (the equivalent of calling
/Applications/Python 3.6/Install Certificates.command
after a regular install). pip will still work fine, since it uses its own vendored-in copy of certifi, but standard library calls tourlopen
and the like may fail.