search

migration-test / GithubMigrate

A migration tool to migrate GitHub repositories, issues, PR's
Apache License 2.0
0 stars 0 forks source link

Pip SSL issue #20

Open phillipbroberts opened 3 years ago

phillipbroberts commented 3 years ago

Hi getting this error while installing requirements:

PS C:\github\GithubMigrate\GithubMigrate> pip install -f ./requirements.txt ERROR: You must give at least one requirement to install (maybe you meant "pip install ./requirements.txt"?) Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)'))) - skipping PS C:\github\GithubMigrate\GithubMigrate> python.exe --version Python 3.9.5 PS C:\github\GithubMigrate\GithubMigrate> pip --version pip 21.1.1 from c:\users\105710986\appdata\local\programs\python\python39\lib\site-packages\pip (python 3.9) PS C:\github\GithubMigrate\GithubMigrate>

Workaround: pip --trusted-host pypi.org --trusted-host files.pythonhosted.org

we may need to include into the documentation

phillipbroberts commented 3 years ago

He probably means pip install -r ./requirements.txt

Reference: https://pip.pypa.io/en/stable/cli/pip_install/#install-requirement

I believe the SSL error is due to the BH self-signed certificate, which is an ongoing issue with Global Connect. image

phillipbroberts commented 3 years ago

@chriswblake I am not certain why I never saw these errors though? This seems like a larger issue than just with this Github Migration script. Do you guys think something should be escalated within Baker Hughes to get SSL correct?

phillipbroberts commented 3 years ago

Are you connecting via VPN (Cisco AnyConnect) or Global Connect? I don't believe VPN has that problem. (not personally verified)

phillipbroberts commented 3 years ago

I am on AnyConnect still, had problems with Global Connect and haven't had a moment to resolve it.

I did get SSL errors on the requests calls, hence the original SSL fix where we include the ca file in every call to the GitHub API. Just never ran into the pip issue.

If I can get this packaged before end of week, the pip issue won't exist, I am just worried that we will find more SSL issues once this gets released to the wider audience.

phillipbroberts commented 3 years ago

Using BH Laptop and Global Protect Using an AWS EC2 the error is not coming. It's definitely an issue of Laptop. My suggestion is just to adjust the readme file, adding the option.

phillipbroberts commented 3 years ago

Using BH Laptop and Global Protect

I assume this is saying: "(I also get the error) using BH Laptop and Global Protect"

Using an AWS EC2 the error is not coming. It's definitely an issue of Laptop.

I don't think it is the laptop. I think it is the connection. I am fine if I turn Global Connect off and am not on BH network.

My suggestion is just to adjust the readme file, adding the option.

What exactly are you suggesting to add to the readme file? The only solution I know is to install additional certificates. Expecting every user to do that is definitely going to fail. https://mattferderer.com/fix-git-self-signed-certificate-in-certificate-chain-on-windows

phillipbroberts commented 3 years ago

This workaround worked for Mike.

Workaround: pip --trusted-host pypi.org --trusted-host files.pythonhosted.org

I think this is what he is suggesting is added to the ReadMe file. Like the other solution you have @chriswblake I am concerned this will fail on a larger audience.

phillipbroberts commented 3 years ago

I don't really understand how that solution solves the self-signed certificate issue, but if it solves it, then I won't argue.! :)

phillipbroberts commented 3 years ago

Hey @chriswblake and @mikeviviani -

I resolved this by having GitHub Actions compile the python source into distributable binaries for windows and non windows based systems. You can find the latest binary in the releases section, I will also be linking it from the documentation. There are a couple of small bugs I will have worked out today with it.

  1. Compiling the self-signed cert into the binary does no good and is ultimately ignored by the compiler, we will need to find a different way to distribute the self-signed cert bundle and it will have to be part of a config file
  2. I need to wrap pathing calls with the PathLib library so paths are automatically converted based on OS

Both of these are easy to achieve, shouldn't take me long to do this morning, I intended on doing them yesterday but wasn't feel well and needed to rest and see my doctor.

Unless one of you object, I am closing this as resolved though, PIP is no longer required. As a matter of fact there are no prerequisites for the system now as everything is compiled together.