[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

[ogrisel]

Recently we started to observe SSL: CERTIFICATE_VERIFY_FAILED errors on the appveyor build of scikit-learn, for instance:

```python-traceback Traceback (most recent call last): File "C:\Python27\lib\site-packages\wheelhouse_uploader\upload.py", line 45, in upload return self._try_upload_once(local_folder, container) File "C:\Python27\lib\site-packages\wheelhouse_uploader\upload.py", line 62, in _try_upload_once container = driver.get_container(container_name) File "C:\Python27\lib\site-packages\libcloud\storage\drivers\cloudfiles.py", line 285, in get_container method='HEAD') File "C:\Python27\lib\site-packages\libcloud\storage\drivers\cloudfiles.py", line 235, in request raw=raw, cdn_request=cdn_request) File "C:\Python27\lib\site-packages\libcloud\storage\drivers\cloudfiles.py", line 163, in request raw=raw) File "C:\Python27\lib\site-packages\libcloud\common\openstack.py", line 227, in request raw=raw) File "C:\Python27\lib\site-packages\libcloud\common\base.py", line 753, in request action = self.morph_action_hook(action) File "C:\Python27\lib\site-packages\libcloud\common\openstack.py", line 294, in morph_action_hook self._populate_hosts_and_request_paths() File "C:\Python27\lib\site-packages\libcloud\common\openstack.py", line 327, in _populate_hosts_and_request_paths osa = osa.authenticate(**kwargs) # may throw InvalidCreds File "C:\Python27\lib\site-packages\libcloud\common\openstack_identity.py", line 850, in authenticate return self._authenticate_2_0_with_api_key() File "C:\Python27\lib\site-packages\libcloud\common\openstack_identity.py", line 865, in _authenticate_2_0_with_api_key return self._authenticate_2_0_with_body(reqbody) File "C:\Python27\lib\site-packages\libcloud\common\openstack_identity.py", line 882, in _authenticate_2_0_with_body method='POST') File "C:\Python27\lib\site-packages\libcloud\common\base.py", line 851, in request raise ssl.SSLError(str(e)) SSLError: ('[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)',) Traceback (most recent call last): File "C:\Python27\lib\site-packages\wheelhouse_uploader\upload.py", line 45, in upload return self._try_upload_once(local_folder, container) File "C:\Python27\lib\site-packages\wheelhouse_uploader\upload.py", line 62, in _try_upload_once container = driver.get_container(container_name) File "C:\Python27\lib\site-packages\libcloud\storage\drivers\cloudfiles.py", line 285, in get_container method='HEAD') File "C:\Python27\lib\site-packages\libcloud\storage\drivers\cloudfiles.py", line 235, in request raw=raw, cdn_request=cdn_request) File "C:\Python27\lib\site-packages\libcloud\storage\drivers\cloudfiles.py", line 163, in request raw=raw) File "C:\Python27\lib\site-packages\libcloud\common\openstack.py", line 227, in request raw=raw) File "C:\Python27\lib\site-packages\libcloud\common\base.py", line 753, in request action = self.morph_action_hook(action) File "C:\Python27\lib\site-packages\libcloud\common\openstack.py", line 294, in morph_action_hook self._populate_hosts_and_request_paths() File "C:\Python27\lib\site-packages\libcloud\common\openstack.py", line 327, in _populate_hosts_and_request_paths osa = osa.authenticate(**kwargs) # may throw InvalidCreds File "C:\Python27\lib\site-packages\libcloud\common\openstack_identity.py", line 850, in authenticate return self._authenticate_2_0_with_api_key() File "C:\Python27\lib\site-packages\libcloud\common\openstack_identity.py", line 865, in _authenticate_2_0_with_api_key return self._authenticate_2_0_with_body(reqbody) File "C:\Python27\lib\site-packages\libcloud\common\openstack_identity.py", line 882, in _authenticate_2_0_with_body method='POST') File "C:\Python27\lib\site-packages\libcloud\common\base.py", line 851, in request raise ssl.SSLError(str(e))('[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)',) ('[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)',) ('[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)',) ```

We probably need to unpin the apache-libcloud dependency but that probably require to make a code update to wheelhouse-uploader itself.

[matthew-brett]

Oops - sorry I missed this issue. I don't know why this problem came up now, but the fix is to install certifi - as in:

https://github.com/MacPython/numpy-wheels/commit/c139b75fd07db3d4f83e50e6f6eacc7002368384

See also: https://github.com/matthew-brett/multibuild/issues/178

[ogrisel]

@matthew-brett I have released wheelhouse-uploader 0.9.7 with an explicit dependency on certifi but that does not seem to solve the SSL verification issue on this appveyor build:

https://ci.appveyor.com/project/sklearn-ci/scikit-learn/build/job/9knfe7ggk6emogto

The log shows that certifi-2018.4.16 has been installed (as a dependency from wheelhouse-uploader 0.9.7).

[matthew-brett]

You've still got '--no-ssl-check' set :)

[ogrisel]

ah yes, thanks.

[ogrisel]

@matthew-brett I just realized that I am the sole maintainer of wheelhouse-uploader. I've just sent you a github invite to get push rights on this repo.

I would also like to give you the rights on pypi.org if you agree. I would need your pypi.org username (or email address) to do so.

That would increase the bus factor to 2 for this infra tool project.

[matthew-brett]

Thanks - yes - that's fine - my PyPI username is matthew.brett

[ogrisel]

Done. Welcome on board :)

[ogrisel]

Closing the issue. I confirm that installing certifi and not using --no-ssl-check fixes the issue on appveyor.

The fact that the --no-ssl-check causes a SSL_VERIFY_FAILED error is probably a bug in its own respect but at least we now have a safe way to upload wheel from appveyor.