pypa / pip

The Python package installer
https://pip.pypa.io/
MIT License

Getting SSLError(SSLCertVerificationError('“PRIVATE.CERT” certificate is not standards compliant')) after upgrading to pip 24.2 #12995

Open apogrebnyak opened 1 week ago

apogrebnyak commented 1 week ago

Description

In a venv, after upgrading to pip version 24.2, it looks like pip stopped paying attention to the --cert option, the cert configuration parameter in pip.conf, and the PIP_CERT variable, and generates an SSL verification error.

Expected behavior

As a valid root certificate is provided with truststore, I expect the SSL handshake to complete without errors.

pip version

24.2

Python version

3.12.4

OS

Mac OS Sonoma 14.7 (23H124)

How to Reproduce

pip.conf is configured like this:

$ cat ~/.pip/pip.conf
[global]
index = https://my-nexus.server.private/nexus/repository/pypi-all/pypi
index-url = https://my-nexus.server.private/nexus/repository/pypi-all/simple
cert = /Users/myuser/.ssl/cacert.pem

/Users/myuser/.ssl/cacert.pem contains the private root certificate for my-nexus.server.private.

This setup works fine with the pip version bundled in the venv (24.0).

The following is a sample requirements.txt:

packaging==24.1

Here is the script to run:

python3 -m venv venv
source venv/bin/activate
python3 -m pip install --upgrade pip  # This runs fine
python3 -m pip install --requirement requirements.txt  # Fails

The only way to fix this error is to define a trusted-host in the pip.conf like this:

trusted-host = my-nexus.server.private

This has the definite drawback of turning off SSL verification.

Specifying the --cert option with a pip command or defining the PIP_CERT or REQUESTS_CA_BUNDLE environment variables has no effect.

Output

The --upgrade command produced the following output:

Looking in indexes: https://my-nexus.server.private/nexus/repository/pypi-all/simple
Requirement already satisfied: pip in /REDACTED/venv/lib/python3.12/site-packages (24.0)
Collecting pip
  Using cached https://my-nexus.server.private/nexus/repository/pypi-all/packages/pip/24.2/pip-24.2-py3-none-any.whl (1.8 MB)
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 24.0
    Uninstalling pip-24.0:
      Successfully uninstalled pip-24.0
Successfully installed pip-24.2

The subsequent pip install command fails:

Looking in indexes: https://my-nexus.server.private/nexus/repository/pypi-all/simple
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
Could not fetch URL https://my-nexus.server.private/nexus/repository/pypi-all/simple/packaging/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='my-nexus.server.private', port=443): Max retries exceeded with url: /nexus/repository/pypi-all/simple/packaging/ (Caused by SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))) - skipping
ERROR: Could not find a version that satisfies the requirement packaging==24.1 (from versions: none)

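An added diagnostic for the report above (not pip's code and not the reporter's): pip 24.2 verifies TLS through the platform trust store via the truststore package by default, so the script resolves the CA bundle the way pip's option precedence does and then runs the handshake to the index host twice, once with a stdlib context that trusts only that PEM bundle and once with a truststore context, so you can see which trust path rejects the private root. The host and bundle path are assumed to come from the command line; the `resolve_cert_path`, `handshake_result` and `probe` names are this script's own.

```python
# Added diagnostic script (not pip's or the reporter's code). It verifies the
# same host twice: with a stdlib context that trusts only the configured PEM
# bundle, and with the platform trust store via "truststore" (pip 24.2 default).
import socket
import ssl
import sys
from configparser import ConfigParser
from typing import Optional

try:
    import truststore  # the package pip 24.2 uses for system trust
except ImportError:  # still usable without it; only the cafile path is probed
    truststore = None


def resolve_cert_path(cli_cert: Optional[str], env: dict, pip_conf_text: str) -> Optional[str]:
    """Mirror pip's option precedence: command line > PIP_CERT env > config file."""
    if cli_cert:
        return cli_cert
    if env.get("PIP_CERT"):
        return env["PIP_CERT"]
    parser = ConfigParser()
    parser.read_string(pip_conf_text)
    return parser.get("global", "cert", fallback=None)


def handshake_result(ctx: ssl.SSLContext, host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return 'ok', or a short reason, for one TLS handshake under `ctx`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"verify-failed: {exc.verify_message}"
    except OSError as exc:  # refused, timeout, DNS, or other TLS errors
        return f"connect-failed: {exc}"


def probe(host: str, cafile: Optional[str], port: int = 443) -> dict:
    """Verify `host` with the PEM bundle and, when available, with the OS trust store."""
    results = {"cafile": handshake_result(ssl.create_default_context(cafile=cafile), host, port)}
    if truststore is not None:
        results["truststore"] = handshake_result(truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT), host, port)
    return results


if __name__ == "__main__":
    # usage: python probe_index_cert.py my-nexus.server.private /Users/myuser/.ssl/cacert.pem
    for name, outcome in probe(sys.argv[1], sys.argv[2]).items():
        print(f"{name:>10}: {outcome}")
```

If "cafile" reports ok while "truststore" reports verify-failed, the bundle is fine and the platform trust evaluation is what rejects the root; if both fail, the bundle itself does not verify the chain.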

notatallshaw commented 1 week ago

Does running with the flag --use-deprecated=legacy-certs make any difference?