In venv after upgrading to PIP version 24.2 looks like it stopped paying attention to --cert option, cert configuration parameter in pip.conf, and PIP_CERT variable and generates SSL Verification error.
Expected behavior
As a valid root certificate is provided with truststore, I expect SSL handshake to complete without errors.
The only way to fix this error is to define a trusted-host in the pip.conf like this:
trusted-host = my-nexus.server.private
This has a definite drawback of turning off SSL verification.
Specifying --cert option with a pip command or defining PIP_CERT or REQUESTS_CA_BUNDLE environment variables has no effect
Output
The --upgrade command produced the following output
Looking in indexes: https://my-nexus.server.private/nexus/repository/pypi-all/simple
Requirement already satisfied: pip in /REDACTED/venv/lib/python3.12/site-packages (24.0)
Collecting pip
Using cached https://my-nexus.server.private/nexus/repository/pypi-all/packages/pip/24.2/pip-24.2-py3-none-any.whl (1.8 MB)
Installing collected packages: pip
Attempting uninstall: pip
Found existing installation: pip 24.0
Uninstalling pip-24.0:
Successfully uninstalled pip-24.0
Successfully installed pip-24.2
The subsequent pip install command fails
Looking in indexes: https://my-nexus.server.private/nexus/repository/pypi-all/simple
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))': /nexus/repository/pypi-all/simple/packaging/
Could not fetch URL https://my-nexus.server.private/nexus/repository/pypi-all/simple/packaging/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='my-nexus.server.private', port=443): Max retries exceeded with url: /nexus/repository/pypi-all/simple/packaging/ (Caused by SSLError(SSLCertVerificationError('“my-nexus.server.private” certificate is not standards compliant'))) - skipping
ERROR: Could not find a version that satisfies the requirement packaging==24.1 (from versions: none)
Description
In venv after upgrading to PIP version 24.2 looks like it stopped paying attention to
--cert
option,cert
configuration parameter inpip.conf
, andPIP_CERT
variable and generates SSL Verification error.Expected behavior
As a valid root certificate is provided with truststore, I expect SSL handshake to complete without errors.
pip version
24.2
Python version
3.12.4
OS
Mac OS Sonoma 14.7 (23H124)
How to Reproduce
pip.conf configured like this
/Users/myuser/.ssl/cacert.pem
contains private root certificate formy-nexus.server.private
This setup works fine for
venv
bundled pip version (24.0)The following is a sample
requirements.txt
Here is the script to run
The only way to fix this error is to define a
trusted-host
in thepip.conf
like this:This has a definite drawback of turning off SSL verification.
Specifying
--cert
option with apip
command or definingPIP_CERT
orREQUESTS_CA_BUNDLE
environment variables has no effectOutput
The
--upgrade
command produced the following outputThe subsequent
pip install
command failsCode of Conduct