pypa / pip

The Python package installer
https://pip.pypa.io/
MIT License

Pip 8.0.1 throws SSL: CERTIFICATE_VERIFY_FAILED #3415

Closed thatrevguy closed 8 years ago

thatrevguy commented 8 years ago

Upgraded to pip 8.0.1 on Python 2.7.5 and can no longer use pip install...

Example:

Collecting pip
  Using cached pip-8.0.1-py2.py3-none-any.whl
Installing collected packages: pip
  Found existing installation: pip 8.0.0
    Uninstalling pip-8.0.0:
      Successfully uninstalled pip-8.0.0
Successfully installed pip-8.0.1
Could not fetch URL https://pypi.python.org/simple/setuptools/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765) - skipping
Requirement already up-to-date: setuptools in ./env/lib/python2.7/site-packages
Collecting flasgger==0.5.10 (from -r scripts/requirements.txt (line 2))
  Could not fetch URL https://pypi.python.org/simple/flasgger/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765) - skipping
  Could not find a version that satisfies the requirement flasgger==0.5.10 (from -r scripts/requirements.txt (line 2)) (from versions: )
No matching distribution found for flasgger==0.5.10 (from -r scripts/requirements.txt (line 2))

dstufft commented 8 years ago

What OS?

thatrevguy commented 8 years ago

This is on CentOS Linux release 7.2.1511 (Core)

vcabbage commented 8 years ago

I see the same issue on CentOS Linux release 7.2.1511 (Core) (as a docker container).

dstufft commented 8 years ago

What does python -c "import ssl; print(ssl.get_default_verify_paths())" give you?

andrew-regan commented 8 years ago

[root@a81f5f2b0fe8 /]# python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/etc/pki/tls/cert.pem', capath='/etc/pki/tls/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/pki/tls/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/pki/tls/certs')

thatrevguy commented 8 years ago

Looks the same for me as well:

DefaultVerifyPaths(cafile='/etc/pki/tls/cert.pem', capath='/etc/pki/tls/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/pki/tls/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/pki/tls/certs')

dstufft commented 8 years ago

Is anything in /etc/pki/tls/certs?

vcabbage commented 8 years ago

[root@ac3505a069c3 /]# ls -la /etc/pki/tls/certs
total 8
drwxr-xr-x 2 root root 4096 Jan  7 18:37 .
drwxr-xr-x 8 root root 4096 Jan 21 20:35 ..
lrwxrwxrwx 1 root root   49 Dec 23 18:08 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root   55 Dec 23 18:08 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

dstufft commented 8 years ago

Ugh.

So CentOS ships with a broken OpenSSL CAPath value set (I think? that or requests' ability to use a CAPath is broken), which 8.0.1 switched to trusting a CAPath because Debian ships a broken CAFile.

thatrevguy commented 8 years ago

That would make some sense... have a project using requests 2.9.1 and have to manually specify path to a pem containing cert chain with the verify= keyword argument. Even after running the pem through update-ca-trust...

Jumping into requests rabbit hole now...

justinta commented 8 years ago

I'm seeing this on Fedora 22 as well as CentOS 7. @dstufft

dstufft commented 8 years ago

I'm going to be cutting a new 8.0.2 and we're just going to stop trying to trust the OS provided SSL certificates, because apparently nobody can manage to ship an unbroken OpenSSL.

andrew-regan commented 8 years ago

:+1:

thatrevguy commented 8 years ago

Requests 2.9.1 is searching for two environment variables to resolve ca-bundle in sessions.py

if verify is True or verify is None:
    verify = (os.environ.get('REQUESTS_CA_BUNDLE') or
              os.environ.get('CURL_CA_BUNDLE'))

REQUESTS_CA_BUNDLE is in their docs: http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification

CURL_CA_BUNDLE is not set in my OS env or mentioned in their docs.

If neither of those are set it uses certifi which apparently uses some bundled pem file...

Was able to get pip 8.0.1 working after running: export REQUESTS_CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"

semarj commented 8 years ago

Hitting this on Amazon Linux as well.

$ cat /etc/system-release
Amazon Linux AMI release 2015.09
$ ls -la /etc/pki/tls/certs/
total 1924
drwxr-xr-x 2 root root    4096 Jan 21 22:52 .
drwxr-xr-x 5 root root    4096 Jan 21 22:52 ..
-rw-r--r-- 1 root root  877042 Oct 16 21:04 ca-bundle.crt
-rw-r--r-- 1 root root 1066943 Oct 16 21:04 ca-bundle.trust.crt
-rwxr-xr-x 1 root root     610 Dec  9 18:29 make-dummy-cert
-rw-r--r-- 1 root root    2388 Dec  9 18:29 Makefile
-rwxr-xr-x 1 root root     829 Dec  9 18:29 renew-dummy-cert

dstufft commented 8 years ago

8.0.2 is out now.

lorengordon commented 8 years ago

Thanks, I ran into this late yesterday when one of my builds started failing. Tested with 8.0.2 this morning and it's now working with both Amazon Linux 2015.9 and CentOS 6.

riddhik84 commented 8 years ago

I see this issue on a Windows 10 machine. What is the default cert path on Windows 10? Currently the command python -c "import ssl; print(ssl.get_default_verify_paths())" gives me the output below:

DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/ssl/certs')

But the user/local/ssl/certs path is not there on Windows, so how can I change it?

a3rosol commented 8 years ago

same issue as @riddhik84, pip and requests fail with that error on Windows 10

asadkhancs commented 8 years ago

Hey, has anyone had any luck with the pip issue on Windows 10?

riddhik84 commented 8 years ago

Hey!! I got it resolved.... I used pip command as below and it worked for me.

pip install --trusted-host pypi.python.org django

Hope it helps. :)

asadkhancs commented 8 years ago

Thanks, I resolved it by manually installing.

kalez commented 7 years ago

"pip install --trusted-host pypi.python.org" as told by @riddhik84 works for me, python-3.6 on Windows 7, thank you

kbrowder commented 7 years ago

Sorry to bring up an old issue but I'm noticing this in pip 9.0.1 on CentOS 6 and 7 and Python 3.6.1. Adding export REQUESTS_CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt" solves it but seems sub-optimal.

Anyone else seen this?

scottwoodall commented 7 years ago

To add another solution. After a fresh install of Ubuntu 16.04 I was trying to install Django but getting an error:

 pip install -vvv django
<snip>
  File "/home/scott/.virtualenvs/testing/share/python-wheels/requests-2.9.1-py2.py3-none-any.whl/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: unknown error (_ssl.c:3053)
(testing) scott@dev:~$ pip --version
pip 8.1.1 from /home/scott/.virtualenvs/testing/lib/python3.5/site-packages (python 3.5)

My /etc/ssl/certs/ca-certificates.crt file was empty so I ran sudo update-ca-certificates which populated the ca-certificates.crt file and then everything started working.
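
The checks walked through in this thread (the REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE lookup quoted from requests 2.9.1, the /etc/pki/tls/certs listing, and the empty ca-certificates.crt above) gathered into one diagnostic. This is an added example, not code from pip, requests or any commenter; the function names are hypothetical, and the directory check relies on OpenSSL searching a CApath directory only by subject-hash file names.

```python
import os
import re
import ssl

# OpenSSL finds certificates in a CApath directory by subject-hash file
# names of the form "xxxxxxxx.N"; a bundle file stored there is not read.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def bundle_from_env(environ):
    """Env override, in the order quoted from requests 2.9.1 sessions.py."""
    return environ.get("REQUESTS_CA_BUNDLE") or environ.get("CURL_CA_BUNDLE")


def check_cafile(path):
    """Classify a CA bundle file as 'missing', 'empty' (no PEM certs) or 'ok'."""
    if not path or not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        count = fh.read().count(b"-----BEGIN CERTIFICATE-----")
    return "ok" if count else "empty"


def check_capath(path):
    """Classify a CApath directory as 'missing', 'unhashed' or 'ok'."""
    if not path or not os.path.isdir(path):
        return "missing"
    names = os.listdir(path)
    return "ok" if any(HASHED_NAME.match(n) for n in names) else "unhashed"


def diagnose(environ=os.environ, paths=None):
    """Summarise the trust sources a requests-based client could end up using."""
    paths = paths or ssl.get_default_verify_paths()
    override = bundle_from_env(environ)
    return {
        "env_override": override,
        "env_override_state": check_cafile(override) if override else None,
        "openssl_cafile": check_cafile(paths.openssl_cafile),
        "openssl_capath": check_capath(paths.openssl_capath),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

A directory that holds only ca-bundle.crt entries, like the listings earlier in the thread, reports "unhashed"; a zero-length bundle reports "empty".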

iceflame89 commented 6 years ago

The system time (too late or too early) could cause SSL verification to fail.

JPvRiel commented 6 years ago

Anyone else seen this?

Saw it on CentOS 7.5 with pip 8.1.2. Exporting REQUESTS_CA_BUNDLE via an /etc/profile.d/ssl_env.sh file was my permanent work-around.

Clearly, this issue isn't resolved for major Linux distros like RedHat/CentOS/Fedora because of where the requests module, via the certifi module, looks for CA files by default... RedHat/CentOS command update-ca-trust only adds bundles into /etc/pki/... locations I think, and certifi decided to not trust/include/use OS CA bundles, but be a strict curated set of certs.

$ python -c 'import certifi; print(certifi.where())'
/usr/lib/python2.7/site-packages/certifi/cacert.pem

RonnyPfannschmidt commented 6 years ago

@JPvRiel for enterprise distributions that ship out really old versions + patches - get in touch with your vendor - pip is a few major releases advanced already and as a volunteer project it certainly won't sort out issues with gravely outdated enterprise vendor deployments

JPvRiel commented 6 years ago

@RonnyPfannschmidt fair enough if the vendor is being tardy about shipping upgraded pip versions. Could be that RedHat hasn't been able to get past yum's dependency on older python 2 libs and versions, plus possibly not testing for breaking changes with newer pip versions... That said, the REQUESTS_CA_BUNDLE env var option is at least noteworthy should other people find this issue because they're stuck with "gravely outdated enterprise vendor deployments".
