Closed PeterPetrik closed 4 years ago
This is the same problem as this one: https://github.com/qgiscloud/qgis-cloud-plugin/issues/36
I have written a howto for working around the problem, however it would be much better to fix the problem in the packaging. The proposed solution is a hack, because I do not have a Mac at my disposal to do a thorough fix.
There's also a script to test the problem, that's handy when developing a fix: https://github.com/qgiscloud/qgis-cloud-plugin/blob/master/support/test_https_request_on_OSX.py . (The test script tries to connect to qgiscloud, but the URL is irrelevant, because the point is to test certificate path resolution by urllib/openssl).
I would think that:
would fix the issue. I gather that would be an "easy and correct" fix. However I have been unable to find info on how to do 2.
+1 to this issue. It happens with the latest release, 3.12.2-București, on MacOS version 10.15.4 (19E287), and I see it in Curl issues with loading rasters over the network.
I get error messages like:
Invalid Layer : GDAL provider Cannot open GDAL dataset /vsicurl/https://sentinel-cogs.s3.us-west-2.amazonaws.com/sentinel-s2-l2a-cogs/2020/S2A_30NVP_20200504_0_L2A/B02.tif:
CURL error: error setting certificate verify locations:
CAfile: /usr/local/etc/openssl/cert.pem
CApath: /usr/local/etc/openssl/certs
Raster layer Provider is not valid (provider: gdal, URI: /vsicurl/https://sentinel-cogs.s3.us-west-2.amazonaws.com/sentinel-s2-l2a-cogs/2020/
It looks like ln -s /usr/local/etc/openssl@1.1 /usr/local/etc/openssl is needed on top of brew install openssl@1.1 as a workaround.
You're right, @PeterPetrik, that fixes the issue! Thank you so much for figuring it out. 👏 👏
related to https://github.com/qgis/QGIS/issues/37107
see https://github.com/lutraconsulting/qgis-mergin-plugin/issues/70
If urllib is used directly with ssl (https), it fails to verify the local certificate with the error:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
It does not happen with the requests lib.
The problem is that libcrypto is compiled with the certificate path pointing to Homebrew's /usr/local dir. You can verify it by
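
The failure discussed in this thread comes down to OpenSSL looking for its CA bundle at a compiled-in location that does not resolve on the machine. The following is an added diagnostic, not code from the thread or from the QGIS packaging: it reads the locations the running interpreter's OpenSSL was built with through ssl.get_default_verify_paths() and reports whether each one resolves; the function names classify, audit and audit_interpreter are hypothetical.

```python
import os
import ssl

def classify(path, want_dir):
    """Status of one CA location: ok, unset, missing, dangling-symlink, ..."""
    if not path:
        return "unset"
    if os.path.islink(path) and not os.path.exists(path):
        return "dangling-symlink"  # e.g. a link to a removed Homebrew prefix
    if not os.path.exists(path):
        return "missing"
    if want_dir:
        if not os.path.isdir(path):
            return "not-a-directory"
        # Only checks for entries; OpenSSL also needs hash-named files here.
        return "ok" if os.listdir(path) else "empty"
    if not os.path.isfile(path):
        return "not-a-file"
    with open(path, "r", errors="replace") as fh:
        has_cert = "-----BEGIN CERTIFICATE-----" in fh.read()
    return "ok" if has_cert else "empty"

def audit(cafile, capath, environ=None,
          file_env="SSL_CERT_FILE", dir_env="SSL_CERT_DIR"):
    """Check the locations OpenSSL would use; env vars replace the defaults."""
    environ = os.environ if environ is None else environ
    eff_file = environ.get(file_env, cafile)
    eff_dir = environ.get(dir_env, capath)
    report = {
        "cafile": (eff_file, classify(eff_file, False)),
        "capath": (eff_dir, classify(eff_dir, True)),
    }
    report["usable"] = "ok" in (report["cafile"][1], report["capath"][1])
    return report

def audit_interpreter():
    """Audit the paths compiled into this interpreter's OpenSSL."""
    p = ssl.get_default_verify_paths()
    return audit(p.openssl_cafile, p.openssl_capath,
                 file_env=p.openssl_cafile_env, dir_env=p.openssl_capath_env)

if __name__ == "__main__":
    for key, value in audit_interpreter().items():
        print(key, value)
```

Run it in the QGIS Python console so that it inspects the interpreter bundled with QGIS rather than a system Python.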