qgis / QGIS-Mac-Packager

Scripts for Official QGIS MacOS Packages
https://www.qgis.org
GNU General Public License v2.0

openssl cert.pem file not packaged #32

Closed PeterPetrik closed 4 years ago

PeterPetrik commented 4 years ago

see https://github.com/lutraconsulting/qgis-mergin-plugin/issues/70

if urllib is used directly with ssl (https), it fails to verify local certificate with error:

    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

It does not happen with requests lib

the problem is that libcrypto is compiled with the certificate path pointing to homebrew's /usr/local dir. you can verify it by

import ssl
ssl.get_default_verify_paths()
> DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/etc/openssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/etc/openssl/certs')

tpo commented 4 years ago

This is the same problem as this one: https://github.com/qgiscloud/qgis-cloud-plugin/issues/36

I have written a howto for working around the problem, however it would be much better to fix the problem in the packaging. The proposed solution is a hack, because I do not have a Mac at my disposal to do a thorough fix.

There's also a script to test the problem, that's handy when developing a fix: https://github.com/qgiscloud/qgis-cloud-plugin/blob/master/support/test_https_request_on_OSX.py . (The test script tries to connect to qgiscloud, but the URL is irrelevant, because the point is to test certificate path resolution by urllib/openssl).

tpo commented 4 years ago

I would think that:

  1. including the certifi package with the QGIS-Mac-Packager and
  2. setting an environment variable that extends openssl's search path for the root CA certificates file

would fix the issue. I gather that would be an "easy and correct" fix. However I have been unable to find info on how to do 2.
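
The check and the certifi/environment-variable idea discussed above, as an added example that is not part of the thread or of the QGIS packaging scripts. The function names, the fallback order and the `/etc/ssl/cert.pem` location are assumptions; the environment variable name is taken from what `ssl.get_default_verify_paths()` reports, and the code covers Python's `ssl` module only.

```python
import os
import ssl

def default_store_missing(paths):
    """True when neither CA location OpenSSL would use exists on disk.
    get_default_verify_paths() reports such locations as cafile/capath None."""
    return paths.cafile is None and paths.capath is None

def pick_bundle(candidates):
    """First candidate that is an existing, non-empty file, else None."""
    for path in candidates:
        if path and os.path.isfile(path) and os.path.getsize(path) > 0:
            return path
    return None

def candidate_bundles():
    """Assumed fallback order: certifi if it is packaged, then the system file."""
    found = []
    try:
        import certifi
        found.append(certifi.where())
    except ImportError:
        pass
    found.append("/etc/ssl/cert.pem")  # assumption: macOS system CA bundle
    return found

def env_override(paths, bundle):
    """Environment entry that points OpenSSL's CA file lookup at `bundle`."""
    return {paths.openssl_cafile_env: bundle}

def verified_context(paths=None, candidates=None):
    """Verifying SSLContext; uses a fallback bundle only when defaults are absent.
    Fails closed: with no usable bundle it raises instead of skipping verification."""
    paths = paths or ssl.get_default_verify_paths()
    if not default_store_missing(paths):
        return ssl.create_default_context()
    bundle = pick_bundle(candidate_bundles() if candidates is None else candidates)
    if bundle is None:
        raise FileNotFoundError(f"no CA bundle; OpenSSL expects {paths.openssl_cafile}")
    return ssl.create_default_context(cafile=bundle)

if __name__ == "__main__":
    p = ssl.get_default_verify_paths()
    print("compiled-in CA file:", p.openssl_cafile)
    print("default store missing:", default_store_missing(p))
    if default_store_missing(p):
        print("suggested environment:", env_override(p, pick_bundle(candidate_bundles())))
```

The returned context can be passed as `urllib.request.urlopen(url, context=verified_context())`. The entry from `env_override` has to be in the process environment before any SSL context is created.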

alexgleith commented 4 years ago

+1 to this issue. It happens with the latest release, 3.12.2-București on MacOS version 10.15.4 (19E287) and I see it in Curl issues with loading rasters over the network.

I get error messages like:

 Invalid Layer : GDAL provider Cannot open GDAL dataset /vsicurl/https://sentinel-cogs.s3.us-west-2.amazonaws.com/sentinel-s2-l2a-cogs/2020/S2A_30NVP_20200504_0_L2A/B02.tif:
             CURL error: error setting certificate verify locations:
              CAfile: /usr/local/etc/openssl/cert.pem
              CApath: /usr/local/etc/openssl/certs
             Raster layer Provider is not valid (provider: gdal, URI: /vsicurl/https://sentinel-cogs.s3.us-west-2.amazonaws.com/sentinel-s2-l2a-cogs/2020/

PeterPetrik commented 4 years ago

it looks like the ln -s /usr/local/etc/openssl@1.1 /usr/local/etc/openssl is needed on top of brew install openssl@1.1 as workaround

alexgleith commented 4 years ago

You're right, @PeterPetrik, that fixes the issue! Thank you so much for figuring it out. 👏 👏

PeterPetrik commented 4 years ago

related to https://github.com/qgis/QGIS/issues/37107