search

ros-infrastructure / rosdistro

Tools to work with catkinized rosdistro files
Other
7 stars 40 forks source link

Fix SSL certificate verification issue #161

Closed kunaltyagi closed 2 years ago

kunaltyagi commented 3 years ago

Detected while using rosdep (https://github.com/ros-infrastructure/rosdep/pull/808)

kunaltyagi commented 3 years ago

Post the changes in linked PR, the errors detected are:

#7 37.97 Wrote /etc/ros/rosdep/sources.list.d/20-default.list
#7 37.97 Recommended: please run
#7 37.97 
#7 37.97        rosdep update
#7 37.97 
#7 69.46 Warning: running 'rosdep update' as root is not recommended.
#7 69.46   You should run 'sudo rosdep fix-permissions' and invoke 'rosdep update' again without sudo.
#7 69.46 ERROR: error loading sources list:
#7 69.46        <urlopen error <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)> (https://raw.githubusercontent.com/ros/rosdistro/master/index-v4.yaml)>
#7 69.46 reading in sources list data from /etc/ros/rosdep/sources.list.d
#7 69.46 Hit https://raw.githubusercontent.com/ros/rosdistro/master/rosdep/osx-homebrew.yaml
#7 69.46 Hit https://raw.githubusercontent.com/ros/rosdistro/master/rosdep/base.yaml
#7 69.46 Hit https://raw.githubusercontent.com/ros/rosdistro/master/rosdep/python.yaml
#7 69.46 Hit https://raw.githubusercontent.com/ros/rosdistro/master/rosdep/ruby.yaml
#7 69.46 Hit https://raw.githubusercontent.com/ros/rosdistro/master/releases/fuerte.yaml
#7 69.46 Query rosdistro index https://raw.githubusercontent.com/ros/rosdistro/master/index-v4.yaml
------

Investigation pointed to a urlopen without a SSL context from rosdistro

kunaltyagi commented 3 years ago

Sole CI error is for Python 3.5 which is EOL

cottsay commented 2 years ago

PEP 476 states that the default Python behavior is to use the system default certificate database. Manually supplying the context to use certifi, which explicitly states that it is the Mozilla collection, overrides that behavior.

The problem isn't that a context isn't provided, it's that your system's default certificate database isn't able to verify the connection, but Mozilla's database is.

I'm moderately confident that this is a problem with your system configuration.

kunaltyagi commented 2 years ago

This is an issue with the distro, so can't really keep this open