sethmlarson / truststore

Verify certificates using OS trust stores
https://truststore.readthedocs.io
MIT License
151 stars 18 forks

`certificate verify failed: self-signed certificate in certificate chain` when installing a zip file from github #123

Closed bindreams closed 6 months ago

bindreams commented 8 months ago

When installing a package from a zip file, like this:

pip install https://github.com/goldmann/docker-squash/archive/4a7fc2c3a2175d868ff60eefdbab53240a7641d5.zip --use-feature=truststore

I received the following error:

Collecting https://github.com/goldmann/docker-squash/archive/4a7fc2c3a2175d868ff60eefdbab53240a7641d5.zip
  WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))': /goldmann/docker-squash/archive/4a7fc2c3a2175d868ff60eefdbab53240a7641d5.zip
[...]
ERROR: Could not install packages due to an OSError: HTTPSConnectionPool(host='github.com', port=443): Max retries exceeded with url: /goldmann/docker-squash/archive/4a7fc2c3a2175d868ff60eefdbab53240a7641d5.zip (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))

I'm not sure if installing via a zip file specifically is the issue, because AFAIK our pypi certificates are not being substituted by corporate. I can confirm that curl https://github.com works without any cert problems. Also, using the pip-system-certs package instead of the truststore option worked in this case.

From my limited understanding, it seems that in our corporate environment github returns a certificate signed by our corporate root CA with no intermediates. This root CA was manually installed using ca-certificates package on ubuntu 22.04.

sethmlarson commented 8 months ago

Thanks for opening this. Our implementation of loading certificates on Linux/OpenSSL is fairly straightforward, we look in the OpenSSL-configured default location first and then investigate a few standard locations where certificates tend to be (based on Christian Heimes' list).

If you could look at our implementation and then see where things are going wrong on your machine that would help greatly in case others are experiencing this issue as well. Unfortunately because your issue likely is being caused by your specific environment/configuration it's unlikely we'll be able to help you more than this. I hope this is enough to figure out the root cause and report back?

sethmlarson commented 7 months ago

@andreasxp Could you provide the path that ca-certificates certificate bundle is installed at in addition to the output of the following Python script:

import ssl
print(ssl.get_default_verify_paths())

Without this information it's not possible to debug your issue. Thank you!
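As an added example (not truststore's own code and not something posted in this thread), the script below extends the two-line snippet above into a diagnostic that follows the Linux lookup order the maintainer describes: OpenSSL's configured default first (including an `SSL_CERT_FILE` override), then a list of well-known distro bundle locations. The path list is my approximation of the "standard locations" mentioned in the thread, not copied from truststore, and the report format is my own. For every bundle that exists it loads the file through OpenSSL and reports how many CA certificates it holds and whether a root with a given subject CN, such as a corporate root installed with ca-certificates, is among them; that is the check a user in the reporter's situation would want before opening an issue.

```python
import os
import ssl

# Bundle locations commonly probed on Linux when OpenSSL's configured default
# is missing. This is an assumption approximating the list the thread refers
# to; it is not truststore's source.
COMMON_CA_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",                 # Debian/Ubuntu (ca-certificates)
    "/etc/pki/tls/certs/ca-bundle.crt",                   # Fedora/RHEL
    "/etc/ssl/ca-bundle.pem",                             # openSUSE
    "/etc/pki/tls/cacert.pem",                            # OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",  # CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                  # Alpine, macOS
]


def candidate_bundles(extra=()):
    """Ordered, de-duplicated list of CA bundle files to probe.

    OpenSSL's own default comes first (an SSL_CERT_FILE-style override wins,
    then the compiled-in cafile), followed by the well-known distro paths and
    any caller-supplied extras.
    """
    dvp = ssl.get_default_verify_paths()
    ordered = [
        os.environ.get(dvp.openssl_cafile_env),  # usually SSL_CERT_FILE
        dvp.cafile,                              # default cafile if it exists
        dvp.openssl_cafile,                      # compiled-in OpenSSL default
        *COMMON_CA_BUNDLES,
        *extra,
    ]
    seen, result = set(), []
    for path in ordered:
        if path and path not in seen:
            seen.add(path)
            result.append(path)
    return result


def first_existing(paths):
    """First path that exists as a regular file, or None."""
    for path in paths:
        if os.path.isfile(path):
            return path
    return None


def _cn(name):
    """CommonName from the tuple-of-RDNs form that ssl returns, or None."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def describe_bundle(path):
    """Load a PEM bundle with OpenSSL and summarise the CA certs it contains.

    A bare SSLContext is used on purpose: create_default_context() would also
    pull in the system defaults and hide what this one file contributes.
    get_ca_certs() only lists certificates OpenSSL regards as CAs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return [
        {
            "subject": _cn(cert["subject"]),
            "issuer": _cn(cert["issuer"]),
            "self_signed": cert["subject"] == cert["issuer"],
            "not_after": cert["notAfter"],
        }
        for cert in ctx.get_ca_certs()
    ]


def bundle_has_root(path, subject_cn):
    """True if a CA whose subject CN equals subject_cn is in the bundle."""
    return any(c["subject"] == subject_cn for c in describe_bundle(path))


def report(extra=(), expected_root_cn=None):
    """Print where OpenSSL looks and what each existing bundle holds."""
    dvp = ssl.get_default_verify_paths()
    print("ssl.get_default_verify_paths():", dvp)
    data = {"default_paths": dvp, "bundles": {}}
    for path in candidate_bundles(extra):
        if not os.path.isfile(path):
            print(f"  missing  {path}")
            continue
        certs = describe_bundle(path)
        hit = expected_root_cn is not None and any(
            c["subject"] == expected_root_cn for c in certs
        )
        line = f"  found    {path}: {len(certs)} CA cert(s)"
        if expected_root_cn is not None:
            line += f", contains {expected_root_cn!r}: {hit}"
        print(line)
        data["bundles"][path] = {"count": len(certs), "has_expected_root": hit}
    return data


if __name__ == "__main__":
    import sys
    # Optional argument: subject CN of the root you expect to be trusted,
    # e.g. the corporate CA installed via ca-certificates.
    report(expected_root_cn=sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python3 diag.py "Corp Root CA"` (the CN is a placeholder). If the expected root shows up only in a bundle that is not the first existing candidate, or only in a file outside the probed list, that is the mismatch to report; if it shows up in the first bundle and verification still fails, the problem is elsewhere in the chain, and a capture of the served chain is the next thing to collect.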

bindreams commented 6 months ago

Hi again, it seems I can no longer reproduce the issue. Time heals all wounds I guess 🤷