
Invalid peer certificate with `--tls-no-verify`

Open zen-xu opened this issue 1 year ago • 13 comments

Checks

  • [X] I have checked that this issue has not already been reported.

  • [X] I have confirmed this bug exists on the latest version of pixi, using pixi --version.

Reproducible example


Issue description

I installed a pypi package published on nexus using the latest pixi on the company's intranet server, but encountered `invalid peer certificate: UnknownIssuer`.

Expected behavior

--tls-no-verify should work

zen-xu avatar Sep 05 '24 03:09 zen-xu

Additionally, version 0.28.2 does not have this issue.

It seems to be related to #1929

zen-xu avatar Sep 05 '24 05:09 zen-xu

That is strange! How did you install pixi?

baszalmstra avatar Sep 05 '24 05:09 baszalmstra

download it from github

zen-xu avatar Sep 05 '24 05:09 zen-xu

Or is it possible to provide an option for specifying a self-signed certificate?

zen-xu avatar Sep 05 '24 05:09 zen-xu

You should be able to add the certificate to your OS's certificate store and it should be picked up.

I'll investigate the regression.

baszalmstra avatar Sep 05 '24 05:09 baszalmstra

I have added the certificate to /etc/ssl/certs/, version 0.28.2 can recognize it well, but version 0.29.0 cannot.

zen-xu avatar Sep 05 '24 06:09 zen-xu

Ah this seems to be due to an update in uv: https://github.com/astral-sh/uv/pull/6591 .

This is handled differently now between uv and pixi. Looping in @tdejager. I think this kind of setup would also be much better for pixi, but it would require a little refactoring. WDYT?

baszalmstra avatar Sep 05 '24 06:09 baszalmstra

@zen-xu As a workaround you could try setting the SSL_CERT_FILE and/or SSL_CLIENT_CERT environment variables as described here: https://docs.astral.sh/uv/configuration/authentication/#authentication-with-alternative-package-indexes

baszalmstra avatar Sep 05 '24 06:09 baszalmstra

> @zen-xu As a workaround you could try setting the SSL_CERT_FILE and/or SSL_CLIENT_CERT environment variables as described here: https://docs.astral.sh/uv/configuration/authentication/#authentication-with-alternative-package-indexes

Are you sure that these are read from our library calls as well? Some env variables uv reads only from the command-line modules.

tdejager avatar Sep 05 '24 06:09 tdejager

This works

zen-xu avatar Sep 05 '24 06:09 zen-xu

Also running into the same thing, corporate MITM cert not getting respected by pixi when I use a pyproject file.

$ pixi init --pyproject
$ pixi add crane
  × default: error installing/updating PyPI dependencies
  ├─▶ Failed to prepare distributions
  ├─▶ Failed to fetch wheel: wow @ file:///private/tmp/wow
  ├─▶ Failed to install requirements from build-system.requires (resolve)
  ├─▶ No solution found when resolving: hatchling
  ├─▶ Request failed after 3 retries
  ├─▶ error sending request for url (https://pypi.org/simple/hatchling/)
  ├─▶ client error (Connect)
  ╰─▶ invalid peer certificate: UnknownIssuer

If I use a regular pixi.toml file this bug doesn't occur, so I agree it's due to uv changes rather than the switch to rustls-tls

benmoss avatar Sep 13 '24 14:09 benmoss

Yes, I need to map the trusted-hosts feature from uv to our codebase, I just need to think of a good spot in the pixi.toml for it. I'll try to get to it next week.

tdejager avatar Sep 13 '24 14:09 tdejager

> Also running into the same thing, corporate MITM cert not getting respected by pixi when I use a pyproject file.
>
> $ pixi init --pyproject
> $ pixi add crane
>   × default: error installing/updating PyPI dependencies
>   ├─▶ Failed to prepare distributions
>   ├─▶ Failed to fetch wheel: wow @ file:///private/tmp/wow
>   ├─▶ Failed to install requirements from build-system.requires (resolve)
>   ├─▶ No solution found when resolving: hatchling
>   ├─▶ Request failed after 3 retries
>   ├─▶ error sending request for url (https://pypi.org/simple/hatchling/)
>   ├─▶ client error (Connect)
>   ╰─▶ invalid peer certificate: UnknownIssuer
>
> If I use a regular pixi.toml file this bug doesn't occur, so I agree it's due to uv changes rather than the switch to rustls-tls

@benmoss in this case you get the MITM cert instead of the one from https://pypi.org right :)?

tdejager avatar Sep 16 '24 09:09 tdejager

> This works

@zen-xu Could you please add some detail how you made this work exactly? I tried adding SSL_CERT_FILE but it seems to have no effect. So maybe I am doing it wrong. To see your solution would be very helpful. Thanks

markusschlenker avatar Nov 26 '24 09:11 markusschlenker

@markusschlenker I guess you probably forgot to add `export`:

export SSL_CERT_FILE=/etc/ssl/certs/ca-certification.crt
pixi install

zen-xu avatar Nov 27 '24 05:11 zen-xu

@zen-xu Thank you for the reply. I work on Windows and tried the following:

> set SSL_CERT_FILE="C:\Users\myname\.cert\ca_bundle.pem"
> pixi install
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
  ⠂ default:win-64       [00:00:03] resolving pypi dependencies
  x failed to solve the pypi requirements of 'default' 'win-64'
  |-> failed to resolve pypi dependencies
  |-> Failed to fetch: `https://nexus/repository/py-pypi/simple/imohash/`
  |-> Request failed after 3 retries
  |-> error sending request for url (https://nexus/repository/py-pypi/simple/imohash/)
  |-> client error (Connect)
  `-> invalid peer certificate: UnknownIssuer

markusschlenker avatar Nov 27 '24 10:11 markusschlenker
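The SSL_CERT_FILE workaround from the comments above fails silently when the variable is not exported, when its value carries literal quotes (which is what cmd.exe's `set VAR="..."` stores), when the path does not exist, or when the file is DER rather than PEM. The following pre-flight check is an added example, not code from pixi or uv; it assumes a POSIX shell and an optional `openssl` binary for listing the bundle's subjects and issuers.

```shell
#!/bin/sh
# Pre-flight check for the SSL_CERT_FILE workaround (added example, not pixi's code).
# Usage: check_ssl_cert_file [path]   (defaults to $SSL_CERT_FILE)
# Exit codes: 0 usable, 1 unset, 2 quoted value, 3 unreadable, 4 not PEM.
check_ssl_cert_file() {
  bundle="${1:-$SSL_CERT_FILE}"
  if [ -z "$bundle" ]; then
    echo "SSL_CERT_FILE is unset: a plain VAR=... without 'export' is invisible to pixi" >&2
    return 1
  fi
  # cmd.exe's  set VAR="C:\path"  keeps the quotes as part of the value, so the
  # TLS library then looks for a file literally named "C:\path" (quotes included).
  case "$bundle" in
    '"'*'"' | "'"*"'")
      echo "value is wrapped in literal quotes: $bundle" >&2
      return 2 ;;
  esac
  if [ ! -r "$bundle" ]; then
    echo "bundle not readable: $bundle" >&2
    return 3
  fi
  # rustls/uv expect a PEM bundle; a DER export has no BEGIN marker and loads nothing.
  n=$(grep -c -F -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
  if [ "$n" -eq 0 ]; then
    echo "no PEM certificates found in $bundle (DER export?)" >&2
    return 4
  fi
  echo "$bundle: $n PEM certificate(s)"
  # Optional: print subject/issuer per cert so you can confirm the corporate
  # (MITM) CA that signs the nexus certificate is actually in the bundle.
  if command -v openssl >/dev/null 2>&1; then
    openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null \
      | openssl pkcs7 -print_certs -noout 2>/dev/null || true
  fi
  return 0
}
```

Run it as `export SSL_CERT_FILE=/path/to/ca_bundle.pem; check_ssl_cert_file` before `pixi install`; a non-zero exit explains why the variable is having "no effect" before any network request is made.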

@markusschlenker I'm sorry, I'm not very familiar with Windows; perhaps you can wait for #2521 to be merged to solve this issue

zen-xu avatar Nov 29 '24 02:11 zen-xu

Still an issue for me with pixi 0.39.

C:\Users\myname\pixi\test-dump>pixi -V
pixi 0.39.0

C:\Users\myname\pixi\test-dump>pixi install --tls-no-verify
 WARN TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
  ⠄ default:win-64       [00:00:01] resolving pypi dependencies
  x failed to solve the pypi requirements of 'default' 'win-64'
  |-> failed to resolve pypi dependencies
  |-> Failed to fetch: `https://nexus/repository/py-pypi/simple/imohash/`
  |-> Request failed after 3 retries
  |-> error sending request for url (https://nexus/repository/py-pypi/simple/imohash/)
  |-> client error (Connect)
  `-> invalid peer certificate: UnknownIssuer

[project]
authors = [""]
channels = [
	"https://nexus/repository/py-conda-forge",
	"https://nexus/repository/bioconda",
]
description = "Add a short description here"
name = "main-py3.12"
platforms = ["win-64"]
version = "0.1.0"
conda-pypi-map = { "https://nexus/repository/py-conda-forge" = "file:///C:/Users/myname/.pixi/conda-pypi-map_prefix-dev_parselmouth_compressed_mapping.json" }

[pypi-options]
index-url = "https://nexus/repository/py-pypi/simple"


[tasks]

[dependencies]
python = ">=3.12.0,<3.13"

[pypi-dependencies]
imohash = "*"

markusschlenker avatar Dec 06 '24 12:12 markusschlenker

@markusschlenker This will be fixed in the next version

zen-xu avatar Dec 09 '24 02:12 zen-xu

@zen-xu still seems to not be working with pixi 0.40.2

Do I need to configure it separately in pixi.toml?

markusschlenker avatar Jan 21 '25 12:01 markusschlenker

@markusschlenker You should configure it in ~/.pixi/config.toml

zen-xu avatar Jan 22 '25 02:01 zen-xu

@zen-xu thanks, I got it to work now. Turns out I stored config.toml in a directory valid only on Linux, not on Windows (`%USERPROFILE%\.config\pixi\config.toml`). After moving it to `%USERPROFILE%\.pixi\config.toml` it works.

markusschlenker avatar Jan 24 '25 09:01 markusschlenker