
get-poetry.py works, but install-poetry fails with certificate errors on Ubuntu 20.04 LTS

Open jmichiel opened this issue 3 years ago • 3 comments

Hi,

I'm behind a corporate SSL-inspecting firewall with our own certificates. I have them installed properly on my machine (with update-ca-certificates). cURL works on HTTPS sites, and installing poetry via get-poetry.py works. However, trying to install it via the newer install-poetry throws SSL errors:

WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))': /simple/poetry/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))': /simple/poetry/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))': /simple/poetry/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))': /simple/poetry/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))': /simple/poetry/
Could not fetch URL https://pypi.org/simple/poetry/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/poetry/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))) - skipping
ERROR: Could not find a version that satisfies the requirement poetry==1.1.13 (from versions: none)
ERROR: No matching distribution found for poetry==1.1.13
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)'))) - skipping
WARNING: There was an error checking the latest version of pip.

I set the certificate folder to REQUESTS_CA_BUNDLE (although I don't think requests is being used). I even added our certificates to the certifi cert bundle file, but no luck... This one has me completely stumped, since get-poetry works fine and both seem to use urllib... Corporate SSL inspection is such a PITA for Python...

jmichiel, Jun 23 '22 09:06

Sounds like we're in a similar situation. I was trying to set up a containerized poetry development environment, and none of the usual tricks that I've used in the past were letting me get past this step.

I followed the source code and saw that the new installer seems to create its own virtual pip environment (I may not 100% understand what it's doing, though), so I figured the best way to solve this issue was with environment variables much like you tried with the REQUESTS_CA_BUNDLE.

There are lots of cert-related pip env variables, but the one that worked for me was PIP_CERT. I put our corporate certs in /usr/local/share/ca-certificates, run update-ca-certificates, and point PIP_CERT to the cert file that contains the resulting bundle: PIP_CERT=/etc/ssl/certs/ca-certificates.crt. This won't work for a Windows machine, though, so you'll need to find a way to obtain a similar bundled cert file and point PIP_CERT to it.

I also set REQUESTS_CA_BUNDLE to point to the same path.

Hope this helps!

johnmwalker, Sep 07 '22 15:09
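The workaround in the comment above depends on the corporate CA actually being in the bundle file that PIP_CERT points to. The following is an added example, not part of the thread or of Poetry's installer: it checks that before exporting the two variables. The function names and the `corp-root.crt` file name are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Print each certificate in a PEM file as a single line of base64.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Return 0 if every certificate in $2 (corporate CA file) is in bundle $1,
# 1 if one is missing, 2 if a file is unreadable or holds no certificate.
bundle_has_ca() {
    bundle=$1 ca=$2
    [ -r "$bundle" ] && [ -r "$ca" ] || return 2
    wanted=$(pem_bodies "$ca")
    [ -n "$wanted" ] || return 2
    have=$(pem_bodies "$bundle")
    for body in $wanted; do   # base64 has no spaces or glob characters
        printf '%s\n' "$have" | grep -qxF -- "$body" || return 1
    done
}

# Export PIP_CERT and REQUESTS_CA_BUNDLE only for a bundle that passed the check.
use_ca_bundle() {
    bundle_has_ca "$1" "$2" || {
        echo "refusing: CA from $2 not found in $1" >&2
        return 1
    }
    export PIP_CERT="$1" REQUESTS_CA_BUNDLE="$1"
}

# On Debian/Ubuntu, after update-ca-certificates (corp-root.crt is a placeholder):
#   use_ca_bundle /etc/ssl/certs/ca-certificates.crt \
#                 /usr/local/share/ca-certificates/corp-root.crt
# then run the installer from the same shell so it inherits both variables.
```

The comparison is textual, so it confirms the certificate was merged into the bundle but does not validate the chain itself.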

How do I run update-ca-certificates? Which package should I install, please? I'm on a MacBook Pro mid-2015; since the Monterey 12.6.1 version, when I run poetry shell, I have this error:

HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/poethepoet/ (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4123)')))

Please help 🙏, I am going crazy :-/

igorms-pro, Nov 16 '22 15:11

Having the same issue on TailsOS which runs all traffic through TOR

ghost, Feb 28 '23 17:02