does maturin build --target x86_64-pc-windows-msvc support custom CA ? #1836

Closed
1 of 2 tasks
Owen-CH-Leung opened this issue Nov 3, 2023 · 4 comments
Labels
bug Something isn't working upstream Upstream issue

Comments

@Owen-CH-Leung
Contributor

Bug Description

I've been trying to use the official maturin docker image v1.3.0 to cross compile my projects into python wheels. We're required to use a custom CA so I've already copied my custom .crt file into /etc/pki/tls/certs and run update-ca-trust accordingly.

While maturin build --compatibility manylinux_2_28 works well, maturin build --target x86_64-pc-windows-msvc always returns the following error:

Error:
Connection failed: tls connection init failed: invalid peer certificate: UnknownIssuer

I dug a bit deeper and noticed that when building a x86_64-pc-windows-msvc target, it will reach out to the domain https://aka.ms to download the Microsoft CRT:

https://github.com/Jake-Shadle/xwin/blob/main/src/manifest.rs#L119

And I'm sure that network-wise, this site is always reachable (proven by the fact that curl -L --cacert to the website returns valid content).

I've already set all the env variables that I can find online (namely: MATURIN_CA_BUNDLE, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, CARGO_HTTP_CAINFO, SSL_CERT_FILE) to point to the custom cert, but still no luck solving the UnknownIssuer error.

How should I set the process maturin build --target x86_64-pc-windows-msvc to use a custom CA? Or is it not supported yet due to downstream crates not supporting this?

Your maturin version (maturin --version)

0.13.0

Your Python version (python -V)

3.7.17

Your pip version (pip -V)

22.3.1

What bindings you're using

pyo3

Does cargo build work?

  • Yes, it works

If on windows, have you checked that you aren't accidentally using unix path (those with the forward slash /)?

  • Yes

Steps to Reproduce

Unfortunately I'm not sure how to reproduce this exact same error, since I'm getting this error in a private network with several proxies in place. But perhaps you can run the docker image inside an isolated network, create a custom CA cert and tune your network setup so that curl to the domain https://aka.ms will fail unless you supply this custom CA cert.

@Owen-CH-Leung Owen-CH-Leung added the bug Something isn't working label Nov 3, 2023
@messense
Member

messense commented Nov 3, 2023

Does it work outside of docker container?

@Owen-CH-Leung
Contributor Author

Just tested. Also didn't work on a Linux machine.

@messense
Member

messense commented Nov 4, 2023

I'm afraid I won't be able to fix it if you can't provide detailed steps to reproduce, since it requires a very specific environment to trigger the issue.

Pull requests are welcome if you can get it fixed. I think you'd have to fix it in xwin first, then we can update the dependency version in maturin.

@messense
Member

cargo-xwin was updated to 0.15.0 in #1847, you can try the docker image using ghcr.io/pyo3/maturin:main.

@messense messense removed the help wanted Extra attention is needed label Nov 15, 2023