Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

SSL verification failed during install #3

Open
k4ml opened this Issue · 6 comments

2 participants

@k4ml
Owner

On freshly launched digital ocean droplet of Ubuntu 12.04 x64 image:-

python pip.zip install Django
Downloading/unpacking Django
  Could not fetch URL https://pypi.python.org/simple/Django/: There was a problem confirming the ssl certificate: <urlopen error [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>
  Will skip URL https://pypi.python.org/simple/Django/ when looking for download links for Django
  Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>
  Will skip URL https://pypi.python.org/simple/ when looking for download links for Django
  Cannot fetch index base URL https://pypi.python.org/simple/
  Could not fetch URL https://pypi.python.org/simple/Django/: There was a problem confirming the ssl certificate: <urlopen error [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib>
  Will skip URL https://pypi.python.org/simple/Django/ when looking for download links for Django
  Could not find any downloads that satisfy the requirement Django
Cleaning up...
No distributions at all found for Django
@k4ml
Owner

Test with properly installed pip and upgraded to latest version seem does not have an issue so this is not related to Ubuntu or openssl library:-

sudo apt-get install python-virtualenv
virtualenv test-pip
cd test-pip
./bin/pip --version
pip 1.1 from /home/kamal/testpip/lib/python2.7/site-packages/pip-1.1-py2.7.egg (python 2.7)
./bin/pip install -U pip
./bin/pip --version
pip 1.4.1 from /home/kamal/testpip/lib/python2.7/site-packages (python 2.7)
./bin/pip install Django

Above was succeeded. So pip-1.4.1 does not has any issue on Ubuntu 12.04_x64. Probably we still missing some files to be included in the zip.

@vsajip

It's the cacert.pem file, but you'll need to do more than just add it to the zip. The code which validates certs (not part of pip - it's in Python) expects to be passed a path to the certs file, and won't work with the cacert.pem in the .zip.

@k4ml
Owner

Try with using pkg_resources.resource_filename but got resource_filename() only supported for .egg, not .zip. Searching around found similar issue with dropbox client but the workaround mentioned work because it ship python executable and the cert file placed outside library.zip, next to the interpreter executable I guess.

I guess this is dead-end by now, until pip drop cacert.pem usage.

@vsajip

Yes, I believe it's a dead end, unless changes are made to pip :-(

@k4ml
Owner

Since we can still read the file content using pkg_resources.resource_string, I wrote the cert content to temp file and passing that file path instead. Do you think there's an issue with this, security wise maybe ?

@vsajip

Not particularly (assuming the file will be extracted from the zip everytime), but I believe you will run into other problems due to pip's design. For example, pip specifically searches for installed "pip" (!!!) and "setuptools" distributions, and will not work as expected if they're not there, and use them (rather than what's in the zip) if they are there. See this post and this pip issue I raised.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.