Add support for CURL_CA_BUNDLE_AUTODETECT #835

Closed
kurtseifried opened this issue Mar 1, 2024 · 3 comments

kurtseifried commented Mar 1, 2024

Prior to creating an issue, please review the troubleshooting documentation:
http://pycurl.io/docs/dev/troubleshooting.html

What did you try to do?

Load https://seifried.org

What happened?

pycurl.error: (77, 'error setting certificate verify locations:\n CAfile: /etc/pki/tls/certs/ca-bundle.crt\n CApath: none')

What did you expect to happen?

Load website

What is the PycURL version?

pycurl.version
'PycURL/7.45.3 libcurl/7.61.1 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.6/openssl/zlib nghttp2/1.33.0'

What is your Python version?

(output of python -V)
python3 -V
Python 3.10.12

What is your operating system and its version?

cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"

SUGGESTED SOLUTION:

curl supports a CURL_CA_BUNDLE_AUTODETECT

https://github.com/curl/curl/blob/9e2ee704940e4e8ba38ba770b86a79ec091990bf/CMakeLists.txt#L999

If this option could be supported in PycURL, we could use it natively, e.g.:

c.setopt(c.CURL_CA_BUNDLE_AUTODETECT, True)

QUICK WAY TO FIX IN YOUR PYTHON CODE (basically recreate the function):

        self.ca_bundle_path = self.find_ca_bundle([
            '/etc/ssl/certs/ca-certificates.crt',
            '/etc/pki/tls/certs/ca-bundle.crt',
            '/etc/ssl/ca-bundle.pem',
            '/etc/pki/tls/cacert.pem',
            '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
            '/etc/ssl/cert.pem',
        ])
        if not self.ca_bundle_path:
            sys.exit("No CA bundle found. SSL certificate verification might fail. Exiting.")

and then later on:

        c.setopt(c.CAINFO, self.ca_bundle_path)
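
A self-contained version of the workaround sketched above, as an added example that is not part of the original post or of PycURL. `find_ca_bundle` and `fetch` are hypothetical helper names, and the PEM-marker check goes beyond the post's snippet, which only lists the candidate paths.

```python
import sys
from io import BytesIO

# Candidate paths copied from the list in the post above.
CA_BUNDLE_CANDIDATES = [
    '/etc/ssl/certs/ca-certificates.crt',
    '/etc/pki/tls/certs/ca-bundle.crt',
    '/etc/ssl/ca-bundle.pem',
    '/etc/pki/tls/cacert.pem',
    '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
    '/etc/ssl/cert.pem',
]
PEM_MARKER = b'-----BEGIN CERTIFICATE-----'


def find_ca_bundle(candidates=CA_BUNDLE_CANDIDATES):
    """Return the first candidate that is a readable file holding at least
    one PEM certificate, or None (hypothetical helper, not from the post)."""
    for path in candidates:
        try:
            with open(path, 'rb') as fh:
                # Skip empty or non-PEM files rather than trusting them.
                if PEM_MARKER in fh.read():
                    return path
        except OSError:
            continue  # missing, unreadable, or a directory
    return None


def fetch(url, ca_bundle):
    """GET url with certificate verification left on, trusting ca_bundle."""
    import pycurl  # imported here so find_ca_bundle works without pycurl
    buf = BytesIO()
    c = pycurl.Curl()
    try:
        c.setopt(c.URL, url)
        c.setopt(c.CAINFO, ca_bundle)  # replaces the compiled-in CA path
        c.setopt(c.WRITEDATA, buf)
        c.perform()
        return c.getinfo(c.RESPONSE_CODE), buf.getvalue()
    finally:
        c.close()


if __name__ == '__main__':
    bundle = find_ca_bundle()
    if bundle is None:
        sys.exit('No CA bundle found; not continuing without verification.')
    print(fetch('https://seifried.org', bundle)[0])
```
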
@swt2c
Contributor

swt2c commented Mar 1, 2024

Presumably you're using the pycurl wheel (and you didn't compile pycurl yourself)?

Unfortunately CURL_CA_BUNDLE_AUTODETECT appears to be a compile-time option, not a runtime option, so I don't think it would be helpful in this case.

@kurtseifried
Author

Correct, pip3 install.

Can I suggest changing the documentation of the error message perhaps to mention "CURL_CA_BUNDLE_AUTODETECT"? If you google "CURL_CA_BUNDLE_AUTODETECT" there are just over 1000 hits; if you google the error message there are 5000+. And/or the documentation can be updated to include the above code snippet which basically replicates CURL_CA_BUNDLE_AUTODETECT in the same way curl looks for the files.

@swt2c
Contributor

swt2c commented Mar 1, 2024

This is really a bug with the wheel that I haven't figured out how to solve yet. The problem is that manylinux_2_28 wheels are built using AlmaLinux 8, which has a different default CA path than Debian/Ubuntu systems.

I'm going to close this as a duplicate of #834.

swt2c closed this as not planned Mar 1, 2024