Included cacert.pem doesn't contain current pypi.python.org CA certificate #2130
Comments
Hm, this doesn't make any sense. If the cacert.pem didn't include it, most everyone would be broken. Also PyPI's root certificate is:
and this is in the cacert.pem bundle for 1.5.6: https://github.com/pypa/pip/blob/1.5.6/pip/_vendor/requests/cacert.pem#L1896-L1925
It sounds like something might have gotten corrupted with your pip install maybe?
Indeed the root CA seems to be there. I wonder why curl is failing as well, then, with the pip/requests cacert.pem but not with system certificates. Will investigate.
This might be some kind of PEM file size limit on my OpenSSL library.
Couldn't find root cause. Unable to do a custom build of OpenSSL. OpenSSL appears to load all the CA certificates, but for some reason verification fails when there are over 150 of them.
I can verify that the ca-bundle seems to be too big...
python -c "import requests; r = requests.get('https://pypi.python.org/');"
python -c "import requests; r = requests.get('https://pypi.python.org/');"
If I remove some entries off the top:
python -c "import requests; r = requests.get('https://pypi.python.org/');"
python -c 'import requests; print(requests.certs.where())'
python -c "import ssl; print ssl.OPENSSL_VERSION"
I am using SuSE Enterprise Linux SP3, so unfortunately the included OpenSSL is not very up to date :-/
Just to clarify, even with the latest pip installed it does not work.
To fix this I need to create another CA bundle. And then set this before running pip:
also pip --cert cacert-fixed.pem would work (if it's less than 150 I believe).
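The workaround described in the comment above (count the certificates in a bundle, then write a smaller one) could be scripted as follows. This is an added example, not part of the thread or of pip's code. It assumes each certificate in the bundle is preceded by a `# Label: "..."` comment line; the 150 figure is the commenters' observation, and the function names, labels and sample bundle are constructed for illustration.

```python
import re

# One PEM certificate block, BEGIN/END marker lines included.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)
# Assumed comment format in front of each certificate.
LABEL = re.compile(r'^# Label: "(.*)"\s*$', re.MULTILINE)
THRESHOLD = 150  # count reported in the thread, not a documented OpenSSL limit


def split_bundle(text):
    """Return [(label, pem_block)]; label is None when no label comment precedes a block."""
    entries, pos = [], 0
    for m in PEM_BLOCK.finditer(text):
        # Only look at the comments between the previous block and this one.
        labels = LABEL.findall(text, pos, m.start())
        entries.append((labels[-1] if labels else None, m.group(0)))
        pos = m.end()
    return entries


def needs_trimming(text, limit=THRESHOLD):
    """True when the bundle holds more certificates than the reported limit."""
    return len(split_bundle(text)) > limit


def trim_bundle(text, keep_labels):
    """Build a smaller bundle holding only the named roots, in original order."""
    wanted = set(keep_labels)
    kept = [(label, pem) for label, pem in split_bundle(text) if label in wanted]
    missing = wanted - {label for label, _ in kept}
    if missing:
        # Refuse to write a bundle that silently lacks a requested root.
        raise KeyError("labels not found in bundle: %s" % sorted(missing))
    return "".join('# Label: "%s"\n%s\n\n' % entry for entry in kept)


def _fake(label, body):
    """Constructed placeholder block; the body is not a real certificate."""
    head = '# Label: "%s"\n' % label if label else ""
    return "%s-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n\n" % (head, body)


SAMPLE = (_fake("Constructed Root A", "QUFB") + _fake(None, "QkJC")
          + _fake("Constructed Root C", "Q0ND"))

if __name__ == "__main__":
    print(len(split_bundle(SAMPLE)), needs_trimming(SAMPLE))
    print(trim_bundle(SAMPLE, ["Constructed Root C"]))
```

The output of `trim_bundle` can be saved as `cacert-fixed.pem` and passed with `pip --cert cacert-fixed.pem`, as in the comment above. A hand-trimmed bundle no longer follows upstream CA additions and removals, so it has to be rebuilt whenever the upstream bundle changes.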
Indeed my issues were on SLES11SP3 as well. I tried to find the cause of the limit in OpenSSL, but didn't get very far.
+1
The error is:
@bitliner what OS are you running this under?
debian - jessie.
Or let's change the question: which are the OSes where it works normally?
Furthermore: locally it works, but when I run it on Amazon AWS, it stops working. It could be an issue related to AWS.
@bitliner try to install the ca-certificates package first and try again.
My problem was slightly different. It looks like the https://pypi.python.org/simple/ certificate was renewed in June 2016, so if the date of your OS is prior to that date, you'll have problems validating the certificate, no matter if the proper CA certs are installed.
It appears that the cacert.pem bundled in pip 1.5.6 (through requests) doesn't contain current pypi.python.org CA certificate:
Curl by default uses system certificates, and with curl, pypi works:
Curl with pip CA certificates fails: