Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
For HTTP indexes, Pip complains that trusted host should be sans-port. However, using port doesn't work for HTTPS indexes, throwing an SSL error.
How to Reproduce
$ pip install -i http://localtest.me:5000 urllib3 --trusted-host localtest.me:5000 Looking in indexes: http://localtest.me:5000 Collecting urllib3 The repository located at localtest.me is not a trusted or secure host and is being ignored. If this repository is available via HTTPS we recommend you use HTTPS instead, otherwise you may silence this warning and allow it anyway with '--trusted-host localtest.me'. Could not find a version that satisfies the requirement urllib3 (from versions: ) No matching distribution found for urllib3
$ pip install -i https://localtest.me:8088 urllib3 --trusted-host localtest.me Looking in indexes: https://localtest.me:8088 Collecting urllib3 Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))': /urllib3/
@cjerdonek I am curious about the reason why w/o port is preferred over the other.
From a rough digging into the code, I found that an insecure host is bypassed using the requests'
At that point, we don't know the exact port of the host, if no port is provided through
Therefore, it is more straightforward to always use host with port. But I am also OK with the decisions made by maintainers if you insist. I am glad to send a PR then.
I wasn't expressing a preference but rather just making a suggestion to start talking about possible solutions. There are a couple factors that seem important: (1) Is the port looked at when using