Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SSL CA certificate information to `pip debug` #7146

Closed
chrahunt opened this issue Oct 6, 2019 · 5 comments · Fixed by #7216
Closed

Add SSL CA certificate information to `pip debug` #7146

chrahunt opened this issue Oct 6, 2019 · 5 comments · Fixed by #7216

Comments

@chrahunt
Copy link
Member

@chrahunt chrahunt commented Oct 6, 2019

What's the problem this feature will solve?

As described in #6720 (comment), pip may be using several sources of information for the CA certificate bundle to use for HTTPS requests. This makes it hard to debug user issues.

Describe the solution you'd like

In the output of pip debug we should include:

  • the cert setting from the highest-priority pip configuration file (and the configuration file path) - on second thought the location doesn't matter much
  • os.environ.get('REQUESTS_CA_BUNDLE')
  • os.environ.get('CURL_CA_BUNDLE')
  • pip._vendor.certifi.where()

This will provide insight into the CA certificate bundle in use for a given request, which can then be used in instructions to the user in conjunction with curl/openssl to submit an HTTP request independent of pip and rule out pip-specific issues.

Alternative Solutions

Do nothing.

Additional context

@Pachwenko

This comment has been minimized.

Copy link
Contributor

@Pachwenko Pachwenko commented Oct 14, 2019

I think I can handle this one, but how would one get the highest-priority pip configuration file?

I see:

class Configuration(object):
but it doesn't seem to know which file is highest priority

@pradyunsg

This comment has been minimized.

Copy link
Member

@pradyunsg pradyunsg commented Oct 14, 2019

Discussed this in person at PyCon India sprints.

Noting here for myself, that the suggested approach makes sense, since our configuration is cascading in a manner not handled by Configuration.

@chrahunt

This comment has been minimized.

Copy link
Member Author

@chrahunt chrahunt commented Oct 14, 2019

@Pachwenko I don't have the answer offhand, but if you want to do the others that would be totally fine. We can check them off in the original post as they get completed.

@pradyunsg

This comment has been minimized.

Copy link
Member

@pradyunsg pradyunsg commented Oct 15, 2019

@chrahunt I think it's best to leave the "get highest level file" details to a follow up PR since we'd need to keep track of more details than we're exposing publicly from the Configuration object currently.

@chrahunt

This comment has been minimized.

Copy link
Member Author

@chrahunt chrahunt commented Oct 15, 2019

Agreed, that's what I was implying in my comment (in case it wasn't clear). 👍

@lock lock bot added the S: auto-locked label Nov 16, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Nov 16, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

3 participants
You can’t perform that action at this time.