Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls_verify and tls_cacerts config options are not applied to requests in ImageDownloader #11715

Closed
ntouran opened this issue Oct 9, 2023 · 0 comments
Closed

tls_verify and tls_cacerts config options are not applied to requests in ImageDownloader #11715

ntouran opened this issue Oct 9, 2023 · 0 comments
Labels
internals:other type:bug

Comments

@ntouran
Copy link
Contributor

ntouran commented Oct 9, 2023
edited

Describe the bug

The tls_verify and tls_cacerts configuration options are not applied to the requests call involved in the ImageDownloader. Thus, any configuration you set with those settings does not apply as expected during a build that involves downloading images. An example is if you're doing a make latex for source that refers to external images.

I've identified that the problem in the code is here:

sphinx/sphinx/transforms/post_transforms/images.py

Line 78 in bb74aec

r = requests.get(node['uri'], headers=headers)

c.f. where they are applied here:

sphinx/sphinx/ext/intersphinx.py

Lines 138 to 140 in bb74aec

r = requests.get(url, stream=True, timeout=config.intersphinx_timeout,
_user_agent=config.user_agent,
_tls_info=(config.tls_verify, config.tls_cacerts))

I have a pull request in the works that fixes this.

This is, in essence, a needed follow-up to #3156.

How to Reproduce

  • set tls_verify = False in conf.py
  • Self-sign a certificate to a server
  • Refer to an image on that server by https:// URL in ReST
  • run make latex

Observe error:

WARNING: Could not fetch remote image: https://self-signed.exampleserver.tld/user/174/files/978909e4-d1eb-422e-8be2-daf9c2fa9280 [HTTPSConnectionPool(host='self-signed.exampleserver.tld', port=443): Max retries exceeded with url: /user/174/files/978909e4-d1eb-422e-8be2-daf9c2fa9280 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))]

Environment Information

Platform:              win32; (Windows-10-10.0.19042-SP0)
Python version:        3.11.4 (tags/v3.11.4:d2340ef, Jun  7 2023, 05:45:37) [MSC v.1934 64 bit (AMD64)])
Python implementation: CPython
Sphinx version:        7.3.0+/bb74aec2b
Docutils version:      0.20.1
Jinja2 version:        3.1.2
Pygments version:      2.16.1

Sphinx extensions

No response

Additional context

My particular use case where this is coming up is that I have some .md files with image Markdown in them pointing to external URLs, and when those come via myst_parser into sphinx and out to LaTeX, I'm seeing unexpected certificate errors.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
internals:other type:bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@AA-Turner @picnixz @ntouran