pypiserver / pypiserver

Minimal PyPI server for uploading & downloading packages with pip/easy_install

CERTIFICATE_VERIFY_FAILED on Upload

herter4171 opened this issue

We have been running pypiserver for some time now using the Docker image, and we are on the latest version (1.5.0). We have HTTPS enabled on port 443 with a certificate signed by GoDaddy, which, as you can see below, is valid when visiting the site.

image

For some reason, I'm getting the following error trying to upload. The server-side config hasn't changed aside from updating to the latest version to see if that'd help, and the Docker Compose output doesn't print anything when this failure occurs.

```
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)>
error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)>
```

The only thing I can think of that's changed is that the package tarball has become a bit large at 61 MB, but other than that, I don't know why we're seeing this error on all of our machines. The environment at hand is summarized in the table below.

| Tool | Version | Note |
|---|---|---|
| OS | Amazon Linux 2 | |
| OpenSSL | 1.1.1o | Built from source to /usr/local |
| Python | 3.10.4 | Built from source to /usr/local using above OpenSSL |
| Setup Tools | 58.1.0 | |

Currently, we are using sdist, but the same failure occurs with twine. Last of all, I can work around this by adding the following to my setup.py, but I would prefer not to introduce that sketchiness into production.

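```python
import ssl

# Workaround: replaces the default HTTPS context factory with one that
# skips certificate verification for every HTTPS connection in the process.
ssl._create_default_https_context = ssl._create_unverified_context
```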

Okay, there's definitely something funny with our OpenSSL install, because when I do `openssl s_client -connect [SITE]:443` on the system-installed version under /usr/bin, it doesn't kick back that it's self-signed. I'll keep this open to see if anyone might have a suggestion, but feel free to close as I'm pretty sure this mess is of my own doing and unrelated to this project.

Final update. I found out Amazon Linux 2 has OpenSSL packages openssl11* that are compatible with Python 3.10.x. Should anyone care, before configuring Python, you want to point it to openssl11 via

```sh
sed -i 's/PKG_CONFIG openssl /PKG_CONFIG openssl11 /g' configure
```
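
Added example (not part of the original issue or of pypiserver): a diagnostic that reports which OpenSSL build the Python interpreter is linked against and where that build looks for CA certificates, and that keeps verification enabled with an explicit CA bundle instead of the unverified-context workaround. It assumes the failure comes from the source-built OpenSSL having no usable trust store, which the issue does not confirm; the function names are hypothetical.

```python
import os
import ssl


def trust_store_report():
    """Report the linked OpenSSL build and where it looks for CA certificates."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()  # verification on, default CAs loaded
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        # Compiled-in defaults, relative to the linked build's OPENSSLDIR.
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
        # Effective locations; None means nothing exists at that path.
        "cafile": paths.cafile,
        "capath": paths.capath,
        # Environment overrides (SSL_CERT_FILE / SSL_CERT_DIR) if set.
        "env": {name: os.environ.get(name) for name in
                (paths.openssl_cafile_env, paths.openssl_capath_env)},
        # CAs loaded from a bundle file; capath entries load lazily, so
        # this can be 0 even when a usable capath directory exists.
        "loaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
    }


def likely_missing_trust_store(report):
    """True when the interpreter has no CA bundle, directory, or loaded CA."""
    return (report["cafile"] is None and report["capath"] is None
            and report["loaded_ca_certs"] == 0)


def verifying_context(cafile=None):
    """Build a context that verifies peers, optionally against an explicit bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    report = trust_store_report()
    for key, value in report.items():
        print(f"{key}: {value}")
    if likely_missing_trust_store(report):
        print("No CA certificates found for this build; set SSL_CERT_FILE or "
              "pass a bundle path to verifying_context() rather than disabling "
              "verification.")
```

Run it with the same interpreter that performs the upload; comparing its output with the system Python's shows whether the two builds read different trust stores.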