CERTIFICATE_VERIFY_FAILED on Upload
herter4171 opened this issue
We have been running pypiserver for some time now using the Docker image, and we are on the latest version (1.5.0). We have HTTPS enabled on port 443 with a certificate signed by GoDaddy, which, as you can see below, is valid when visiting the site.
For some reason, I'm getting the following error trying to upload. The server-side config hasn't changed aside from updating to the latest version to see if that'd help, and the Docker Compose output doesn't print anything when this failure occurs.
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)>
error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)>
The only thing I can think of that's changed is that the package tarball has become a bit large at 61 MB, but other than that, I don't know why we're seeing this error on all of our machines. The environment at hand is summarized in the table below.
Tool | Version | Note |
---|---|---|
OS | Amazon Linux 2 | |
OpenSSL | 1.1.1o | Built from source to /usr/local |
Python | 3.10.4 | Built from source to /usr/local using above OpenSSL |
Setup Tools | 58.1.0 | |
Currently, we are using sdist, but the same failure occurs with twine. Last of all, I can work around this by adding the following to my setup.py, but I would prefer not to introduce that sketchiness into production.
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
Okay, there's definitely something funny with our OpenSSL install, because when I do openssl s_client -connect [SITE]:443 on the system-installed version under /usr/bin, it doesn't kick back that it's self-signed. I'll keep this open to see if anyone might have a suggestion, but feel free to close as I'm pretty sure this mess is of my own doing and unrelated to this project.
Final update. I found out Amazon Linux 2 has OpenSSL packages openssl11* that are compatible with Python 3.10.x. Should anyone care, before configuring Python, you want to point it to openssl11 via
sed -i 's/PKG_CONFIG openssl /PKG_CONFIG openssl11 /g' configure
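A diagnostic for the kind of mismatch described in this issue, as an added example that is not part of the original post or of pypiserver: it reports which OpenSSL build the running interpreter is linked against and where that build looks for CA certificates, compares the verification settings of the setup.py workaround with the default context, and probes a host with verification left on. The function names are hypothetical, and the host to probe is taken from the command line.

```python
import socket
import ssl
import sys


def trust_store_report():
    """Which OpenSSL this interpreter is linked against and where it looks for CAs."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        # Locations compiled into the linked OpenSSL build.
        "compiled_cafile": paths.openssl_cafile,
        "compiled_capath": paths.openssl_capath,
        # Resolved locations (SSL_CERT_FILE / SSL_CERT_DIR honoured);
        # None means the file or directory does not exist on this machine.
        "cafile_in_use": paths.cafile,
        "capath_in_use": paths.capath,
        # Counts only certificates read from the CA file at load time;
        # a capath directory is searched lazily during the handshake.
        "preloaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
    }


def context_settings(ctx):
    """Verification settings of a context, e.g. ('CERT_REQUIRED', True)."""
    return ctx.verify_mode.name, ctx.check_hostname


def probe(host, port=443, cafile=None, timeout=10):
    """Handshake with verification on; cafile optionally names a CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"verified ({tls.version()})"
    except ssl.SSLCertVerificationError as exc:
        return f"verify failed [{exc.verify_code}]: {exc.verify_message}"
    except OSError as exc:
        return f"connection failed: {exc}"


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print(f"{key}: {value}")
    # The setup.py workaround from the post turns both checks off.
    print("workaround:", context_settings(ssl._create_unverified_context()))
    print("default:   ", context_settings(ssl.create_default_context()))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it with the same interpreter that performs the upload, passing the server's host name as the only argument; a CA bundle path given to `probe` through `cafile` keeps verification on while testing a different trust store.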