add requests_ca_bundle to settable_env_vars #10909

Merged
merged 2 commits into from
Oct 5, 2020

thamenato (Member) commented Oct 5, 2020

Problem

If the user has a proxy set with http_proxy and https_proxy and the proxy uses a self-signed certificate, you might still get invalid SSL cert errors when the subprocess tries to get the packages externally.

  Complete output (10 lines):
  Looking in indexes: https://pypi.org/simple/
  WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/setuptools/
  WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/setuptools/
  WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/setuptools/
  WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/setuptools/
  WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/setuptools/
  Could not fetch URL https://pypi.org/simple/setuptools/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/setuptools/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)) - skipping
  ERROR: Could not find a version that satisfies the requirement setuptools>=41.0 (from versions: none)
  ERROR: No matching distribution found for setuptools>=41.0
  Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)) - skipping

Solution

Allow the user to pass the REQUESTS_CA_BUNDLE environment variable that points to the self-signed certificate.

coveralls commented Oct 5, 2020

Coverage remained the same at 0.0% when pulling c37ee09 on thamenato:ssl-to-settable-env-vars into 923f461 on pantsbuild:master.

jsirois (Contributor) commented Oct 5, 2020

Thanks @thamenato.

jsirois merged commit ec9f266 into pantsbuild:master Oct 5, 2020

benjyw (Contributor) left a comment

Thanks for the fix @thamenato !

benjyw (Contributor) commented Oct 5, 2020

@thamenato Can you clarify which process needed this env var set?

jsirois (Contributor) commented Oct 5, 2020

I assumed it had to be all PEX creation processes since those are the ones that use Pip which uses requests to do index scans and downloads.

benjyw (Contributor) commented Oct 5, 2020

That's what I was imagining, but then why didn't this suffice? #10837

jsirois (Contributor) commented Oct 5, 2020

Hrm.

I just tested Pex directly on the CLI and using a relative path for --cert (as #10837 does) works; i.e., it gets plumbed through to the Pip command as revealed with -vvv, and if the --cert passed does not exist or exists but is bogus (I used a copy of /etc/hosts), Pip fails.

@thamenato can you provide more detailed output in a new issue? Perhaps modify the previously failing Pants command to use: ./pants -ldebug --pex-verbosity=9 ....
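
Both the PR description (pass REQUESTS_CA_BUNDLE through to the fetching subprocess) and the --cert behaviour tested above (a missing or bogus file must fail) can be checked before any subprocess is launched. The following is an added Python example, not code from this thread, Pants or Pex; the contents of `SETTABLE_ENV_VARS` and the function names `check_ca_bundle` and `subprocess_env` are assumptions made for illustration.

```python
import os
import ssl

# Assumed allowlist for this sketch: the proxy variables named in the PR
# description plus the variable the PR adds. Not Pants' actual list.
SETTABLE_ENV_VARS = ("http_proxy", "https_proxy", "REQUESTS_CA_BUNDLE")


def check_ca_bundle(path):
    """Return how many certificates OpenSSL loads from the PEM file `path`.

    Raises FileNotFoundError if the file is missing and ValueError if it
    exists but holds no usable certificate (e.g. a copy of /etc/hosts).
    """
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        raise ValueError(f"{path}: no usable PEM certificate ({exc})") from exc
    return ctx.cert_store_stats()["x509"]


def subprocess_env(parent_env, allowlist=SETTABLE_ENV_VARS):
    """Build the environment handed to a package-fetching subprocess.

    Only allowlisted names pass through. A CA bundle is validated up front
    and made absolute, since the child may run in a different directory.
    """
    env = {name: parent_env[name] for name in allowlist if name in parent_env}
    bundle = env.get("REQUESTS_CA_BUNDLE")
    if bundle:
        bundle = os.path.abspath(bundle)
        check_ca_bundle(bundle)
        env["REQUESTS_CA_BUNDLE"] = bundle
    return env


if __name__ == "__main__":
    # Reports what the current shell would pass on; fails loudly on a bad bundle.
    print(subprocess_env(os.environ))
```

Failing at this point gives a clear "bad bundle" error instead of the repeated CERTIFICATE_VERIFY_FAILED retries shown in the PR description.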

jsirois (Contributor) commented Oct 5, 2020

Aha! Plugins. @thamenato I'm guessing you have "setuptools>=41.0" in your plugins list in pants.toml.

jsirois (Contributor) commented Oct 5, 2020

Fix is here: #10910

jsirois added a commit to jsirois/pants that referenced this pull request Oct 5, 2020
Also add in note about confusing proxy env var spellings.

# Rust tests and lints will be skipped. Delete if not intended.
[ci skip-rust]

# Building wheels and fs_util will be skipped. Delete if not intended.
[ci skip-build-wheels]

jsirois (Contributor) commented Oct 5, 2020

#10910 was not the fix for this issue, but with @thamenato's help this is getting narrowed down over here: pex-tool/pex#1058

@Eric-Arellano Eric-Arellano mentioned this pull request Oct 11, 2020
Eric-Arellano added a commit that referenced this pull request Oct 12, 2020
Internal only changes left off from the changelog:

* Use cpython types in Rust functions that manipulate python objects (#10942)
  `PR #10942 <https://github.com/pantsbuild/pants/pull/10942>`_

* update libz-sys version to fix macOS compile error (#10941)
  `PR #10941 <https://github.com/pantsbuild/pants/pull/10941>`_

* Upgrade to Rust stable 1.47.0. (#10933)
  `PR #10933 <https://github.com/pantsbuild/pants/pull/10933>`_

* Finish CreateDigest Directory cleanup. (#10935)
  `PR #10935 <https://github.com/pantsbuild/pants/pull/10935>`_

* Hotfix broken import from merge conflict (#10934)
  `PR #10934 <https://github.com/pantsbuild/pants/pull/10934>`_

* Revert "Port nailgun client to rust (#10865)" (#10929)
  `PR #10929 <https://github.com/pantsbuild/pants/pull/10929>`_

* An ExternalTool for downloading the grpc_python_plugin. (#10927)
  `PR #10927 <https://github.com/pantsbuild/pants/pull/10927>`_

* Port nailgun client to rust (#10865)
  `PR #10865 <https://github.com/pantsbuild/pants/pull/10865>`_

* print stacktraces during import errors (#10906)
  `PR #10906 <https://github.com/pantsbuild/pants/pull/10906>`_

* fs.Digest is declared in Rust (#10905)
  `PR #10905 <https://github.com/pantsbuild/pants/pull/10905>`_

* add requests_ca_bundle to settable_env_vars (#10909)
  `PR #10909 <https://github.com/pantsbuild/pants/pull/10909>`_

[ci skip-rust]