How to run uv behind a corporate proxy?

[NiklasRosenstein]

Our corporate proxy inspects traffic and thus inserts its own certificate that has to be configured to trust across applications on the system. I do this by setting REQUESTS_CA_BUNDLE and SSL_CERT_FILE, etc. It seems that uv doesn't respect either of those. Is there another environment variable that it takes into account?

error: error sending request for url (https://pypi.org/simple/protobuf/): error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: invalid peer certificate: UnknownIssuer

[nevoodoo]

Run into the same problem here, both those variables are not respected by uv but works fine with pip, pipenv

EDIT: I see the discussion is already open in #1339

[kvelicka]

#1339 seems like a near-duplicate but I think it's important to distinguish "treat this host as trusted" and "verify the trustworthiness of this host, but using a user-specified certificate". For a corporate environment the latter option is much prefereable as we'd rather not compromise on security. Having said that, resolving #1339 would allow corporate users to at least try uv in earnest so it would be some progress!

[j-baker]

This might have a much simpler solution - basically, if you changed your reqwest feature flag from rustls-tls (which means rustls-tls-webpki-roots) to rustls-tls-native-roots, it'd use the operating system's truststore (which corporate certs are typically added to), as well as using SSL_CERT_FILE and other standard config mechanisms.

https://github.com/seanmonstar/reqwest/blob/master/Cargo.toml#L44
https://github.com/rustls/rustls-native-certs

[zanieb]

I actually made this exact change in #609 but it didn't get merged, we'll reconsider.

[c3pmark]

This would be very useful for me too. We don't have a proxy that intercepts HTTPS, but we do use an internal index with a certificate signed by our internal CA. Having to specify REQUESTS_CA_BUNDLE everywhere is a huge pain point with pip, so if the system trust store could be used that would save a ton of hassle.

[carlosjourdan]

I'm still facing the same issue on version 0.1.11

Corporate network with ssl inspection firewall, custom ca on every site. Root certificate is trusted by windows, and environment variables REQUESTS_CA_BUNDLE and SSL_CERT_FILE are setup. Python requests work fine. Pip install as well. uv fails with error below.

error: error sending request for url (https://pypi.org/simple/zeep/): error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: invalid peer certificate: UnknownIssuer

[dorschw]

in WSL, running windows-certs-2-wsl, update-ca-certificates, then

export SSL_CERT_DIR=/etc/ssl/certs
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

did the trick.

[a087861]

Following as I am in a similar boat :-/

On mac with apple silicon behind proxy. Tried running uv venv -p 3.8 which resulted in an 'invalid peer certificate' error. I think this is due to the same thing that affects others in this discussion but certs aren't my forte so I may be wrong.

[zanieb]

@a087861 try using the --native-tls flag

[a087861]

@zanieb that worked like a charm - thanks!