Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSLCertVerificationError with self-signed certificates #23

Closed
mrtnbrst opened this issue Oct 4, 2023 · 6 comments
Closed

SSLCertVerificationError with self-signed certificates #23

mrtnbrst opened this issue Oct 4, 2023 · 6 comments

Comments

@mrtnbrst
Copy link

mrtnbrst commented Oct 4, 2023

The current version of requests does not allow disabling the verification of the SSL certificats globally. In prior versions this behaviour could be set with an environment variable. Now you have to use the verify=False argument: https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification.
The verification can fail in case of self-signed certificates (psf/requests#6074).

I'm facing this issue when using the package conda-lock, which has the ensureconda package as a dependency: conda/conda-lock#519.

What do you think about adding a flag to the CLI?
I can add a PR, but I am still unsure about the name of the CLI argument.
@maresb suggested --insecure-skip-tls-verify for the conda-lock project.

Any objections to adding such an argument to this project?
@maresb
Copy link
Collaborator

maresb commented Oct 4, 2023

Thanks @mrtnbrst for moving this forward! I'm a bit confused about your use case though.

I thought that you wanted to use self-signed repositories. What's preventing you from using TLS when downloading Conda/Mamba? Or are you working in an entirely offline environment where you need to mock all external services?

@mrtnbrst
Copy link
Author

mrtnbrst commented Oct 4, 2023
edited
Loading

Thanks @mrtnbrst for moving this forward! I'm a bit confused about your use case though.

I thought that you wanted to use self-signed repositories. What's preventing you from using TLS when downloading Conda/Mamba? Or are you working in an entirely offline environment where you need to mock all external services?

I'm working online from within a company network. My company as many others uses self-signed certificates in combination with an intercepting / filtering HTTPS proxy.

For pip / conda / npm / poetry or similar tools there is a setting for disabling such certificate checks.

This python-poetry/poetry#1556 solved poetry issue describes exactly the same problem and the solution to apply.

@maresb
Copy link
Collaborator

maresb commented Oct 4, 2023

If your company has the infrastructure to have an intercepting and filtering HTTPS proxy, then I would expect that you should be setting REQUESTS_CA_BUNDLE to the CA for your company's self-signed certificates. Is there something preventing you from doing that?

How do you configure web browsers in the company? Do you disable TLS verification in the web browser as well?

@mrtnbrst
Copy link
Author

mrtnbrst commented Oct 4, 2023

The browser is managed by the infrastructure staff and comes with the certificates already configured
I didn't consider setting this before, I guess I have to try it out.

@maresb
Copy link
Collaborator

maresb commented Oct 4, 2023

I think that will be both more secure and way easier. In case that doesn't work then let me know and we can figure out some alternative.

@mrtnbrst
Copy link
Author

I didn't manage to get it to work with certificates.
It works from the home office which is good enough for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@maresb @mrtnbrst