Modified the code and added user notification about Python certificat…#354
Modified the code and added user notification about Python certificat…#354kripken merged 1 commit intoemscripten-core:masterfrom
Conversation
|
@kripken Updated and ready for review |
emsdk.py
Outdated
| # Modified code to inform solution for common "...[SSL: CERTIFICATE_VERIFY_FAILED] ..." on Mac and | ||
| # "<urlopen error unknown url type: https>" on Linux | ||
| # Error results in issues raised for similar problem: #133 #136 #140 #176 #6275 #6548 #6723 #9036 ... | ||
| if "SSL: CERTIFICATE_VERIFY_FAILED" or "urlopen error unknown url type: https" in str(e): |
There was a problem hiding this comment.
This is wrong, I think: it will be interpreted as if "a" or ("b" in c). I think we need if "a" in c or "b" in c.
There was a problem hiding this comment.
Oh my, of course. Haven't resolved the Linux version, so might also change the link once I have it worked out on Linux.
|
@kripken I think I have gotten to the bottom of what’s happening. It has taken some time and thinking through the problem. Here’s my view, sorry a bit long, but necessary to understand the conclusion BackgroundThe recommended installation on OS X/Linux/Unix is to use https://webassembly.org/getting-started/developers-guide/ Issue - OS X/Linux/UnixDuring installation there is an install issue
It’s the storage locations rejecting the Python TLS certificate and Python error notifying that the storage locations of WebAssembly downloads do not accept 1024-bit TLS certificates. Current recommended solutions - Upgrade Certs however, nil impactCurrent solutions recommended upgrading the Python certificates to 2048-bit or greater
However, running There are prolly edge cases where this works. The shell script on OS X/ Linux/Unix
|
|
@kripken Updated and ready for review. |
|
(I think there's still one review comment left to be addressed, see above.) Thanks for the detailed writeup! This is definitely not easy to fix. Not sure what's best here, but reading this comment I wonder if maybe we should have an |
…tes to reduce the number of issues raised during SDK installation. The OSX message is [SSL: CERTIFICATE_VERIFY_FAILED] while trying to download files. While, the Linux Python message is less descriptive. Error downloading URL 'https://xxxx.xxx.xxx': <urlopen error unknown url type: https>. This hopefully reduces the stream of common issues raised during installation as a result of the change of Python TLS certs to 2048 or greater. This change relates to emscripten-core#133 emscripten-core#136 emscripten-core#140 emscripten-core#176 #6275 #6548 #6723 #9036 … and possibly more. Installation can be accomplished by installing the latest Python certificates (pip install certifi), symbolic linking a new python version, and relying on the python shebang line to run $ ./emsdk.py install latest.
|
@kripken I've updated the code and removed the comments. #354 (comment) Ready for review. |
Not entirely sure if an ignore-cert is the way to go? This is not exclusively a WebAssembly problem. I guess we'd need to answer the question, why have TLS? The core issue is that the 1024-bit certificates are no longer trusted. The installation of 2048-bit upgrade Python has implemented, doesn't impact all locally installed versions, so the symbolic Python linked versions seem to pick the old TLS certificate. Personally, I'd prefer to maintain confidence in the WebAssembly download and not bypass the certificate. This is probably important for the entire community. A good writeup would help resolve the confusion. |
|
Thanks @Hillsie, yeah, I think those are good points. This should improve things for users a lot. If there's a good place to write more docs we can do that separately later. |
|
Hi, all of a sudden I had the same problem, I was doing some work in a Linux environment and I was hit by the lethal SSL certificate madness. I've followed every possible step of installing certifi from pip, pip3, making sure all the pythons have the correct 2048 root cert but nothing... Still broked. Until... I've changed the script to include this magic line: from: Now I can run
again! Now is that magic |
|
Can you tell me how you reproduced this on linux? Which version linux and which version of python were you able to reproduce this on? |
Sure, I have been working on I'm not familiar with python but I've been doing all sorts of work in every possible computer language so I ended up with, strangely, and I don't know why, a python3.7 python3.6, python3.6m, python2.7, python2, python all installed at the same time. I've ran the It was after a lot of poking around with all sort of other devs that I came up with the deaded SSL MADNESS, so unfortunately I don't have a dockerized example to reproduce it. The thing I've noticed from that log in the link it's that it says "unknown python3.6 version". Just to recap I had the error following step by step the instruction guidelines provided here: |
…602.3 (emscripten-core#354) Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
4 participants
Modified the code and added user notification about Python certificates issue to reduce the number of future git issues being raised about the Python ... urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate ... exception. This issue has resulted in continuous stream of issues with common problems in: #133 #136 #140 #176 #6275 #6548 #6723 #9036 ...
A notification during installation would help the user resolve the issue without raising a new issue request.