Setuptools installation problems: wget refuses to download files over https due to certificate errors #282

Closed
ghost opened this issue Nov 1, 2014 · 8 comments

Comments

ghost commented Nov 1, 2014

Originally reported by: konstantint (Bitbucket: konstantint, GitHub: konstantint)


I encountered this issue in two versions:

  1. Trying to install setuptools by following the line suggested in documentation:
$ wget https://bootstrap.pypa.io/ez_setup.py -O - | python
--2014-11-01 15:55:19--  https://bootstrap.pypa.io/ez_setup.py
Resolving bootstrap.pypa.io... 185.31.17.175
Connecting to bootstrap.pypa.io|185.31.17.175|:443... connected.
ERROR: certificate common name `*.c.ssl.fastly.net' doesn't match requested host name `bootstrap.pypa.io'.
  2. A more annoying situation is when setuptools is being installed automatically via pyenv:
user@server1 $ wget https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.zip
--2014-11-01 11:42:19-- https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.zip
Resolving pypi.python.org... 23.235.43.223
Connecting to pypi.python.org|23.235.43.223|:443... connected.
ERROR: certificate common name `www.python.org' doesn't match requested host name `pypi.python.org'.
To connect to pypi.python.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.

Note that in the first case the wget is invoked by the user and the problem is with the certificate of bootstrap.pypa.io, and in the second wget is invoked from within ez_setup.py and the problem is with the certificate of pypi.python.org.

Moreover, this problem seems to occur on CentOS hosts, whereas on some other Linux flavors wget is not as fussy. In any case, perhaps something could be done, by either fixing the server certificates, updating documentation, adding --no-check-certificate to the wget invocation in the docs or ez_setup, or via another option.


ghost commented Nov 1, 2014

Original comment by konstantint (Bitbucket: konstantint, GitHub: konstantint):


In the first case, adding --no-check-certificate to the wget call does not help, because the second problem (the call in ez_setup) still remains:

$ wget --no-check-certificate https://bootstrap.pypa.io/ez_setup.py -O - | python
--2014-11-01 16:14:19--  https://bootstrap.pypa.io/ez_setup.py
Resolving bootstrap.pypa.io... 185.31.17.175
Connecting to bootstrap.pypa.io|185.31.17.175|:443... connected.
WARNING: certificate common name `*.c.ssl.fastly.net' doesn't match requested host name `bootstrap.pypa.io'.
HTTP request sent, awaiting response... 200 OK
Length: 10476 (10K) [text/x-python]
Saving to: `STDOUT'

2014-11-01 16:14:19 (24.1 MB/s) - `-' saved [10476/10476]

Downloading https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.zip
Traceback (most recent call last):
  File "<stdin>", line 332, in <module>
  File "<stdin>", line 327, in main
  File "<stdin>", line 287, in download_setuptools
  File "<stdin>", line 224, in download_file_wget
  File "<stdin>", line 169, in _clean_check
  File "/home/user/.pyenv/versions/server1-2.7.8/lib/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['wget', 'https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.zip', '--quiet', '--output-document', '/home/tretjakov/.pyenv/versions/Python-2.7.8/setuptools-7.0.zip']' returned non-zero exit status 1

ghost commented Nov 1, 2014

Original comment by konstantint (Bitbucket: konstantint, GitHub: konstantint):


Changing download_file_wget in ez_setup to this:

def download_file_wget(url, target):
    cmd = ['wget', url, '--quiet', '--no-check-certificate', '--output-document', target]
    _clean_check(cmd, target)

Seems to fix the issue. Unless someone comes up with something better, I'd recommend that solution so far (as well as fixing the docs in pypi and, eventually, the server certificates).

ghost commented Nov 6, 2014

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


Duplicate of #75.

ghost commented Nov 7, 2014

Original comment by konstantint (Bitbucket: konstantint, GitHub: konstantint):


This is not an exact duplicate, as several problems are involved which are not handled by #75.

  • bootstrap.pypa.io has an invalid certificate. Not sure who is to blame, but as long as that is the case, the documentation on "Installation" should be changed.
  • The documentation says nothing about --insecure, whereas it should, because I keep stumbling on this problem over and over, and I'm sure I am not the only one like that.

Should I re-post those as separate issues?

ghost commented Nov 7, 2014

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


I don't think bootstrap.pypa.io has an invalid certificate. I'm able to load it just fine from Firefox without warnings, as are most users following the instructions. My guess is you're using an old version of wget (same as described here).

As for updating the documentation, feel free to make a pull request to describe the option. Be sure to capture under which circumstances the --insecure option might be needed and what the implications are.
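
Added illustration (not part of the original thread and not setuptools code): the wget errors quoted in this thread report a mismatch between the certificate's common name and the requested host. The sketch below shows how a client that checks only the common name rejects a certificate that a subjectAltName-aware client accepts. The certificate summaries are constructed, and their SAN lists are assumptions rather than values captured from the servers.

```python
# Constructed certificate summaries. The CN values are the ones shown in the
# wget errors in this thread; the SAN lists are ASSUMED for illustration.
CERTS = {
    "pypi.python.org": {
        "cn": "www.python.org",
        "san": ["www.python.org", "pypi.python.org"],
    },
    "bootstrap.pypa.io": {
        "cn": "*.c.ssl.fastly.net",
        "san": ["*.c.ssl.fastly.net", "bootstrap.pypa.io"],
    },
}


def name_matches(pattern, host):
    """Match a certificate name against a host, label by label.

    A '*' is honoured only as the entire left-most label, never across
    several labels and never directly under a top-level domain.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cn_only_check(cert, host):
    """Legacy behaviour: only the subject common name is compared."""
    return name_matches(cert["cn"], host)


def san_aware_check(cert, host):
    """Current behaviour: subjectAltName DNS entries decide when present."""
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(name, host) for name in names)


def explain(host):
    """Return the verdict of both checks for one of the constructed certs."""
    cert = CERTS[host]
    return {"cn_only": cn_only_check(cert, host),
            "san_aware": san_aware_check(cert, host)}
```

Neither check is relaxed by the other: a certificate whose names do not cover the host fails both. With `--no-check-certificate`, as the WARNING line earlier in the thread shows, wget reports the mismatch and downloads anyway.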

ghost commented Nov 7, 2014

Original comment by konstantint (Bitbucket: konstantint, GitHub: konstantint):


OK, I see. Old version of wget it is indeed.

I'll try to add something to the docs then.

ghost commented Nov 13, 2014

Original comment by konstantint (Bitbucket: konstantint, GitHub: konstantint):


See pull request #108

ghost commented Nov 13, 2014

Original comment by jaraco (Bitbucket: jaraco, GitHub: jaraco):


Merged. Thanks!

@ghost ghost added minor bug labels Mar 29, 2016
@ghost ghost closed this as completed Mar 29, 2016