Poetry: Recommended install method fails with SSL: CERTIFICATE_VERIFY_FAILED

Created on 28 Nov 2018  路  14Comments  路  Source: python-poetry/poetry

  • [ ] I am on the latest Poetry version.
  • [x] I have searched the issues of this repo and believe that this is not a duplicate.
  • [ ] If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
  • OS version and name: Linux Mint 19 Tara
  • Poetry version: not possible to install
  • Link of a Gist with the contents of your pyproject.toml file: no pyproject.toml

Issue

curl -sSL https://raw.githubusercontent.com/sdispater/poetry/master/get-poetry.py | python
Retrieving Poetry metadata
Traceback (most recent call last):
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 1318, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1400, in connect
    server_hostname=server_hostname)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 859, in <module>
  File "<stdin>", line 855, in main
  File "<stdin>", line 318, in run
  File "<stdin>", line 351, in get_version
  File "<stdin>", line 819, in _get
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 544, in _open
    '_open', req)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 1361, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 1320, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)>
picture gonvaled

Most helpful comment

I'm having the same issue when trying to run the poetry installer. I'm not sure what else it would or even could be.

I've exported REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt, pip install works, pipenv works, other python applications that rely on ca certs work except for this installer. Any chance this can be reopened and looked further?

picture hoshsadiq on 26 Dec 2019
👍5

All 14 comments

This is not an Poetry's end. You most likely have an issue with your certificates.

Basically, the installer only make requests to https://pypi.org and https://github.com so the likelihood of their certificates being invalid is minimal.

Now since it crashes at Retrieving Poetry metadata, the error happens when contacting https://pypi.org.

At this point I am not sure what the solution is. Check your certificates and see if it fixes this.

sdispater picture sdispater on 28 Nov 2018

Sounds a lot like https://github.com/sdispater/poetry/issues/449.
@gonvaled - what OS are you on?

cjw296 picture cjw296 on 28 Nov 2018

@cjw296

Sounds a lot like #449.
@gonvaled - what OS are you on?

As mentioned in the report, Linux Mint 19 Tara (based on Ubuntu Bionic 18.04)

gonvaled picture gonvaled on 29 Nov 2018

@sdispater

This is not an Poetry's end. You most likely have an issue with your certificates.

Basically, the installer only make requests to https://pypi.org and https://github.com so the likelihood of their certificates being invalid is minimal.

Now since it crashes at Retrieving Poetry metadata, the error happens when contacting https://pypi.org.

At this point I am not sure what the solution is. Check your certificates and see if it fixes this.

You could be right, but what makes me suspicious of the installer is the following:

  • I have no problems whatsoever with certificates when using other tools
  • I am able to install poetry with pipx install poetry
  • I am able to install poetry with pip install --user poetry
gonvaled picture gonvaled on 29 Nov 2018

@sdispater Just out of curiosity:

  1. Why do you recommend installing poetry with its custom installer?
  2. Why is a pip install --user poetry not enough, as it is for other tools?

One of the reasons seems to be to allow poetry to update itself via poetry self:update, but I do not see why a pip install --upgrade poetry would not be good enough.

Maybe a line about this in the readme would clarify things.

gonvaled picture gonvaled on 29 Nov 2018

@gonvaled There are a few reasons:

  • The installer installs Poetry in such a way that it is completely isolated from the rest of the system (vendored dependencies). That way its dependencies are fixed and there is no risk of dependencies being removed or updated by the installation of another tool.
  • If you install it via pip, Poetry will only be aware of the Python executable it has been installed for and as such will not be able to pick up the proper python version set by a tool liek pyenv.
sdispater picture sdispater on 30 Nov 2018

@gonvaled And the installer does not do anything in particular and only uses the standard library. Note that pip bundles certifi (https://github.com/pypa/pip/tree/master/src/pip/_vendor/certifi) which explains the absence of certificate errors.

So, there was an issue when compiling your Python version with pyenv which most likely linked against the wrong libssl version. However, I could not reproduce on a fresh install of Ubuntu 18.04.

sdispater picture sdispater on 1 Dec 2018

@sdispater - I'm afraid this is why I dislike pyenv's choice to try and compile python from source everywhere, that can be hard to get right, and someone else has normally already done it so you don't have to...

cjw296 picture cjw296 on 1 Dec 2018

@cjw296 it's not really a choice, official CPython does not distribute binaries for anything but macOS (and windows also I guess but pyenv doesn't _really_ support windows). Package managers on the platforms also don't let you ask for a very specific version like "3.7.0", you just get whatever latest version they have.

PyPy and Anaconda do ship binaries, and pyenv does use those.

joshfriend picture joshfriend on 3 Dec 2018

Why do you need very specific versions? Most OS vendors are good at backporting patches and bad at updating the version number ;-)

How do I teach pyenv about what conda python versions I have installed?

cjw296 picture cjw296 on 3 Dec 2018

Closing old issue that likely isn't related to poetry.

brycedrennan picture brycedrennan on 21 Aug 2019

I'm having the same issue when trying to run the poetry installer. I'm not sure what else it would or even could be.

I've exported REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt, pip install works, pipenv works, other python applications that rely on ca certs work except for this installer. Any chance this can be reopened and looked further?

hoshsadiq picture hoshsadiq on 26 Dec 2019
👍5

I was able to bypass the certification by generating a new SSL context and passing it in every urlopen call of the script. IMHO it means that some URLs in the script have invalid certificates and should be fixed.

giokara picture giokara on 13 Mar 2020

On macOS I had to create a symlink from OS certificates to python:

ln -s /etc/ssl/* /Library/Frameworks/Python.framework/Versions/3.9/etc/openssl
unmade picture unmade on 13 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ghost picture ghost  路  3Comments
jeremy886 picture jeremy886  路  3Comments
jhrmnn picture jhrmnn  路  3Comments
mozartilize picture mozartilize  路  3Comments
AWegnerGitHub picture AWegnerGitHub  路  3Comments