#pypa logs for Monday the 9th of April, 2018

[05:40:06] <apieceofwood> !logs
[05:40:06] <pmxbot> http://kafka.dcpython.org/channel/pypa
[12:59:52] <jleclanche> does pipenv have an equivalent to `yarn upgrade`?
[13:00:31] <jleclanche> I can't even get pipenv lock to pick up on an updated version of one of my libs :/
[13:01:38] <jleclanche> ah figured out why. question still stands tho
[22:36:44] <rambo123456> So I was happily installing python packages via pip a week ago and now I'm getting the following error: SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),)': /pypi
[22:37:42] <rambo123456> adding --trusted-host pypi.python.org to the pip command makes it work but I'm interested to know what I changed to change the pip behavior
[22:40:15] <sumanah> hi rambo123456
[22:40:27] <sumanah> rambo123456: what OS are you on?
[22:40:34] <rambo123456> sumanah OSX
[22:40:37] <sumanah> rambo123456: I am wondering whether https://mail.python.org/pipermail/python-announce-list/2018-April/011885.html affects you
[22:40:50] <sumanah> rambo123456: which version of OS X? 10.13, or previous?
[22:41:14] <rambo123456> sumanah I'm on 10.13.4
[22:41:38] <sumanah> rambo123456: could it be that you are working in a virtualenv that was created under a previous version? before you upgraded to 10.13?
[22:41:44] <rambo123456> sumanah hmmm. upgrading might be worth a shot
[22:42:11] <sumanah> rambo123456: Also! heads-up about the new PyPI :) https://pyfound.blogspot.com/2018/03/warehouse-all-new-pypi-is-now-in-beta.html
[22:42:35] <rambo123456> sumanah I know I did a OSX update recently. but not upgrade I don't think
[22:43:10] <sumanah> rambo123456: I suggest you upgrade pip to 9.0.3
[22:43:44] <rambo123456> sumanah ok let me try that. Thanks sumanah!
[22:43:50] <sumanah> and please spread the word, rambo123456
[22:44:51] <sumanah> rambo123456: here's a longer explanation of what's happening in terms of SSL stuff https://github.com/pypa/warehouse/issues/3293#issuecomment-378468534
[22:47:10] <rambo123456> sumanah interesting. I installed pip via homebrew. so I guess Its not going to affect me? I haven't read much of your links yet but will do. Thanks again
[22:50:36] <sumanah> rambo123456: what version of homebrew are you running?
[22:50:54] <rambo123456> 1.5.12
[22:51:43] <rambo123456> sumanah I just tried upgrading pip via >pip install --trusted-host pypi.python.org -U pip... still having the ssl issues after
[22:52:04] <sumanah> rambo123456: what version of pip does it now believe you are using?
[22:52:36] <rambo123456> bash-4.4$ pip --version
[22:52:36] <rambo123456> pip 9.0.3 from /usr/local/lib/python2.7/site-packages (python 2.7)
[22:53:39] <rambo123456> it did upgrade, I guess it didn't update the ssl certificates
[22:53:48] <sumanah> rambo123456: I believe the issue you are running into has just outstripped my expertise.
[22:54:09] <rambo123456> sumanah no problem. thanks for your help
[22:54:15] <sumanah> rambo123456: others here may be able to help
[22:54:22] <sumanah> rambo123456: or....
[22:54:48] <sumanah> rambo123456: on https://mail.python.org/mailman/listinfo/pythonmac-sig
[22:56:45] <di_codes> rambo123456: any chance there’s a proxy or firewall or something in between you and PyPI?
[22:57:51] <rambo123456> di_codes I'm on a vpn. let me log off the vpn and try again
[22:58:21] <tdsmith> i wouldn't expect a cert validation failure from the TLS version change
[22:59:03] <tdsmith> and homebrew python ought to be safe from it anyway
[22:59:11] <rambo123456> na its not the vpn
[23:00:18] <di_codes> what does `openssl s_client -connect <http://pypi.org:443|pypi.org:443>` give you?
[23:00:52] <tdsmith> di_codes: fwiw that got mangled on the way to the channel :(
[23:01:06] <tdsmith> rambo123456: the thing you should run is `openssl s_client -connect pypi.org:443`
[23:01:39] <di_codes> tdsmith: thanks, my IRC client is… experimental :slightly_smiling_face:
[23:02:19] <di_codes> hah, and I just realized it screws up the emojis too. fun!
[23:02:32] <tdsmith> lol
[23:04:43] <rambo123456> thanks tdsmith di_codes I ran the command... it hasn't returned but it says okay. am I supposed to have the window up while doing pip commands?
[23:04:59] <tdsmith> no -- it shouldn't return, go ahead and hit ctrl+c
[23:05:03] <tdsmith> the first few lines of the output are interesting
[23:05:46] <tdsmith> specifically the certificate chain section; it "should" look like https://gist.github.com/tdsmith/87d0a5ee5da924d50cf816603e7e7f46
[23:06:00] <rambo123456> CONNECTED(00000005)
[23:06:00] <rambo123456> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
[23:06:01] <rambo123456> verify error:num=20:unable to get local issuer certificate
[23:06:01] <rambo123456> verify return:0
[23:07:41] <rambo123456> tdsmith the certificate chain that is shown looks like the github link you gave me
[23:08:16] <rambo123456> but I'm concerned about that "unable to get local issuer certificate" message
[23:08:20] <tdsmith> that's fine
[23:08:37] <tdsmith> does `env | grep -i proxy` give you anything? (probably don't paste the output)
[23:08:48] <di_codes> i’m also curious what `python -c "import ssl; print(ssl.OPENSSL_VERSION)"` reports
[23:10:18] <rambo123456> tdsmith no proxy on that env command
[23:10:33] <tdsmith> is your clock way wrong?
[23:10:34] <rambo123456> di_codes OpenSSL 1.0.2n 7 Dec 2017
[23:10:42] <tdsmith> i'm running out of ideas :p
[23:12:26] <di_codes> rambo123456: how about `python -m pip install whatever_package_you_were_trying_to_install`?
[23:13:04] <di_codes> or really, any package
[23:13:53] <rambo123456> or add --trusted-host pypi.python.org
[23:13:58] <rambo123456> that works.
[23:14:09] <rambo123456> I just wanted to know what I did to break it. it was fine last week
[23:14:47] <di_codes> --trusted-host is not really a great option
[23:14:56] <rambo123456> I agree
[23:15:31] <rambo123456> I was messing with my .ssh/known_hosts and config earlier. but that shouldn't have anything to do with ssl certificates right?
[23:16:48] <di_codes> rambo123456: sorry for not mentioning this earlier: this is almost definitely not your fault. there have been some infrastructure changes for PyPI
[23:16:53] <rambo123456> the only other thing I can think of is I was playing with creating certificates for xcode
[23:17:18] <di_codes> rambo123456: can you try installing the `certifi` package?
[23:17:32] <di_codes> using `--trusted-host` or whatever works
[23:19:58] <tdsmith> oh hold on a minute.
[23:20:15] <rambo123456> looks like its not my particular python. I just tried it from a docker instance
[23:20:35] <rambo123456> but I logged into another machine and it works
[23:20:46] <rambo123456> but that one has version 8.1.1. pretty old
[23:21:11] <tdsmith> you're sure your clock is right?
[23:21:35] <rambo123456> like the system clock? yea. its the correct time
[23:22:43] <tdsmith> nevermind, also; there used to be a magic list of locations pip would look for certs but i think switching to certifi means that no longer happens
[23:23:01] <dstufft> the magic list is gone
[23:23:15] <dstufft> Homebrew's (entirely reasonable) shenanigans were the straw that broke the camel's back on that :P
[23:25:07] <rambo123456> alright let me try installing the certifi. do I have to do any setup after that?
[23:26:02] <rambo123456> it says certifi is already installed
[23:26:19] <di_codes> ok, i’m definitely out of ideas. dstufft?
[23:26:48] <di_codes> wait rambo123456, did you say that `python -m pip ...` worked for you?
[23:26:57] <rambo123456> no that didn't work
[23:27:05] <rambo123456> same ssl error message
[23:27:07] <dstufft> uhhh
[23:27:43] <dstufft> what version of pip is this
[23:28:13] <rambo123456> 9.0.3
[23:28:29] <dstufft> thinking a tick
[23:28:34] <rambo123456> upgraded a few minutes ago using the --trusted-host option
[23:31:01] <dstufft> python -m pip._vendor.requests.certs
[23:31:02] <dstufft> what's that output
[23:32:07] <rambo123456> "/usr/local/lib/python2.7/site-packages/pip/_vendor/certifi/cacert.pem"
[23:32:22] <dstufft> tdsmith: does homebrew stick an openssl bin on the $PATH
[23:32:24] <dstufft> I forget
[23:32:30] <tdsmith> no
[23:32:58] <rambo123456> my path has no openssl
[23:33:00] <dstufft> do you know where it's at?
[23:33:29] <rambo123456> it says: /usr/bin/openssl
[23:33:29] <tdsmith> should be $(brew --prefix openssl@1.0)/bin/openssl
[23:35:17] <dstufft> echo "" | $(brew --prefix openssl@1.0)/bin/openssl s_client -CAfile /usr/local/lib/python2.7/site-packages/pip/_vendor/certifi/cacert.pem -connect pypi.python.org:443
[23:35:22] <dstufft> can you execute that rambo123456
[23:35:27] <dstufft> and pastebin the full output
[23:38:28] <rambo123456> looking at what the heck pastebin is. sorry for being a noob
[23:38:43] <rambo123456> looks like I need an account?
[23:39:00] <dstufft> bpaste.net
[23:39:43] <rambo123456> ok. https://bpaste.net/show/e891085efdb1
[23:40:15] <tdsmith> curiouser and curiouser
[23:40:18] <dstufft> interesting
[23:40:25] <dstufft> so OpenSSL can verify the certificate directly
[23:40:40] <rambo123456> looks like that output didn't show the error like the original s_client command we did
[23:41:00] <dstufft> yea, because of the -CAfile
[23:41:33] <rambo123456> I wonder if pip is using the openssl from /usr/bin?
[23:42:09] <rambo123456> and not the brew version
[23:42:16] <rambo123456> man how did this happen lol
[23:42:18] <dstufft> nah, shouldn't be
[23:43:01] <dstufft> huh
[23:43:08] <dstufft> SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)'),)': /pypi
[23:43:13] <dstufft> Why's it accessing /pypi
[23:43:23] <rambo123456> wait you got the error too? lol
[23:43:30] <dstufft> No I copy/pasted your error
[23:43:34] <rambo123456> ok ok
[23:44:01] <dstufft> rambo123456: can you add -vvvv to the command you're typing, and pastebin the entire output, including the command you ran
[23:44:18] <rambo123456> the pip command? pip search paramiko
[23:44:23] <rambo123456> I will pastebin it
[23:45:41] <rambo123456> https://bpaste.net/show/584aef0ae521
[23:47:03] <rambo123456> dstufft https://bpaste.net/show/584aef0ae521
[23:50:23] <dstufft> rambo123456: does ``echo $REQUESTS_CA_BUNDLE`` or ``echo $PIP_CERT`` return anything?
[23:51:01] <dstufft> also ``echo $CURL_CA_BUNDLE``
[23:51:40] <rambo123456> dstufft oh man! I think you hit it. REQUESTS_CA_BUNDLE does return something
[23:51:58] <dstufft> what does it return?
[23:52:12] <rambo123456> I remember setting that this week to access a development openstack authentication
[23:52:43] <rambo123456> its pointing to /Users/<myuserid>/.ssh/openstack.pem
[23:53:09] <rambo123456> I'm going to try unsetting it to see if it does the trick
[23:53:40] <dstufft> Yea, I suspect it will
[23:54:41] <rambo123456> dstufft OMG! that did it!
[23:55:24] <dstufft> rambo123456: awesome
[23:56:09] <rambo123456> dstufft so thats a global variable for all python SSL certifications?
[23:56:31] <dstufft> rambo123456: for anything that uses the requests library
[23:56:34] <dstufft> which pip does
[23:56:45] <rambo123456> the cerfifi library right?
[23:56:59] <rambo123456> dstufft certifi sorry
[23:57:12] <dstufft> rambo123456: https://pypi.org/p/requests
[23:57:15] <dstufft> that library
[23:57:33] <dstufft> (requests uses certifi, but it also supports an envvar to point it somewhere else instead of certifi)
[23:58:54] <rambo123456> dstufft alright. I need to do some research into this. Thanks again guys for all your help.