Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Python 3.5 setup fails with an invalid certificate when running pip #866

Closed
4 of 5 tasks
andy-maier opened this issue May 14, 2024 · 9 comments
Closed
4 of 5 tasks
Assignees
Labels
bug Something isn't working

Comments

@andy-maier
Copy link

Description:

Python 3.5 setup fails with an invalid certificate when running pip.

This started happening a few days ago. 7 days ago it still worked.

From a today's run where it failed: https://github.com/zhmcclient/zhmc-ansible-modules/actions/runs/9076784995/job/24940262974

Run actions/setup-python@v5
  with:
    python-version: 3.5
    check-latest: false
    token: ***
    update-environment: true
    allow-prereleases: false
  env:
    PIP_DISABLE_PIP_VERSION_CHECK: 1
    PIP_NO_PYTHON_VERSION_WARNING: 1
Installed versions
  Version 3.5 was not found in the local cache
  Version 3.5 is available for downloading
  Download from "https://github.com/actions/python-versions/releases/download/3.5.10-90026/python-3.5.10-linux-20.04-x64.tar.gz"
  Extract downloaded archive
  /usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/bbd73505-bdd7-43f6-9be8-ea09e3ed6949 -f /home/runner/work/_temp/20ce11ed-ebf4-4b07-b07d-6c43d465aa62
  Execute installation script
  Check if Python hostedtoolcache folder exist...
  Create Python 3.5.10 folder
  Copy Python binaries to hostedtoolcache folder
  Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
  Upgrading PIP...
  Requirement already satisfied: setuptools in /opt/hostedtoolcache/Python/3.5.10/x64/lib/python3.5/site-packages
  Requirement already satisfied: pip in /opt/hostedtoolcache/Python/3.5.10/x64/lib/python3.5/site-packages
  Collecting pip
  Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:728) - skipping
  Error: Could not find a version that satisfies the requirement pip (from versions: )
  Error: No matching distribution found for pip
  Error: The process '/usr/bin/bash' failed with exit code 1

Action version:

v5

Platform:

  • Ubuntu
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Tools version:

Python 3.5

Repro steps:

To reproduce, use the setup-python action with Python 3.5.

Expected behavior:

Python 3.5 should be installed as it was 1 week ago.

Actual behavior:

See description, above.

@joamag
Copy link

joamag commented May 14, 2024

I'm also able to reproduce this behavior in a self-hosted environment.

joamag added a commit to hivesolutions/colony-npapi that referenced this issue May 14, 2024
There's an open issue on setup-python about the SSL certificate error.
actions/setup-python#866
@joamag
Copy link

joamag commented May 14, 2024

@andy-maier I believe you can use this "temporary fix" (using PIP_TRUSTED_HOST env variable) to bump pip and avoid this error

  - uses: actions/setup-python@v5
    with:
      python-version: 3.5
    env:
      PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"

Found it here https://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi

@aparnajyothi-y
Copy link
Contributor

Hello @andy-maier, Thank you for creating this issue and we will look into it :)

dirkf added a commit to ytdl-org/setup-python that referenced this issue May 15, 2024
Delgan added a commit to Delgan/loguru that referenced this issue May 16, 2024
Delgan added a commit to Delgan/loguru that referenced this issue May 16, 2024
@dirkf
Copy link

dirkf commented May 16, 2024

The Python 3.4.4 Windows MSI installation is also affected and also responds to the PIP_TRUSTED_HOST work-around. This is minimally documented at https://pip.pypa.io/en/latest/cli/pip/:

--trusted-host <hostname>

    Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.

    (environment variable: PIP_TRUSTED_HOST)

Presumably pypi.org has reconfigured its servers with some new web-breaking security option so that older SSL implementations can't verify its certificate? If so the "temporary" work-around may be wrongly described.

@andy-maier
Copy link
Author

@joamag
Hello João. Thank you very much for this workaround!!
I can confirm that it works for us.

nuclearsandwich added a commit to ros-infrastructure/ros_buildfarm that referenced this issue May 17, 2024
Immediately motivated by these builds breaking on GitHub Actions:
actions/setup-python#866 but we also do not
need to support Ubuntu 16.04 any longer.

I think we should do one more release of ros_buildfarm, if possible,
before allowing e.g. f-strings and other newer language features. But if
ever there was a repo that wanted f-strings it's this one.
nuclearsandwich added a commit to ros-infrastructure/ros_buildfarm that referenced this issue May 17, 2024
Immediately motivated by these builds breaking on GitHub Actions:
actions/setup-python#866 but we also do not
need to support Ubuntu 16.04 any longer.

I think we should do one more release of ros_buildfarm, if possible,
before allowing e.g. f-strings and other newer language features. But if
ever there was a repo that wanted f-strings it's this one.
@dirkf
Copy link

dirkf commented Jun 8, 2024

Since the point of the action is to install various versions of Python, end-of-life or not, you need to apply this workaround for the affected versions within the action itself.

@ShadowJonathan
Copy link

ShadowJonathan commented Jun 9, 2024

I agree, but adding these environment variables effectively ignores any SSL error, including MITM certificate mismatches.

I feel like a INSECURE_EOL_VERSION_OK: 1 (or similar) would be a better environment variable, explicitly acknowledging that EOL versions with security incompatibilities will be vulnerable to attacks, and that developers are okay with that (or have other security mitigations)

@priya-kinthali
Copy link
Contributor

Thank you for your suggestions. Unfortunately, it's not feasible for us to incorporate the proposed changes directly into the setup-python action. For users operating with EOL Python versions, we kindly recommend implementing the proposed workaround within your respective workflows. For optimal security, please consider upgrading to a supported Python version.
@andy-maier👋, as the issue appears to have been resolved with the suggested workaround, we are proceeding with closing the issue and appreciate your understanding and cooperation:)
Please feel free to reach us out incase of any other concerns.

cjwatson added a commit to cjwatson/multipart that referenced this issue Jun 18, 2024
It's got more awkward to test in GHA (see
actions/setup-python#866), and we advertised
dropping support for < 3.6 in multipart 0.2 anyway.
Felixoid added a commit to Felixoid/pandocfilters that referenced this issue Jun 24, 2024
jgm pushed a commit to jgm/pandocfilters that referenced this issue Jun 24, 2024
pbodnar added a commit to miyuchina/mistletoe that referenced this issue Jul 14, 2024
According to actions/setup-python#866,
this should fix the CERTIFICATE_VERIFY_FAILED error
while trying to fetch the EOL-ed Python 3.5.

Alternative: Remove support for Python 3.5.
jacobtylerwalls added a commit to pylint-dev/astroid that referenced this issue Aug 4, 2024
jacobtylerwalls added a commit to pylint-dev/astroid that referenced this issue Aug 4, 2024
jacobtylerwalls added a commit to pylint-dev/astroid that referenced this issue Aug 4, 2024
GalaxySnail added a commit to GalaxySnail/wcwidth that referenced this issue Sep 5, 2024
GalaxySnail added a commit to GalaxySnail/wcwidth that referenced this issue Sep 5, 2024
GalaxySnail added a commit to GalaxySnail/wcwidth that referenced this issue Sep 5, 2024
GalaxySnail added a commit to GalaxySnail/wcwidth that referenced this issue Sep 5, 2024
GalaxySnail added a commit to GalaxySnail/wcwidth that referenced this issue Sep 5, 2024
jquast pushed a commit to jquast/wcwidth that referenced this issue Sep 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

6 participants