--no-verify-ssl is broken in CentOS/RHEL 8 #8213

Closed
alexzorin opened this issue Aug 14, 2020 · 7 comments

@alexzorin
Collaborator

alexzorin commented Aug 14, 2020

While trying to test with Pebble in EPEL8, I found that --no-verify-ssl was not actually doing anything. Digging in, it appears that the version of python3-urllib3 published in EPEL8 is affected by urllib3/urllib3#1682, which makes it impossible to disable verification in some environments.

This is not actually an issue in Certbot and as such can probably be closed immediately, but I'm just wondering @FelixSchwarz whether you have any advice about getting https://bugzilla.redhat.com/show_bug.cgi?id=1824900 moving? Should a separate bug be filed? Sorry, newbie to EL land.

@FelixSchwarz
Contributor

@alexzorin Thanks for notifying me about this.

Unfortunately, python3-urllib3 is not released by EPEL but is part of RHEL (base), so any change needs to go through Red Hat's change management process. If we can get that change in, it'll take quite a while. I'll check later if there is an open bugzilla already or if I can ping someone I know. However, I don't think this can be fixed quickly (short of bundling the module ourselves).

The bugzilla issue you linked is for Fedora which should be much easier. I'll ping the maintainers later today.

@alexzorin
Collaborator Author

Whoops! I was initially looking at requests as the culprit and did not notice that urllib3 is in base. My bad, nice catch. Thanks!

@FelixSchwarz
Contributor

@alexzorin I read a bit in the urllib3 issue you linked but I'm not sure what versions are actually affected.

  • @tiran mentioned that the problem occurs with Python 3.6 + OpenSSL 1.1.1 (= RHEL 8).
  • original reporter @sbstp reported this as a regression from 1.25.3 -> 1.25.4. However RHEL ships 1.24.2 so either this is not a regression as initially reported or we have some other bug.
  • @sethmlarson wrote the problem has been fixed in python-urllib3 v1.25.5.
  • There are two users who mention that they still see the same/a similar problem.

So I guess Fedora should be fine and Fedora's python-urllib3 maintainers can do the update whenever they have time and I just need to check if we can notify RHEL about this issue.

@alexzorin
Collaborator Author

alexzorin commented Aug 14, 2020

I failed to mention that where I ran into this was in CentOS 8, which ships with:

  • openssl-libs-1.1.1-8.el8.x86_64
  • python3-urllib3-1.24.2-4.el8.noarch
  • python36-3.6.8-2.module_el8.1.0+245+c39af44f.x86_64

The linked issue does not mention that the issue goes back as far as 1.24.2, but I believe it is the same one. Forcefully upgrading the system urllib3 (via pip) to urllib3-1.25.10 makes the issue go away.

I gather that the change for CentOS would need to be picked up from RHEL?

@FelixSchwarz
Contributor

CentOS will ship whatever RHEL (base) ships (with a short delay). So the first thing to do is to file a bugzilla issue against RHEL 8.

@alexzorin changed the title from "--no-verify-ssl is broken in EPEL8" to "--no-verify-ssl is broken in CentOS/RHEL 8" on Aug 14, 2020

@tiran

tiran commented Aug 14, 2020

Could you please open a bug at https://bugzilla.redhat.com/ and reference this issue?

@alexzorin
Collaborator Author

alexzorin commented Aug 14, 2020

Turns out this was fixed by a change between Python 3.6.8-1.el8 and 3.6.8-23.el8. My testing rig was working off an old image - sorry and thanks to you both Felix and Christian.
