SSLCertVerificationError with self-signed certificates #519

Closed
2 tasks done
mrtnbrst opened this issue Oct 4, 2023 · 3 comments

mrtnbrst commented Oct 4, 2023

Checklist

  • I added a descriptive title
  • I searched open reports and couldn't find a duplicate

What happened?

The error shows when conda-lock is used in combination with self-signed certificates. The error originates from the requests library, as described in psf/requests#6074. As of this moment, requests does not want to provide a way to globally disable SSL verification anymore. A possible solution would be handling it like Poetry by adding a configuration for disabling the verification (python-poetry/poetry#1556) and passing the verify=False keyword.

The "setting" verify=False would also need to be passed down to the ensureconda package, it seems.

conda-lock -f .\environment.yml

Traceback (most recent call last):
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\connectionpool.py", line 711, in urlopen
self._prepare_proxy(conn)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\connectionpool.py", line 1007, in prepare_proxy
conn.connect()
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\connection.py", line 419, in connect
self.sock = ssl_wrap_socket(
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\util\ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = ssl_wrap_socket_impl(
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\util\ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "c:\program files (x86)\python\lib\ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "c:\program files (x86)\python\lib\ssl.py", line 1040, in _create
self.do_handshake()
File "c:\program files (x86)\python\lib\ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\adapters.py", line 486, in send
resp = conn.urlopen(
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\connectionpool.py", line 798, in urlopen
retries = retries.increment(
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\urllib3\util\retry.py", line 592, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.anaconda.org', port=443): Max retries exceeded with url: /package/anaconda/conda-standalone/files (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "c:\program files (x86)\python\lib\runpy.py", line 194, in _run_module_as_main
return _run_code(code, main_globals, None,
File "c:\program files (x86)\python\lib\runpy.py", line 87, in run_code
exec(code, run_globals)
File "c:\users\borstm.local\bin\conda-lock.exe\__main__.py", line 7, in <module>
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 1157, in call
return self.main(*args, **kwargs)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 1078, in main
rv = self.invoke(ctx)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\core.py", line 783, in invoke
return __callback(*args, **kwargs)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\click\decorators.py", line 33, in new_func
return f(get_current_context(), *args, **kwargs)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\conda_lock.py", line 1380, in lock
lock_func(
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\conda_lock.py", line 1085, in run_lock
_conda_exe = determine_conda_executable(
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\invoke_conda.py", line 56, in determine_conda_executable
for candidate in _determine_conda_executable(conda_executable, mamba, micromamba):
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\invoke_conda.py", line 50, in _determine_conda_executable
yield _ensureconda(mamba=mamba, micromamba=micromamba, conda=True, conda_exe=True)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\conda_lock\invoke_conda.py", line 30, in _ensureconda
_conda_exe = ensureconda(
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\ensureconda\api.py", line 116, in ensureconda
maybe_exe = install_conda_exe()
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\ensureconda\installer.py", line 57, in install_conda_exe
resp = request_url_with_retry(url)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\ensureconda\installer.py", line 25, in request_url_with_retry
resp = requests.get(url, allow_redirects=True)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\api.py", line 73, in get
return request("get", url, params=params, **kwargs)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\sessions.py", line 589, in request
resp = self.send(prep, **send_kwargs)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\sessions.py", line 703, in send
r = adapter.send(request, **kwargs)
File "C:\Users\borstm.local\pipx\venvs\conda-lock\lib\site-packages\requests\adapters.py", line 517, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.anaconda.org', port=443): Max retries exceeded with url: /package/anaconda/conda-standalone/files (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

Conda Info

No response

Conda Config

ssl_verify: False
proxy_servers:
  http: http://xxxxxx:8080
  https: http://xxxxxx:8080
channels:
  - defaults
show_channel_urls: True

Conda list

No response

Additional Context

No response

Contributor

maresb commented Oct 4, 2023

I don't like the idea of being able to disable TLS verification within config since disabling TLS should be an active action.

Perhaps we could add a CLI flag like --insecure-skip-tls-verify? Would you be interested in opening a PR for this?

Author

mrtnbrst commented Oct 4, 2023

I'll try to do the required PR for the ensureconda package and then come back here afterwards.

BR Martin

@mrtnbrst
Author

I didn't manage to get it to work with certificates.
It works from the home office which is good enough for now.
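
The design discussed in this thread, sketched as an added example (not code from conda-lock, ensureconda or any participant): verification can only be switched off by an explicit per-run flag, a `ssl_verify: False` config entry is ignored, and a CA bundle is the preferred way to trust a proxy's certificate. `resolve_verify`, `build_parser`, `--ca-bundle` and the config dict are hypothetical; `--insecure-skip-tls-verify` is the flag name proposed above, and `REQUESTS_CA_BUNDLE` and `verify=` are existing requests features.

```python
import argparse
import os
import warnings


def build_parser():
    # Hypothetical CLI for illustration; not conda-lock's real option set.
    p = argparse.ArgumentParser(prog="lock-demo")
    p.add_argument("--insecure-skip-tls-verify", action="store_true",
                   help="disable TLS certificate verification for this run only")
    p.add_argument("--ca-bundle", metavar="PEM",
                   help="PEM file with the CA(s) to trust, e.g. a proxy root CA")
    return p


def resolve_verify(argv, config, env):
    """Return the value to pass as the verify= argument of requests."""
    args = build_parser().parse_args(argv)
    if args.insecure_skip_tls_verify and args.ca_bundle:
        raise ValueError("--insecure-skip-tls-verify excludes --ca-bundle")
    if args.insecure_skip_tls_verify:
        # Only an active, per-invocation choice turns verification off.
        warnings.warn("TLS verification disabled for this run", RuntimeWarning)
        return False

    # Config may name a CA bundle but may never disable verification.
    cfg = config.get("ssl_verify", True)
    if cfg is False:
        warnings.warn("ssl_verify: False in config ignored; use the CLI flag",
                      RuntimeWarning)
        cfg = True

    # Precedence: CLI bundle, then config path, then the requests env variable.
    bundle = (args.ca_bundle
              or (cfg if isinstance(cfg, str) else None)
              or env.get("REQUESTS_CA_BUNDLE"))
    if bundle:
        if not os.path.isfile(bundle):
            raise FileNotFoundError(f"CA bundle not found: {bundle}")
        return bundle
    return True  # default: verify against the default trust store


# Intended use at the call site shown in the traceback (requests not imported here):
#   verify = resolve_verify(sys.argv[1:], config, os.environ)
#   requests.get(url, allow_redirects=True, verify=verify)
```
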
