NetBSD Problem Report #55212
From www@netbsd.org Mon Apr 27 07:45:15 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 5D07E1A9217
for <gnats-bugs@gnats.NetBSD.org>; Mon, 27 Apr 2020 07:45:15 +0000 (UTC)
Message-Id: <20200427074514.4FF7B1A921A@mollari.NetBSD.org>
Date: Mon, 27 Apr 2020 07:45:14 +0000 (UTC)
From: dbaron@definitely.at
Reply-To: dbaron@definitely.at
To: gnats-bugs@NetBSD.org
Subject: python cannot verify SSL certificates
X-Send-Pr-Version: www-1.0
>Number: 55212
>Category: pkg
>Synopsis: python cannot verify SSL certificates
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Apr 27 07:50:00 +0000 2020
>Closed-Date:
>Last-Modified: Mon Apr 27 10:51:29 +0000 2020
>Originator: Dieter Baron
>Release: NetBSD 8.0
>Organization:
>Environment:
NetBSD definitely.at 8.0_BETA NetBSD 8.0_BETA (GENERIC.201711211410Z) amd64
>Description:
Python 3.7 installed via pkgsrc fails to verify certificates that are valid (as seen by all major browsers):
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>
>How-To-Repeat:
Run the following python 3 script:
import urllib.request
with urllib.request.urlopen("https://google.com/") as request:
    data = request.read()
>Fix:
I suspect Python and NetBSD/pkgsrc disagree over where the root certificates are stored.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: pkg-manager->leot
Responsible-Changed-By: leot@NetBSD.org
Responsible-Changed-When: Mon, 27 Apr 2020 08:35:11 +0000
Responsible-Changed-Why:
I will try to handle it
State-Changed-From-To: open->feedback
State-Changed-By: leot@NetBSD.org
State-Changed-When: Mon, 27 Apr 2020 08:35:11 +0000
State-Changed-Why:
Probably mozilla-rootcerts-openssl, or more generally,
/etc/openssl/certs directory not populated.
Feedback requested.
From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/55212 (python cannot verify SSL certificates)
Date: Mon, 27 Apr 2020 10:38:53 +0200
leot@NetBSD.org writes:
> [...]
> Probably mozilla-rootcerts-openssl, or more generally,
> /etc/openssl/certs directory not populated.
> [...]
I'm probably wrong regarding the directory though because on NetBSD 8.0
probably pkgsrc openssl is used and hence the directory used for certs
is probably under ${PREFIX}. Also in that case mozilla-rootcerts-openssl
should properly handle that.
From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/55212: python cannot verify SSL certificates
Date: Mon, 27 Apr 2020 10:32:29 +0200
Hello Dieter,
dbaron@definitely.at writes:
> [...]
> >Description:
> Python 3.7 installed via pkgsrc fails to verify certificates that are valid (as seen by all major browsers):
>
> urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>
>
> >How-To-Repeat:
> Run the following python 3 script:
>
> import urllib.request
>
> with urllib.request.urlopen("https://google.com/") as request:
>     data = request.read()
>
> >Fix:
> I suspect Python and NetBSD/pkgsrc disagree over where the root certificates are stored.
> [...]
The real problem is probably that no certificates are installed.
Please install security/mozilla-rootcerts-openssl (or populate
/etc/openssl/certs), that should address that problem.
From: Dieter Baron <dbaron@definitely.at>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/55212: python cannot verify SSL certificates
Date: Mon, 27 Apr 2020 12:22:49 +0200
Hi,
> On 27.04.2020, at 10:50, Leonardo Taccari <leot@NetBSD.org> wrote:
>
> The following reply was made to PR pkg/55212; it has been noted by GNATS.
>
> From: Leonardo Taccari <leot@NetBSD.org>
> To: gnats-bugs@NetBSD.org
> Cc:
> Subject: Re: pkg/55212: python cannot verify SSL certificates
> Date: Mon, 27 Apr 2020 10:32:29 +0200
>
> Hello Dieter,
>
> dbaron@definitely.at writes:
>> [...]
>>> Description:
>> Python 3.7 installed via pkgsrc fails to verify certificates that are valid (as seen by all major browsers):
>>
>> urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>
>>
>>> How-To-Repeat:
>> Run the following python 3 script:
>>
>> import urllib.request
>>
>> with urllib.request.urlopen("https://google.com/") as request:
>>     data = request.read()
>>
>>> Fix:
>> I suspect Python and NetBSD/pkgsrc disagree over where the root certificates are stored.
>> [...]
>
> The real problem is probably that no certificates are installed.
>
> Please install security/mozilla-rootcerts-openssl (or populate
> /etc/openssl/certs), that should address that problem.
/etc/openssl/certs contained a bunch of certificates already. I installed mozilla-rootcerts-openssl, but it did not fix the problem.
Yours,
dillo
Responsible-Changed-From-To: leot->pkg-manager
Responsible-Changed-By: leot@NetBSD.org
Responsible-Changed-When: Mon, 27 Apr 2020 10:51:29 +0000
Responsible-Changed-Why:
Unassign to me (ATM I don't have idea what can cause that)
State-Changed-From-To: feedback->open
State-Changed-By: leot@NetBSD.org
State-Changed-When: Mon, 27 Apr 2020 10:51:29 +0000
State-Changed-Why:
Feedback provided
>Unformatted:
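Added example, not part of the original report or of pkgsrc: a diagnostic that prints where the OpenSSL linked into the running Python actually looks for root certificates, and whether that directory holds usable hash-named entries, so it can be compared with /etc/openssl/certs from the replies above. The helper names and the REPORTED_DIR constant are assumptions of this example.

```python
import os
import re
import ssl

# OpenSSL finds CAs in a capath by subject-hash file name, e.g. "4a6481c9.0".
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
REPORTED_DIR = "/etc/openssl/certs"  # directory named in the PR replies


def describe_capath(path):
    """Count usable, dangling and unhashed entries in a CA directory."""
    info = {"path": path, "exists": bool(path) and os.path.isdir(path),
            "hashed": 0, "dangling": 0, "unhashed": 0}
    if not info["exists"]:
        return info
    for name in os.listdir(path):
        if not HASHED_NAME.match(name):
            info["unhashed"] += 1      # ignored by OpenSSL's directory lookup
        elif os.path.exists(os.path.join(path, name)):   # follows symlinks
            info["hashed"] += 1
        else:
            info["dangling"] += 1      # hash link whose target is gone
    return info


def trust_store_report():
    """Show where this interpreter's OpenSSL looks for root certificates."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "env": {k: os.environ.get(k) for k in
                (paths.openssl_cafile_env, paths.openssl_capath_env)},
        "cafile": paths.openssl_cafile,
        "cafile_exists": paths.cafile is not None,
        "capath": describe_capath(paths.openssl_capath),
        "reported_dir": describe_capath(REPORTED_DIR),
        # capath entries load lazily on first use, so they are not counted here
        "cas_loaded_from_cafile": len(ctx.get_ca_certs()),
    }


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print(f"{key}: {value}")
```

If the "capath" path differs from /etc/openssl/certs, or it shows zero hashed entries, the interpreter is reading a different or unusable trust directory than the one that was populated.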