NetBSD Problem Report #55212

From www@netbsd.org  Mon Apr 27 07:45:15 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 5D07E1A9217
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 27 Apr 2020 07:45:15 +0000 (UTC)
Message-Id: <20200427074514.4FF7B1A921A@mollari.NetBSD.org>
Date: Mon, 27 Apr 2020 07:45:14 +0000 (UTC)
From: dbaron@definitely.at
Reply-To: dbaron@definitely.at
To: gnats-bugs@NetBSD.org
Subject: python cannot verify SSL certificates
X-Send-Pr-Version: www-1.0

>Number:         55212
>Category:       pkg
>Synopsis:       python cannot verify SSL certificates
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 27 07:50:00 +0000 2020
>Closed-Date:    
>Last-Modified:  Mon Apr 27 10:51:29 +0000 2020
>Originator:     Dieter Baron
>Release:        NetBSD 8.0
>Organization:
>Environment:
NetBSD definitely.at 8.0_BETA NetBSD 8.0_BETA (GENERIC.201711211410Z) amd64

>Description:
Python 3.7 installed via pkgsrc fails to verify certificates that are valid (as seen by all major browsers):

urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>

>How-To-Repeat:
Run the following python 3 script:

import urllib.request

with urllib.request.urlopen("https://google.com/") as request:
        data = request.read()

>Fix:
I suspect Python and NetBSD/pkgsrc disagree over where the root certificates are stored.

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: pkg-manager->leot
Responsible-Changed-By: leot@NetBSD.org
Responsible-Changed-When: Mon, 27 Apr 2020 08:35:11 +0000
Responsible-Changed-Why:
I will try to handle it


State-Changed-From-To: open->feedback
State-Changed-By: leot@NetBSD.org
State-Changed-When: Mon, 27 Apr 2020 08:35:11 +0000
State-Changed-Why:
Probably mozilla-rootcerts-openssl, or more generally,
/etc/openssl/certs directory not populated.

Feedback requested.


From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/55212 (python cannot verify SSL certificates)
Date: Mon, 27 Apr 2020 10:38:53 +0200

 leot@NetBSD.org writes:
 > [...]
 > Probably mozilla-rootcerts-openssl, or more generally,
 > /etc/openssl/certs directory not populated.
 > [...]

 I'm probably wrong regarding the directory though because on NetBSD 8.0
 probably pkgsrc openssl is used and hence the directory used for certs
 is probably under ${PREFIX}.  Also in that case mozilla-rootcerts-openssl
 should properly handle that.

From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/55212: python cannot verify SSL certificates
Date: Mon, 27 Apr 2020 10:32:29 +0200

 Hello Dieter,

 dbaron@definitely.at writes:
 > [...]
 > >Description:
 > Python 3.7 installed via pkgsrc fails to verify certificates that are valid (as seen by all major browsers):
 >
 > urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>
 >
 > >How-To-Repeat:
 > Run the following python 3 script:
 >
 > import urllib.request
 >
 > with urllib.request.urlopen("https://google.com/") as request:
 >         data = request.read()
 >
 > >Fix:
 > I suspect Python and NetBSD/pkgsrc disagree over where the root certificates are stored.
 > [...]

 The real problem is probably that no certificates are installed.

 Please install security/mozilla-rootcerts-openssl (or populate
 /etc/openssl/certs), that should address that problem.

From: Dieter Baron <dbaron@definitely.at>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/55212: python cannot verify SSL certificates
Date: Mon, 27 Apr 2020 12:22:49 +0200

 Hi,


 > On 27.04.2020, at 10:50, Leonardo Taccari <leot@NetBSD.org> wrote:
 >
 > The following reply was made to PR pkg/55212; it has been noted by GNATS.
 >
 > From: Leonardo Taccari <leot@NetBSD.org>
 > To: gnats-bugs@NetBSD.org
 > Cc:
 > Subject: Re: pkg/55212: python cannot verify SSL certificates
 > Date: Mon, 27 Apr 2020 10:32:29 +0200
 >
 > Hello Dieter,
 >
 > dbaron@definitely.at writes:
 >> [...]
 >>> Description:
 >> Python 3.7 installed via pkgsrc fails to verify certificates that are valid (as seen by all major browsers):
 >>
 >> urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)>
 >>
 >>> How-To-Repeat:
 >> Run the following python 3 script:
 >>
 >> import urllib.request
 >>
 >> with urllib.request.urlopen("https://google.com/") as request:
 >>        data = request.read()
 >>
 >>> Fix:
 >> I suspect Python and NetBSD/pkgsrc disagree over where the root certificates are stored.
 >> [...]
 >
 > The real problem is probably that no certificates are installed.
 >
 > Please install security/mozilla-rootcerts-openssl (or populate
 > /etc/openssl/certs), that should address that problem.

 /etc/openssl/certs contained a bunch of certificates already. I installed mozilla-rootcerts-openssl, but it did not fix the problem.

 Yours,
 dillo
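
Added example (not part of the PR and not written by its participants): a Python check of the hypothesis raised in the thread, that the OpenSSL linked into the pkgsrc Python looks for root certificates somewhere other than /etc/openssl/certs. It uses only the standard ssl module; the function names and the THREAD_DIR constant are made up for this example.

```python
import os
import re
import ssl

# OpenSSL looks CAs up in a directory by subject-hash file names such as
# "2e5ac55d.0"; PEM files lacking such a name or link are never consulted.
HASHED = re.compile(r"[0-9a-f]{8}\.\d+")
THREAD_DIR = "/etc/openssl/certs"  # directory named in the PR


def describe_store(cafile, capath):
    """Name-based check of a CA bundle file / CA directory pair."""
    report = {"cafile": cafile, "capath": capath,
              "cafile_ok": False, "entries": 0, "hashed": 0}
    if cafile and os.path.isfile(cafile):
        report["cafile_ok"] = os.path.getsize(cafile) > 0
    if capath and os.path.isdir(capath):
        names = os.listdir(capath)
        report["entries"] = len(names)
        report["hashed"] = sum(1 for n in names if HASHED.fullmatch(n))
    report["usable"] = report["cafile_ok"] or report["hashed"] > 0
    return report


def python_store():
    """Locations this Python's OpenSSL consults by default: the compiled-in
    paths unless SSL_CERT_FILE / SSL_CERT_DIR override them."""
    p = ssl.get_default_verify_paths()
    cafile = os.environ.get(p.openssl_cafile_env, p.openssl_cafile)
    capath = os.environ.get(p.openssl_capath_env, p.openssl_capath)
    return describe_store(cafile, capath)


def same_dir(a, b):
    """True when both paths resolve to the same directory (symlinks followed)."""
    return bool(a) and bool(b) and os.path.realpath(a) == os.path.realpath(b)


if __name__ == "__main__":
    store = python_store()
    print("linked against:", ssl.OPENSSL_VERSION)
    print("CA file       :", store["cafile"],
          "(ok)" if store["cafile_ok"] else "(missing or empty)")
    print("CA directory  :", store["capath"],
          f'({store["hashed"]} hashed of {store["entries"]} entries)')
    print("same as", THREAD_DIR, ":", same_dir(store["capath"], THREAD_DIR))
    print("default store usable:", store["usable"])
```

A reported CA directory that differs from /etc/openssl/certs, or one with entries but no hashed names, would be consistent with the "unable to get local issuer certificate" error even though certificates are installed.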


Responsible-Changed-From-To: leot->pkg-manager
Responsible-Changed-By: leot@NetBSD.org
Responsible-Changed-When: Mon, 27 Apr 2020 10:51:29 +0000
Responsible-Changed-Why:
Unassign from me (ATM I don't have any idea what can cause that)


State-Changed-From-To: feedback->open
State-Changed-By: leot@NetBSD.org
State-Changed-When: Mon, 27 Apr 2020 10:51:29 +0000
State-Changed-Why:
Feedback provided


>Unformatted:
