conan install https://... fails when proxy certificate is self-signed


Hello,

I am using conan 1.21.1 with a proxy (the proxy uses a self-signed certificate) and experienced an issue while I was trying to run conan create for https://github.com/bincrafters/conan-folly

(long story short: please add --verify-ssl=False as a parameter of the conan install and conan create)

# NOTE: --verify=False and GIT_SSL_NO_VERIFY=true 
CONAN_REVISIONS_ENABLED=1 \
    CONAN_VERBOSE_TRACEBACK=1 \
    CONAN_PRINT_RUN_COMMANDS=1 \
    CONAN_LOGGING_LEVEL=10 \
    GIT_SSL_NO_VERIFY=true \
    conan create . conan/stable -s build_type=Debug --verify=False --profile default --build missing
# NOTE: I can download that file in a browser https://github.com/google/double-conversion/archive/v3.1.4.tar.gz or via wget --no-check-certificate

requests.exceptions.SSLError: HTTPSConnectionPool(host='github.com', port=443): 
Max retries exceeded with url: 
/google/double-conversion/archive/v3.1.4.tar.gz 
(Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed (_ssl.c:852)'),))

NOTE: added self-signed certificate to the ~/.conan/cacert.pem file.

conan install does not currently have an option to disable the verification of the certificate. The download is performed using tools.download(). This utility has a parameter to enable/disable SSL checks.

def download(url, filename, verify=True, out=None, retry=2, retry_wait=5, overwrite=False,
             auth=None, headers=None)

NOTE: it doesn’t work either to include the ROOT (not a non-root ancestor) certificate in the Python requests package CA bundle, or to create a new CA bundle that includes the root certificate and use the REQUESTS_CA_BUNDLE environment variable, as in https://stackoverflow.com/a/56810796 and https://stackoverflow.com/a/46337779 and https://stackoverflow.com/a/42982144

As a temporary fix I edited /usr/local/lib/python3.6/dist-packages/conans/client/rest/uploader_downloader.py and manually changed self.verify = False

I think a flag to disable the SSL check would be a good solution in this use case. What do you think about it? Is there currently another solution to perform the download from a server with a self-signed certificate?

Related to https://github.com/conan-io/conan/issues/2460

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

5 reactions
jgallucci32 commented, Apr 9, 2021

I have the same issue. I replaced the contents of ~/.conan/cacert.pem with the same contents of the custom cert bundle used for the REQUESTS_CA_BUNDLE env var required for pip to install conan with a custom certificate in the first place (confirming CA BUNDLE is valid). I also tried using not only a cert bundle with updated roots, but also the server cert with the chain in the exact order (for strict SSL checking) and that didn’t work either.

Disabling SSL was the only way to get it to work.

0 reactions
blockspacer commented, Mar 10, 2021

@sourcedelica

cat /usr/local/share/ca-certificates/MY_CORP_CERT.crt >> ~/.conan/cacert.pem
sudo curl http://my_corp/pki/MY_CORP_CERT.crt | sudo openssl x509 -inform DER -outform PEM -out MY_CORP_CERT_pem.crt
cat /usr/local/share/ca-certificates/MY_CORP_CERT_pem.crt >> ~/.conan/cacert.pem

didn’t work (so I had to disable SSL). Maybe it is a bug?

Note that MY_CORP_CERT.crt and MY_CORP_CERT_pem.crt are valid (without them other apps like Flatpak do not work)

Also issue related to https://github.com/conan-io/conan/issues/2460#issuecomment-364961479
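
The comments above append certificate files to ~/.conan/cacert.pem with cat. A PEM bundle is only read block by block, so a DER-encoded .crt appended this way is not picked up as a certificate; the following check flags that and related structural problems before anyone falls back to turning verification off. It is an added example, not code from the issue or from Conan; lint_ca_bundle and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

# Matches one PEM certificate block; the body is captured for base64 decoding.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def lint_ca_bundle(data: bytes) -> list:
    """Return a list of problems found in a PEM CA bundle (empty list = clean)."""
    problems = []
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        problems.append("no PEM certificate blocks found")
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"block {i}: body is not valid base64")
            continue
        # Every X.509 certificate is a DER SEQUENCE, so it starts with 0x30.
        if not der.startswith(b"\x30"):
            problems.append(f"block {i}: decoded data is not a DER SEQUENCE")
    # Whatever is left outside the PEM blocks should be plain text (comments).
    leftover = PEM_BLOCK.sub(b"", data)
    if b"-----BEGIN CERTIFICATE-----" in leftover:
        problems.append("unterminated BEGIN CERTIFICATE block")
    try:
        text = leftover.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is None or any(ord(c) < 32 and c not in "\t\r\n" for c in text):
        problems.append("binary data outside PEM blocks (raw DER appended?)")
    return problems


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour, as openssl x509 -outform PEM would."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


# Constructed placeholder bytes shaped like the start of a DER certificate;
# not a real certificate, only enough structure to exercise the checks.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(16))
GOOD_BUNDLE = b"# corp root (constructed sample)\n" + to_pem(FAKE_DER)

if __name__ == "__main__":
    print("clean bundle:      ", lint_ca_bundle(GOOD_BUNDLE))
    print("DER file appended: ", lint_ca_bundle(GOOD_BUNDLE + FAKE_DER))
```

A clean result only means the file is structurally sound; it does not show that the bundle contains the root that signed the proxy's certificate.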
