Enable support for custom SSL certs when publishing. #1418

Closed
2 tasks done
aalekhpatel07 opened this issue Jan 18, 2023 · 3 comments · Fixed by #1483
Labels
enhancement New feature or request

Comments

@aalekhpatel07

Bug Description

TL;DR.

It is possible that ureq is not properly configured to allow usage of custom SSL certificates when uploading packages.

Details

The command maturin publish fails to upload package to devpi (a privately hosted package index) because of an SSL error originating in the ureq crate.

💥 maturin failed
  Caused by: 💥 Failed to upload "<package-name-and-version>-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" (624.0 KB)
  Caused by: Http error
  Caused by: https://<devpi-url>/: Connection Failed: tls connection init failed: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
  Caused by: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

ureq has an issue addressing the custom SSL certificates feature. This comment outlines a potential solution and a usage pattern.

I'm not sure about the exact changes required to solve this but I'd be happy to contribute however I can.

Your maturin version (maturin --version)

0.12.6

Your Python version (python -V)

3.9.16

Your pip version (pip -V)

22.2.2

What bindings you're using

pyo3

Does cargo build work?

  • Yes, it works

If on Windows, have you checked that you aren't accidentally using Unix paths (those with the forward slash /)?

  • Yes

Steps to Reproduce

There's probably a way to reproduce the ssl error by hosting a package index signed with a custom SSL cert generated with an openssl incantation but I'm not very well-versed with it.

I came across this issue because my dev environment is already set up this way.

@aalekhpatel07 aalekhpatel07 added the bug Something isn't working label Jan 18, 2023
@messense
Member

Definitely interested in getting it to work. For now, does maturin build then upload with twine work for you?

@messense messense added enhancement New feature or request and removed bug Something isn't working labels Jan 19, 2023
@aalekhpatel07
Author

Yep!
devpi upload <path_to_whl>.whl works as an alternative (and I'd imagine twine would have the same behaviour).

There is a known issue with requests that custom certs have to be provided through REQUESTS_CA_BUNDLE.

My docker container already has this set up so https interactions that use requests work as expected. On the other hand maturin's http provider (ureq) doesn't have a way to inject this info at runtime.
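
As an added illustration of the runtime injection described in the comment above (not code from this thread, maturin, or ureq): a std-only Rust sketch that resolves a CA bundle path from the environment and decodes its PEM certificates to DER, the form a TLS root store takes as extra trust anchors. The function names are hypothetical, and honouring SSL_CERT_FILE after REQUESTS_CA_BUNDLE is an assumption.

```rust
// Added example, not maturin's or ureq's code; names and env-var precedence are assumptions.

/// First non-empty bundle path offered by `lookup` (normally `std::env::var`).
fn ca_bundle_path(lookup: impl Fn(&str) -> Option<String>) -> Option<String> {
    let names = ["REQUESTS_CA_BUNDLE", "SSL_CERT_FILE"];
    names.iter().filter_map(|&name| lookup(name)).find(|path| !path.trim().is_empty())
}

/// Decode standard base64, skipping whitespace and '=' padding; any other byte is an error.
fn base64_decode(text: &str) -> Result<Vec<u8>, String> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for byte in text.bytes().filter(|b| !b.is_ascii_whitespace() && *b != b'=') {
        let value = ALPHABET.iter().position(|&c| c == byte);
        acc = (acc << 6) | value.ok_or(format!("invalid base64 byte 0x{:02x}", byte))? as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Ok(out)
}

/// Extract every CERTIFICATE block as DER. Fails closed on an empty or truncated bundle.
fn pem_to_der(pem: &str) -> Result<Vec<Vec<u8>>, String> {
    let (mut certs, mut body): (Vec<Vec<u8>>, Option<String>) = (Vec::new(), None);
    for line in pem.lines().map(str::trim) {
        if line == "-----BEGIN CERTIFICATE-----" {
            body = Some(String::new());
        } else if line == "-----END CERTIFICATE-----" {
            certs.push(base64_decode(&body.take().ok_or("END without BEGIN")?)?);
        } else if let Some(text) = body.as_mut() {
            text.push_str(line); // lines outside a CERTIFICATE block (keys, comments) are skipped
        }
    }
    if body.is_some() || certs.is_empty() {
        return Err("bundle is empty or ends inside a CERTIFICATE block".into());
    }
    Ok(certs)
}

fn main() {
    if let Some(path) = ca_bundle_path(|name| std::env::var(name).ok()) {
        let pem = std::fs::read_to_string(&path).unwrap_or_default();
        println!("{}: {:?}", path, pem_to_der(&pem).map(|certs| certs.len()));
    }
}
```

Returning an error for an unreadable, empty or truncated bundle keeps a misconfigured path from silently degrading to the default roots, which would resurface as the same UnknownIssuer failure with no hint of the cause.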

@messense
Member

messense commented Feb 9, 2023

N.B. we should wait for rustls/rustls-native-certs#22 to be resolved first.
