poetry doesn't seem to respect poetry config certificates.pypi.cert false. Getting CERTIFICATE_VERIFY_FAILED

[brno32]

• Poetry version: 1.2.1

• Python version: 3.9

• OS version and name: Windows 10

• pyproject.toml: https://gist.github.com/brno32/ea2d3629c351bdd9029380d920e7fb32

• I am on the latest stable Poetry version, installed using a recommended method.

• I have searched the issues of this repo and believe that this is not a duplicate.

• I have consulted the FAQ and blog for any relevant entries or release notes.

• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

I'm behind a corporate firewall which I cannot change. I won't pretend to know what's really going on here, but we're swapping out some of the SSL certificates with our own, self-signed certificate. This poses problems when trying to pip install packages on pypi. but for plain ol' pip installs, my team just runs this

pip install --upgrade --trusted-host pypi.python.org --trusted-host pypi.org --trusted-host files.pythonhosted.org pip setuptools wheel python-certifi-win32

and we're good to go, but poetry doesn't seem to respect these settings. I think it doesn't take advantage of whatever python-certifi-win32 does or pay attention to trusted hosts.

When I try to add a package via poetry, this happens:

poetry add pysmb -vvv

Loading configuration file C:\Users\me\AppData\Roaming\pypoetry\config.toml

Loading configuration file C:\Users\me\AppData\Roaming\pypoetry\auth.toml

Using virtualenv: D:\p4_root\WWHPRP-vnZExBYp_crypy_secrets_2822\venv

[keyring.backend] Loading KWallet

[keyring.backend] Loading SecretService

[keyring.backend] Loading Windows

[keyring.backend] Loading chainer

[keyring.backend] Loading libsecret

[keyring.backend] Loading macOS

Creating new session for [pypi.org](http://pypi.org/)

[urllib3.connectionpool] Starting new HTTPS connection (1): [pypi.org:443](http://pypi.org:443/)

Retrying HTTP request in 0.5 seconds.

[urllib3.connectionpool] Starting new HTTPS connection (2): [pypi.org:443](http://pypi.org:443/)

Retrying HTTP request in 1.0 seconds.

[urllib3.connectionpool] Starting new HTTPS connection (3): [pypi.org:443](http://pypi.org:443/)

Retrying HTTP request in 1.5 seconds.

[urllib3.connectionpool] Starting new HTTPS connection (4): [pypi.org:443](http://pypi.org:443/)

Retrying HTTP request in 2.0 seconds.

[urllib3.connectionpool] Starting new HTTPS connection (5): [pypi.org:443](http://pypi.org:443/)

Retrying HTTP request in 2.5 seconds.

[urllib3.connectionpool] Starting new HTTPS connection (6): [pypi.org:443](http://pypi.org:443/)

 

  Stack trace:

 

  8  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:703 in urlopen

       701│

       702│             # Make the request on the httplib connection object.

    →  703│             httplib_response = self._make_request(

       704│                 conn,

       705│                 method,

 

  7  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:386 in _make_request

       384│         # Trigger any extra validation we need to do.

       385│         try:

    →  386│             self._validate_conn(conn)

       387│         except (SocketTimeout, BaseSSLError) as e:

       388│             # Py2 raises this as a BaseSSLError, Py3 raises it as socket timeout.

 

  6  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1042 in _validate_conn

      1040│         # Force connect early to allow us to validate the connection.

      1041│         if not getattr(conn, "sock", None):  # AppEngine might not have  `.sock`

    → 1042│             conn.connect()

      1043│

      1044│         if not conn.is_verified:

 

  5  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connection.py:414 in connect

      412│             context.load_default_certs()

      413│

    → 414│         self.sock = ssl_wrap_socket(

      415│             sock=conn,

      416│             keyfile=self.key_file,

 

  4  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\util\ssl_.py:449 in ssl_wrap_socket

      447│

      448│     if send_sni:

    → 449│         ssl_sock = _ssl_wrap_socket_impl(

      450│             sock, context, tls_in_tls, server_hostname=server_hostname

      451│         )

 

  3  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\util\ssl_.py:493 in _ssl_wrap_socket_impl

      491│

      492│     if server_hostname:

    → 493│         return ssl_context.wrap_socket(sock, server_hostname=server_hostname)

      494│     else:

      495│         return ssl_context.wrap_socket(sock)

 

  2  ~\AppData\Local\Programs\Python\Python39\lib\ssl.py:501 in wrap_socket

       499│         # SSLSocket class handles server_hostname encoding before it calls

       500│         # ctx._wrap_socket()

    →  501│         return self.sslsocket_class._create(

       502│             sock=sock,

       503│             server_side=server_side,

 

  1  ~\AppData\Local\Programs\Python\Python39\lib\ssl.py:1041 in _create

      1039│                         # non-blocking

      1040│                         raise ValueError("do_handshake_on_connect should not be specified for non-blocking sockets")

    → 1041│                     self.do_handshake()

      1042│             except (OSError, ValueError):

      1043│                 self.close()

 

  SSLCertVerificationError

 

  [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

 

  at ~\AppData\Local\Programs\Python\Python39\lib\ssl.py:1310 in do_handshake

      1306│         timeout = self.gettimeout()

      1307│         try:

      1308│             if timeout == 0.0 and block:

      1309│                 self.settimeout(None)

    → 1310│             self._sslobj.do_handshake()

      1311│         finally:

      1312│             self.settimeout(timeout)

      1313│

      1314│     def _real_connect(self, addr, connect_ex):

 

The following error occurred when trying to handle this error:

 

 

  Stack trace:

 

  2  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\requests\adapters.py:489 in send

      487│         try:

      488│             if not chunked:

    → 489│                 resp = conn.urlopen(

      490│                     method=request.method,

      491│                     url=url,

 

  1  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:787 in urlopen

       785│                 e = ProtocolError("Connection aborted.", e)

       786│

    →  787│             retries = retries.increment(

       788│                 method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]

       789│             )

 

  MaxRetryError

 

  HTTPSConnectionPool(host='[pypi.org](http://pypi.org/)', port=443): Max retries exceeded with url: /pypi/pysmb/json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))

 

  at ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\util\retry.py:592 in increment

      588│             history=history,

      589│         )

      590│

      591│         if new_retry.is_exhausted():

    → 592│             raise MaxRetryError(_pool, url, error or ResponseError(cause))

      593│

      594│         log.debug("Incremented Retry for (url='%s'): %r", url, new_retry)

      595│

      596│         return new_retry

 

The following error occurred when trying to handle this error:

 

 

  Stack trace:

 

  25  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cleo\application.py:329 in run

       327│

       328│             try:

     → 329│                 exit_code = self._run(io)

       330│             except Exception as e:

       331│                 if not self._catch_exceptions:

 

  24  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\console\application.py:185 in _run

       183│         self._load_plugins(io)

       184│

     → 185│         exit_code: int = super()._run(io)

       186│         return exit_code

       187│

 

  23  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cleo\application.py:423 in _run

       421│             io.input.set_stream(stream)

       422│

     → 423│         exit_code = self._run_command(command, io)

       424│         self._running_command = None

       425│

 

  22  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cleo\application.py:465 in _run_command

       463│

       464│         if error is not None:

     → 465│             raise error

       466│

       467│         return event.exit_code

 

  21  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cleo\application.py:449 in _run_command

       447│

       448│             if event.command_should_run():

     → 449│                 exit_code = command.run(io)

       450│             else:

       451│                 exit_code = ConsoleCommandEvent.RETURN_CODE_DISABLED

 

  20  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cleo\commands\base_command.py:119 in run

       117│         io.input.validate()

       118│

     → 119│         status_code = self.execute(io)

       120│

       121│         if status_code is None:

 

  19  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cleo\commands\command.py:83 in execute

        81│

        82│         try:

     →  83│             return self.handle()

        84│         except KeyboardInterrupt:

        85│             return 1

 

  18  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\console\commands\add.py:158 in handle

       156│             return 0

       157│

     → 158│         requirements = self._determine_requirements(

       159│             packages,

       160│             allow_prereleases=self.option("allow-prereleases"),

 

  17  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\console\commands\init.py:363 in _determine_requirements

       361│             elif "version" not in requirement:

       362│                 # determine the best version automatically

     → 363│                 name, version = self._find_best_version_for_package(

       364│                     requirement["name"],

       365│                     allow_prereleases=allow_prereleases,

 

  16  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\console\commands\init.py:398 in _find_best_version_for_package

       396│

       397│         selector = VersionSelector(self._get_pool())

     → 398│         package = selector.find_best_candidate(

       399│             name, required_version, allow_prereleases=allow_prereleases, source=source

       400│         )

 

  15  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\version\version_selector.py:39 in find_best_candidate

        37│             },

        38│         )

     →  39│         candidates = self._pool.find_packages(dependency)

        40│         only_prereleases = all(c.version.is_unstable() for c in candidates)

        41│

 

  14  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\repositories\pool.py:181 in find_packages

       179│         packages = []

       180│         for repo in self._repositories:

     → 181│             packages += repo.find_packages(dependency)

       182│

       183│         return packages

 

  13  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\repositories\repository.py:46 in find_packages

        44│         ignored_pre_release_packages = []

        45│

     →  46│         for package in self._find_packages([dependency.name](http://dependency.name/), constraint):

        47│             if package.yanked and not isinstance(constraint, Version):

        48│                 # PEP 592: yanked files are always ignored, unless they are the only

 

  12  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\repositories\pypi_repository.py:117 in _find_packages

       115│         """

       116│         try:

     → 117│             info = self.get_package_info(name)

       118│         except PackageNotFound:

       119│             self._log(

 

  11  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\repositories\pypi_repository.py:105 in get_package_info

       103│             return self._get_package_info(name)

       104│

     → 105│         package_info: dict[str, Any] = self._cache.store("packages").remember_forever(

       106│             name, lambda: self._get_package_info(name)

       107│         )

 

  10  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cachy\repository.py:174 in remember_forever

       172│             return val

       173│

     → 174│         val = value(callback)

       175│

       176│         self.forever(key, val)

 

   9  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cachy\helpers.py:6 in value

         4│ def value(val):

         5│     if callable(val):

     →   6│         return val()

         7│

         8│     return val

 

   8  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\repositories\pypi_repository.py:106 in <lambda>

       104│

       105│         package_info: dict[str, Any] = self._cache.store("packages").remember_forever(

     → 106│             name, lambda: self._get_package_info(name)

       107│         )

       108│         return package_info

 

   7  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\repositories\pypi_repository.py:156 in _get_package_info

       154│

       155│     def _get_package_info(self, name: NormalizedName) -> dict[str, Any]:

     → 156│         data = self._get(f"pypi/{name}/json")

       157│         if data is None:

       158│             raise PackageNotFound(f"Package [{name}] not found.")

 

   6  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\repositories\pypi_repository.py:244 in _get

       242│     def _get(self, endpoint: str) -> dict[str, Any] | None:

       243│         try:

     → 244│             json_response = self.session.get(

       245│                 self._base_url + endpoint,

       246│                 raise_for_status=False,

 

   5  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\authenticator.py:246 in get

       244│

       245│     def get(self, url: str, **kwargs: Any) -> requests.Response:

     → 246│         return self.request("get", url, **kwargs)

       247│

       248│     def post(self, url: str, **kwargs: Any) -> requests.Response:

 

   4  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\authenticator.py:228 in request

       226│             except (requests.exceptions.ConnectionError, OSError) as e:

       227│                 if is_last_attempt:

     → 228│                     raise e

       229│             else:

       230│                 if resp.status_code not in [502, 503, 504] or is_last_attempt:

 

   3  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\authenticator.py:225 in request

       223│             is_last_attempt = attempt >= 5

       224│             try:

     → 225│                 resp = session.send(prepared_request, **send_kwargs)

       226│             except (requests.exceptions.ConnectionError, OSError) as e:

       227│                 if is_last_attempt:

 

   2  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\requests\sessions.py:701 in send

       699│

       700│         # Send the request

     → 701│         r = adapter.send(request, **kwargs)

       702│

       703│         # Total elapsed time of the request (approximately)

 

   1  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\cachecontrol\adapter.py:57 in send

        55│             request.headers.update(self.controller.conditional_headers(request))

        56│

     →  57│         resp = super(CacheControlAdapter, self).send(request, **kw)

        58│

        59│         return resp

 

  SSLError

 

  HTTPSConnectionPool(host='[pypi.org](http://pypi.org/)', port=443): Max retries exceeded with url: /pypi/pysmb/json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))

 

  at ~\AppData\Roaming\pypoetry\venv\lib\site-packages\requests\adapters.py:563 in send

      559│                 raise ProxyError(e, request=request)

      560│

      561│             if isinstance(e.reason, _SSLError):

      562│                 # This branch is for urllib3 v1.22 and later.

    → 563│                 raise SSLError(e, request=request)

      564│

      565│             raise ConnectionError(e, request=request)

      566│

      567│         except ClosedPoolError as e:

So I tried running poetry config certificates.pypi.cert false where pypi is the name of the default pypi repo.

However even after setting this, I still get:

HTTPSConnectionPool(host='[pypi.org](http://pypi.org/)', port=443): Max retries exceeded with url: /pypi/pysmb/json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))

I've tried modifying the source code of requests and hardcoding verify = False around the send method, and this works haha. How can I get poetry to ignore SSL using already built-in functionality? Yes I know I'm vulnerable to man-in-the-middle attacks by doing that, but the question is how to do it, not if it's a good idea or not :)

[dimbleby]

Poetry calls the pypi repository "PyPI", not "pypi"

[brno32]

Poetry calls the pypi repository "PyPI", not "pypi"

I tried poetry config certificates.PyPI.cert false but I'm still getting the same error, but thanks for pointing this out!

[dimbleby]

You sure about that?

If I poetry config certificates.PyPI.cert false and clear my cache and poetry lock then I get a lot of warnings like

InsecureRequestWarning: Unverified HTTPS request is being made to host 'pypi.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

which surely implies that this is doing the expected thing?

[Ninpo]

So overriding where pypi resolves in my hosts file to my own webserver that's listening on 443:
poetry config certificates.PyPI.cert false

$ poetry add pendulum
Creating virtualenv poetry-demo-p6kiKZzv-py3.10 in /home/ninpo/.cache/pypoetry/virtualenvs
/home/ninpo/.local/share/pypoetry/venv/lib/python3.10/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'pypi.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

Could not find a matching version of package pendulum

Looking at my web logs:
[02/Oct/2022:15:31:42 +0000] "GET /pypi/pendulum/json HTTP/1.1" 404 146 "-" "python-requests/2.28.1" "-"

So this does appear to work as @dimbleby mentions.

[brno32]

Indeed I get the warnings, but I still get the same error.

> poetry add pysmb
C:\Users\me\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'pypi.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
Using version ^1.2.8 for pysmb

Updating dependencies
Resolving dependencies...
C:\Users\me\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'pypi.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/b5/68/571a613a8da7f4a0265e90a31dada45ec79c6110a55c4174bc677edd64ee/pysmb-1.2.8.zip (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)')))

This is probably due to whatever is going on with my company's corporate firewall, but nevertheless I'm able to get regular ol' pip to work. I also had the same problem with pipenv and got it to work by modifying its source code to override verify = False before it sends any request. I'm wondering how to do the same with poetry, which is my preferred tool.

We're using a self-signed certificate, hence [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129). Does poetry not have a way around that?

[neersighted]

It sounds like Poetry may work with untrusted CAs but not self-signed certificates, which would explain why this keeps popping up and the team keeps on being unable to reproduce it. I would suggest a PR that ensures we allow self-signed certificates as well, if requests indeed handles them differently.

[dimbleby]

The second error is not the same error at all: files.pythonhosted.org is not pypi.org

[neersighted]

🤦🏼 good catch @dimbleby -- the issue is that PyPI hosts files on a different domain.

[brno32]

So I've successfully disabled SSL for pypi.org, but not files.pythonhosted.org? If so that makes sense. Does this separate domain count as a repository which would have an alias I'm able to bypass via poetry config certificates.<repo name>.cert false?

[dimbleby]

you have a repro and so better placed than we are to answer such questions - try it!

(and let us know the answer)

[neersighted]

You could add a publishing repository for the sole purpose of disabling verification, which I think should work.

In the long run, I'm not sure how to solve this in an intuitive way yet.

poetry config repositories.FPHO https://files.pythonhosted.org
poetry config certificates.FPHO.cert false

[brno32]

poetry config certificates.FPHO.cert false

This got me much farther! Thanks for the idea 🙇

> poetry add pysmb
C:\Users\me\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'pypi.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
Using version ^1.2.8 for pysmb

Updating dependencies
Resolving dependencies...
C:\Users\me\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'pypi.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
C:\Users\me\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'files.pythonhosted.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
C:\Users\me\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'pypi.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
C:\Users\me\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'pypi.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
C:\Users\me\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 'files.pythonhosted.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

Writing lock file

Package operations: 1 install, 0 updates, 0 removals

  - Installing pysmb (1.2.8)

Command D:\myrepo\venv\Scripts\python.exe -m pip install --no-deps -r C:\Users\me\AppData\Local\Temp\1\pysmb-1.2.8lbngzoy5reqs.txt errored with the following return code 2, and output:
ERROR: Exception:
Traceback (most recent call last):
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\cli\base_command.py", line 167, in exc_logging_wrapper
    status = run_func(*args)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\cli\req_command.py", line 247, in wrapper
    return func(self, options, args)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\commands\install.py", line 369, in run
    requirement_set = resolver.resolve(
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\resolution\resolvelib\resolver.py", line 92, in resolve
    result = self._result = resolver.resolve(
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\resolvelib\resolvers.py", line 481, in resolve
    state = resolution.resolve(requirements, max_rounds=max_rounds)
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\resolvelib\resolvers.py", line 348, in resolve
    self._add_to_criteria(self.state.criteria, r, parent=None)
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\resolvelib\resolvers.py", line 172, in _add_to_criteria
    if not criterion.candidates:
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\resolvelib\structs.py", line 151, in __bool__
    return bool(self._sequence)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\resolution\resolvelib\found_candidates.py", line 155, in __bool__
    return any(self)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\resolution\resolvelib\found_candidates.py", line 143, in <genexpr>
    return (c for c in iterator if id(c) not in self._incompatible_ids)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\resolution\resolvelib\found_candidates.py", line 44, in _iter_built
    for version, func in infos:
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\resolution\resolvelib\factory.py", line 279, in iter_index_candidate_infos        
    result = self._finder.find_best_candidate(
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\index\package_finder.py", line 889, in find_best_candidate
    candidates = self.find_all_candidates(project_name)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\index\package_finder.py", line 830, in find_all_candidates
    page_candidates = list(page_candidates_it)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\index\sources.py", line 134, in page_candidates
    yield from self._candidates_from_page(self._link)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\index\package_finder.py", line 790, in process_project_url
    index_response = self._link_collector.fetch_response(project_url)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\index\collector.py", line 577, in fetch_response
    return _get_index_content(location, session=self.session)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\index\collector.py", line 481, in _get_index_content
    resp = _get_simple_response(url, session=session)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\index\collector.py", line 138, in _get_simple_response
    resp = session.get(
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\requests\sessions.py", line 600, in get
    return self.request("GET", url, **kwargs)
  File "D:\myrepo\venv\lib\site-packages\pip\_internal\network\session.py", line 518, in request
    return super().request(method, url, *args, **kwargs)
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\requests\sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\requests\sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\cachecontrol\adapter.py", line 57, in send
    resp = super(CacheControlAdapter, self).send(request, **kw)
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\requests\adapters.py", line 489, in send
    resp = conn.urlopen(
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\urllib3\connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\urllib3\connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\urllib3\connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "D:\myrepo\venv\lib\site-packages\pip\_vendor\urllib3\connection.py", line 401, in connect
    context.verify_mode = resolve_cert_reqs(self.cert_reqs)
  File "C:\Users\me\AppData\Local\Programs\Python\Python39\lib\ssl.py", line 721, in verify_mode
    super(SSLContext, SSLContext).verify_mode.__set__(self, value)
ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.

So I guess poetry isn't setting check_hostname to False in urllib?

[neersighted]

That traceback came from pip, which in turn uses requests and never directly touches urllib.

[neersighted]

Looks like an issue with our usage of pip instead -- though I'm not sure why a temporary requirements file is in use. Are you using the old installer?

[brno32]

I used (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py - which looks like it's the new installer, right?

[neersighted]

I'm referring to poetry config experimental.new-installer false -- you can dump your current config with poetry config --list.

[brno32]

> poetry config --list
cache-dir = "C:\\Users\\me\\AppData\\Local\\pypoetry\\Cache"
certificates.FPHO.cert = false
certificates.PyPI.cert = false
experimental.new-installer = false
experimental.system-git-client = false
installer.max-workers = null
installer.no-binary = null
installer.parallel = true
repositories.FPHO.url = "https://files.pythonhosted.org"
virtualenvs.create = true
virtualenvs.in-project = null
virtualenvs.options.always-copy = false
virtualenvs.options.no-pip = false
virtualenvs.options.no-setuptools = false
virtualenvs.options.system-site-packages = false
virtualenvs.path = "{cache-dir}\\virtualenvs"  # C:\Users\me\AppData\Local\pypoetry\Cache\virtualenvs
virtualenvs.prefer-active-python = false
virtualenvs.prompt = "{project_name}-py{python_version}"

Looks like I am in fact using the old installer. Settings this to true, though, still yields the same error regarding ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.

[neersighted]

Odd -- the full traceback with poetry config experimental.new-installer true would be very valuable as Poetry should do all the network requests. With the new installer, we only feed pip a collection of files on disk.

[brno32]

Absolutely. Here is with new-installer set to True

> poetry add pysmb -vvv
Loading configuration file C:\Users\me\AppData\Roaming\pypoetry\config.toml
Loading configuration file C:\Users\me\AppData\Roaming\pypoetry\auth.toml
Using virtualenv: D:\myrepo\venv
[keyring.backend] Loading KWallet
[keyring.backend] Loading SecretService
[keyring.backend] Loading Windows
[keyring.backend] Loading chainer
[keyring.backend] Loading libsecret
[keyring.backend] Loading macOS
Creating new session for pypi.org
Source (PyPI): 45 packages found for pysmb *
Using version ^1.2.8 for pysmb

Updating dependencies
Resolving dependencies...
   1: fact: poetry-certs-not-working is 2.0.0
   1: derived: poetry-certs-not-working
   1: fact: poetry-certs-not-working depends on pysmb (^1.2.8)
   1: selecting poetry-certs-not-working (2.0.0)
   1: derived: pysmb (>=1.2.8,<2.0.0)
Source (PyPI): 1 packages found for pysmb >=1.2.8,<2.0.0
   1: fact: pysmb (1.2.8) depends on pyasn1 (*)
   1: selecting pysmb (1.2.8)
   1: derived: pyasn1
   1: selecting pyasn1 (0.4.8)
   1: Version solving took 0.014 seconds.
   1: Tried 1 solutions.

Finding the necessary packages for the current system
Source (poetry-repo): 1 packages found for pysmb >=1.2.8,<2.0.0

Package operations: 1 install, 0 updates, 0 removals, 1 skipped

  • Installing pyasn1 (0.4.8): Skipped for the following reason: Already installed
  • Installing pysmb (1.2.8)

  Stack trace:

  2  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\env.py:1472 in _run
      1470│                 )
      1471│             else:
    → 1472│                 output = subprocess.check_output(
      1473│                     command, stderr=subprocess.STDOUT, env=env, **kwargs
      1474│                 )

  1  ~\AppData\Local\Programs\Python\Python39\lib\subprocess.py:424 in check_output
       422│         kwargs['input'] = empty
       423│ 
    →  424│     return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
       425│                **kwargs).stdout
       426│

  CalledProcessError

  Command 'D:\myrepo\venv\Scripts\python.exe -m pip install --use-pep517 --disable-pip-version-check --prefix D:\myrepo\venv --no-deps C:\Users\me\AppData\Local\pypoetry\Cache\artifacts\08\66\7b\1a9492a47005b40f397a38657516036bfc2103d6a0c48185056aa85a00\pysmb-1.2.8.zip' returned non-zero exit status 1.

  at ~\AppData\Local\Programs\Python\Python39\lib\subprocess.py:528 in run
       524│             # We don't call process.wait() as .__exit__ does that for us.
       525│             raise
       526│         retcode = process.poll()
       527│         if check and retcode:
    →  528│             raise CalledProcessError(retcode, process.args,
       529│                                      output=stdout, stderr=stderr)
       530│     return CompletedProcess(process.args, retcode, stdout, stderr)
       531│
       532│

The following error occurred when trying to handle this error:


  Stack trace:

  3  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\pip.py:49 in pip_install
       47│
       48│     try:
    →  49│         return environment.run_pip(*args)
       50│     except EnvCommandError as e:
       51│         raise PoetryException(f"Failed to install {path.as_posix()}") from e

  2  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\env.py:1435 in run_pip
      1433│         pip = self.get_pip_command()
      1434│         cmd = pip + list(args)
    → 1435│         return self._run(cmd, **kwargs)
      1436│
      1437│     def run_python_script(self, content: str, **kwargs: Any) -> int | str:

  1  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\env.py:1712 in _run
      1710│     def _run(self, cmd: list[str], **kwargs: Any) -> int | str:
      1711│         kwargs["env"] = self.get_temp_environ(environ=kwargs.get("env"))
    → 1712│         return super()._run(cmd, **kwargs)
      1713│
      1714│     def get_temp_environ(

  EnvCommandError

  Command D:\myrepo\venv\Scripts\python.exe -m pip install --use-pep517 --disable-pip-version-check --prefix D:\myrepo\venv --no-deps C:\Users\me\AppData\Local\pypoetry\Cache\artifacts\08\66\7b\1a9492a47005b40f397a38657516036bfc2103d6a0c48185056aa85a00\pysmb-1.2.8.zip 
errored with the following return code 1, and output:
  Processing c:\users\me\appdata\local\pypoetry\cache\artifacts\08\66\7b\1a9492a47005b40f397a38657516036bfc2103d6a0c48185056aa85a00\pysmb-1.2.8.zip
    Installing build dependencies: started
    Installing build dependencies: finished with status 'error'
    error: subprocess-exited-with-error

    pip subprocess to install build dependencies did not run successfully.
    exit code: 2

    [63 lines of output]
    ERROR: Exception:
    Traceback (most recent call last):
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\cli\base_command.py", line 167, in exc_logging_wrapper
        status = run_func(*args)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\cli\req_command.py", line 247, in wrapper
        return func(self, options, args)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\commands\install.py", line 369, in run
        requirement_set = resolver.resolve(
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\resolution\resolvelib\resolver.py", line 92, in resolve
        result = self._result = resolver.resolve(
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\resolvelib\resolvers.py", line 481, in resolve
        state = resolution.resolve(requirements, max_rounds=max_rounds)
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\resolvelib\resolvers.py", line 348, in resolve
        self._add_to_criteria(self.state.criteria, r, parent=None)
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\resolvelib\resolvers.py", line 172, in _add_to_criteria
        if not criterion.candidates:
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\resolvelib\structs.py", line 151, in __bool__
        return bool(self._sequence)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\resolution\resolvelib\found_candidates.py", line 155, in __bool__
        return any(self)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\resolution\resolvelib\found_candidates.py", line 143, in <genexpr>
        return (c for c in iterator if id(c) not in self._incompatible_ids)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\resolution\resolvelib\found_candidates.py", line 44, in _iter_built
        for version, func in infos:
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\resolution\resolvelib\factory.py", line 279, in iter_index_candidate_infos    
        result = self._finder.find_best_candidate(
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\index\package_finder.py", line 889, in find_best_candidate
        candidates = self.find_all_candidates(project_name)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\index\package_finder.py", line 830, in find_all_candidates
        page_candidates = list(page_candidates_it)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\index\sources.py", line 134, in page_candidates
        yield from self._candidates_from_page(self._link)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\index\package_finder.py", line 790, in process_project_url
        index_response = self._link_collector.fetch_response(project_url)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\index\collector.py", line 577, in fetch_response
        return _get_index_content(location, session=self.session)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\index\collector.py", line 481, in _get_index_content
        resp = _get_simple_response(url, session=session)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\index\collector.py", line 138, in _get_simple_response
        resp = session.get(
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\requests\sessions.py", line 600, in get
        return self.request("GET", url, **kwargs)
      File "D:\myrepo\venv\Lib\site-packages\pip\_internal\network\session.py", line 518, in request
        return super().request(method, url, *args, **kwargs)
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\requests\sessions.py", line 587, in request
        resp = self.send(prep, **send_kwargs)
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\requests\sessions.py", line 701, in send
        r = adapter.send(request, **kwargs)
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\cachecontrol\adapter.py", line 57, in send
        resp = super(CacheControlAdapter, self).send(request, **kw)
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\requests\adapters.py", line 489, in send
        resp = conn.urlopen(
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\urllib3\connectionpool.py", line 703, in urlopen
        httplib_response = self._make_request(
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\urllib3\connectionpool.py", line 386, in _make_request
        self._validate_conn(conn)
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\urllib3\connectionpool.py", line 1042, in _validate_conn
        conn.connect()
      File "D:\myrepo\venv\Lib\site-packages\pip\_vendor\urllib3\connection.py", line 401, in connect
        context.verify_mode = resolve_cert_reqs(self.cert_reqs)
      File "C:\Users\me\AppData\Local\Programs\Python\Python39\lib\ssl.py", line 721, in verify_mode
        super(SSLContext, SSLContext).verify_mode.__set__(self, value)
    ValueError: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.
    [end of output]

    note: This error originates from a subprocess, and is likely not a problem with pip.
  error: subprocess-exited-with-error

  pip subprocess to install build dependencies did not run successfully.
  exit code: 2

  See above for output.

  note: This error originates from a subprocess, and is likely not a problem with pip.


  at ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\env.py:1476 in _run
      1472│                 output = subprocess.check_output(
      1473│                     command, stderr=subprocess.STDOUT, env=env, **kwargs
      1474│                 )
      1475│         except CalledProcessError as e:
    → 1476│             raise EnvCommandError(e, input=input_)
      1477│
      1478│         return decode(output)
      1479│
      1480│     def execute(self, bin: str, *args: str, **kwargs: Any) -> int:

The following error occurred when trying to handle this error:


  Stack trace:

  5  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\installation\executor.py:253 in _execute_operation
      251│ 
      252│             try:
    → 253│                 result = self._do_execute_operation(operation)
      254│             except EnvCommandError as e:
      255│                 if e.e.returncode == -2:

  4  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\installation\executor.py:326 in _do_execute_operation
      324│             return 0
      325│ 
    → 326│         result: int = getattr(self, f"_execute_{method}")(operation)
      327│
      328│         if result != 0:

  3  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\installation\executor.py:446 in _execute_install
      444│ 
      445│     def _execute_install(self, operation: Install | Update) -> int:
    → 446│         status_code = self._install(operation)
      447│
      448│         self._save_url_reference(operation)

  2  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\installation\executor.py:488 in _install
      486│         )
      487│         self._write(operation, message)
    → 488│         return self.pip_install(archive, upgrade=operation.job_type == "update")
      489│
      490│     def _update(self, operation: Install | Update) -> int:

  1  ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\installation\executor.py:123 in pip_install
      121│     ) -> int:
      122│         try:
    → 123│             pip_install(req, self._env, upgrade=upgrade, editable=editable)
      124│         except EnvCommandError as e:
      125│             output = decode(e.e.output)

  PoetryException

  Failed to install C:/Users/me/AppData/Local/pypoetry/Cache/artifacts/08/66/7b/1a9492a47005b40f397a38657516036bfc2103d6a0c48185056aa85a00/pysmb-1.2.8.zip

  at ~\AppData\Roaming\pypoetry\venv\lib\site-packages\poetry\utils\pip.py:51 in pip_install
       47│
       48│     try:
       49│         return environment.run_pip(*args)
       50│     except EnvCommandError as e:
    →  51│         raise PoetryException(f"Failed to install {path.as_posix()}") from e
       52│

[neersighted]

This is the output I expected -- thanks! It's clear now that everything in Poetry works as expected. The edge case we're now hitting is the interaction of building a sdist using pip when pip is unaware of Poetry authentication settings.

[brno32]

Thank you for looking! Very much appreciated

[neersighted]

Also, I'm migrating this to a discussion as it has become clear this is more of a how-to/discussion on how we can make this use case easier, as PyPI's modern architecture works across multiple domains.

[brno32]

understood. thank you 🙇

[dimbleby]

As you can see, poetry here is just shelling out to pip: this error should reproduce if you run the same pip command directly.

Probably it's something in your environment or pip.conf that is making it unhappy. I guess maybe you've tried a few things to get this working... anyway #6531 should now be isolating pip from such things.

[neersighted]

I think it's actually the opposite -- because we have --isolated now, we need to tell pip what hosts are trusted. The issue is that this is a sdist build and we're running into certificate issues when pip tries to install the build requirements.

I'm not sure we can solve this until #5650 (but extended to sdist builds of deps) or a #6205 is merged, as trying to pass this through as flags to pip seems fraught.

[dimbleby]

poetry should have downloaded the file already and be installing it from a local copy at this point shouldn't it?

[neersighted]

(but given this is the old invocation without --isolated, adding a trusted-host to pip.conf should work temporarily, until that fix is released)

[neersighted]

poetry should have downloaded the file already and be installing it from a local copy at this point shouldn't it?

Yes, and that's what is happening. However, Poetry is installing a sdist from a file with --use-pep517 which requires pip to install the build-system.requires externally to Poetry.

[brno32]

Not sure I follow. A regular old pip install does work for me assuming I've run pip install --upgrade --trusted-host pypi.python.org --trusted-host pypi.org --trusted-host files.pythonhosted.org pip setuptools wheel python-certifi-win32. This suggests poetry isn't just forwarding instructions to pip and it's not taking into account my trusted hosts or the fact that python-certifi-win32 is installed.

[neersighted]

What @dimbleby is suggesting is that if you run the pip invocation that Poetry uses faithfully, it will fail as well, as the issue is occurring at the pip-Poetry boundary:

D:\myrepo\venv\Scripts\python.exe -m pip install --use-pep517 --disable-pip-version-check --prefix D:\myrepo\venv --no-deps C:\Users\me\AppData\Local\pypoetry\Cache\artifacts\08\66\7b\1a9492a47005b40f397a38657516036bfc2103d6a0c48185056aa85a00\pysmb-1.2.8.zip

Indeed, pip here is unaware of any --trusted-host you might use in another invocation as there is no persistence of command line flags! You can add --trusted-host to pip.conf as per the docs and Poetry will respect it for now (we're adding --isolated in the future, which will ignore this config file).

Alternatively, you can add python-certifi-win32 to your target virtual environment -- you could poetry add it to add it to your deps, or inject it externally to Poetry with D:\myrepo\venv\Scripts\python.exe -m pip install. Poetry installs with the pip that is in your target virtual environment, and not the system pip/system environment, hence this distinction.

Eventually #6205 will solve this -- pip is currently an implementation detail of Poetry and we are working to break our dependence.

It may be worth exploring if we can pass --trusted-host to our invocations of pip without tying the code into too many knots -- that would be a very clean and actionable feature request.

[neersighted]

It's because Poetry is using a different copy of pip -- pip.exe is not the same as D:\path\to\env\pip.exe -- they are different files.

pysmb is putting up a fight because it doesn't provide wheels for your platform and thus you must build it from source. A source build with --use-pep517 is causing pip to install the build-system.requires specified by the pysmb build system, and it is ignorant of Poetry's trust settings.

[brno32]

pip.exe is not the same as D:\path\to\env\pip.exe

Okay this made it clear for me. poetry is using the global pip and not the pip inside of my virtual environment like I was expecting it to. I install python-certifi-win32 globally and was then able to poetry add pysmb. Combined with all the aforementioned stuff above, I think this is the solution.

Did I understand you correctly? I greatly appreciate the help 🙇

[neersighted]

Poetry should be using the pip in poetry env info --path, not the 'global' pip, but otherwise yes, you are correct.

[neersighted]

Also, see #3249 for more on this

[ansraliant]

I come from a similar env, with work certs needed to be there. The package python-certifi-win32 is now pip-system-certs. Once that package is installed and pip uses the system store, all the related SSL issues of pip and hence poetry are gone.

Just a quick note if anyone stumbles upon this thread for similar issues.