1

I'm trying to add a new package using poetry add, but it always comes with this error:

HTTPSConnectionPool(host='10.140.240.64', port=443): Max retries exceeded with url: /api/v4/projects/118/packages/pypi/files/47f05b39ebe470235b70724fb049985ea75fad6c1a5007ad3462f3d430da338b/tg_client-0.1.10-py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')))

Who knows how to skip this verification?

Updated:

I am trying to add a package from a private repository:

[[tool.poetry.source]]
name = "my_package"
url = "https://..."
secondary = true

Maybe that is why the solution poetry config certificates.my_package.cert false doesn't work.

Maarten Bodewes
Alexander Shpindler
  • I checked and indeed the indicated solution is specific to the TLS / HTTPS connection, so that's not it. What I'm slightly curious about is the ".source" part, but maybe that's just me; I'm a security / TLS expert, not a poetry expert :| – Maarten Bodewes Dec 22 '22 at 02:14

3 Answers

3

TL;DR

For every host that you see in the error message, add a new fake repository and disable verification for it.


A relevant discussion on the topic: https://github.com/orgs/python-poetry/discussions/6681

If you're doing this globally:

  • Add repo using poetry source add XYZ... or by editing config.toml.
  • Disable cert check using poetry config certificates.XYZ.cert false or by editing auth.toml

It might be possible to do the same for your specific project (pyproject.toml) instead of globally (config.toml and auth.toml). See poetry docs.


E.g.

  1. For me it started with host='pypi.org':

HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /packages/0b/fc/8781442def77b0aa22f63f266d4dadd486ebc0c5371d6290caf4320da4b7/setuptools-67.6.1-py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]

  2. This was worked around by asking poetry to ignore cert verification for PyPI (not pypi), using:
$ poetry config certificates.PyPI.cert false
  3. Then I got the same error for files.pythonhosted.org.
$ poetry source add fpho https://files.pythonhosted.org
$ poetry config certificates.fpho.cert false

Final environment:

$ 
$ export PYTHONWARNINGS="ignore:Unverified HTTPS request"
$ 
$ cat /home/kash/.config/pypoetry/config.toml 
[repositories]

[repositories.fpho]
url = "https://files.pythonhosted.org"

[repositories.my_host_240_64]
url = "10.140.240.64"

$ 
$ cat /home/kash/.config/pypoetry/auth.toml 

# apparently the brain-trust at poetry call pypi.org repo "PyPI",
# not pypi. And provide no apparent way to list the "default" repos.
[certificates.PyPI]
cert = false

[certificates.fpho]
cert = false

[certificates.my_host_240_64]
cert = false

$
$ poetry add <your package>
$ 
Kashyap
1

https://python-poetry.org/docs/repositories/#certificates:

The value of certificates.<repository>.cert can be set to false if certificate verification is required to be skipped. This is useful for cases where a package source with self-signed certificates are used.

poetry config certificates.foo.cert false
rasjani
  • It doesn't work. I updated the question. – Alexander Shpindler Dec 21 '22 at 16:00
  • Your example in the question shows that you are setting the .cert to false *for the package*, but the docs say that you need to add a "secondary" source, set the cert to false for that *source*, and then add the package from that *source*. If that does not work, try playing with CURL_CA_BUNDLE and DEFAULT_CA_BUNDLE. – rasjani Dec 23 '22 at 08:12
1

I found 2 working solutions:

  1. Use poetry version<=1.0.9 and use CURL_CA_BUNDLE="" poetry install;
  2. Extract the certificate from the repository as described here, then copy-paste it at the end of the file at the path requests.utils.DEFAULT_CA_BUNDLE_PATH (Python).
Alexander Shpindler