3

When trying to upload a custom Python package to our internal registry, it's failing with the following error.

 urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='custom-nexus.com', port=443): Max retries exceeded with url: /repository/pypi-internal/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

But the same URL works fine when accessed through curl. Using the curl -v option, I found that the CA bundle used was in the location /etc/pki/tls/certs/ca-bundle.crt

So I tried providing this in the twine upload command using the --cert option. But then also it's not working and failing with the same error.

twine upload --config-file .pypirc   --cert /etc/pki/tls/certs/ca-bundle.crt  -r pypi dist/*

Python version used is 3.6. Please find below the list of library versions.

certifi==2020.4.5
setuptools==46.1.3
wheel==0.34.2
twine==3.1.1
pyOpenSSL==19.1.0

3 Answers

4

For some reason it didn't work for me even after providing the certificate using the --cert option. It might be some issue with the certificate. Then I came across the below hack to skip SSL verification in the Python requests library:

Disable Python requests SSL validation for an imported module

(For anyone who doesn't know, twine under the hood also uses the Python requests library.)

Following this, I tried the below command and it worked!

export CURL_CA_BUNDLE="" && twine upload ...

0

I just posted on another thread that setting CURL_CA_BUNDLE to an empty string doesn't seem to work anymore; but setting it to the .crt file itself does work for me. Granted, I had a cert that was working fine in the browser and probably via curl like in the OP example.

0

The option to disable certificate verification was removed in requests==2.28.0 since it was considered a bug.

A workaround therefore is to install requests==2.27.0 before pushing to the registry.

pip install requests==2.27.0     
export CURL_CA_BUNDLE="" && twine upload ...
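
A preflight check for the environment handling discussed in the answers above, as an added example that is not part of the original posts or of twine/requests: it reports which CA bundle a requests-based tool would pick up and whether that file actually loads. The function names are hypothetical, and the REQUESTS_CA_BUNDLE-before-CURL_CA_BUNDLE precedence is taken from the requests documentation rather than from this page.

```python
import os
import ssl
import sys


def effective_ca_setting(env):
    # requests reads REQUESTS_CA_BUNDLE first and falls back to CURL_CA_BUNDLE;
    # None means neither is set, so the certifi bundle is used.
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")


def check_upload_env(env=None):
    """Classify the CA configuration a requests-based tool would pick up.

    Returns (status, detail) with status one of: "default", "disabled",
    "missing", "unloadable", "ok".
    """
    env = os.environ if env is None else env
    value = effective_ca_setting(env)
    if value is None:
        return "default", "no override, certifi bundle is used"
    if value == "":
        # The empty-string trick from the answers: verification is off on
        # requests releases before 2.28.0.
        return "disabled", "CA bundle variable is set to an empty string"
    if not os.path.exists(value):
        return "missing", value
    # Load only this bundle, so the count reflects the file itself.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=value)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "unloadable", str(exc)
    return "ok", "%d CA certificates loaded" % ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    status, detail = check_upload_env()
    print(status + ": " + detail)
    # Fail the pipeline step unless the trust configuration is usable.
    sys.exit(0 if status in ("default", "ok") else 1)
```

Run as a script before `twine upload` in a build job, it exits non-zero when the variable is empty or points at a file OpenSSL cannot load.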
