Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Setup Python is failing with unable to get local issuer certificate error #987

Open
2 of 5 tasks
chandrakanthbala opened this issue Dec 17, 2024 · 2 comments
Open
2 of 5 tasks
Assignees
Labels
bug Something isn't working

Comments

@chandrakanthbala
Copy link

Description:
We are using self-hosted runners with GitHub Enterprise Cloud, and our enterprise is behind a proxy that requires a certificate for applications to communicate with the internet. When we try to install the setup-python, it fails with the error "unable to get local issuer certificate." How can we provide our proxy certificate to the setup-python job? Is there a way to configure pip to use system certificates?

Action version:
5.3.0

Platform:

  • Ubuntu
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Tools version:
All

Repro steps:

  1. Use setup-python action in workflow
  2. Run workflow

Expected behavior:
The specified Python version should be available for the workflow in the following steps.

Actual behavior:
Setup-python failing with below error.

Version 3.10.16 was not found in the local cache
Version 3.10.16 is available for downloading
Download from "https:/github.com/actions/python-versions/releases/download/3.10.16-12302993382/python-3.10.16-1inux-22.04-x64.tar-gZ"
Extract downloaded archive
/us/bin/tar xz --warning=no-unknown-keyword --overwrite -C /_w/_temp/35258474-fb58-47ec-98d0-e5e7a4a3c88c -f/_w/_temp/ecbac867-76f1-457c-a98d-e3417c786295
Execute installation script
Check if Python hostedtoolcache folder exist...
Creating Python hostedtoolcache folder...
Create Python 3.10.16 folder
Copy Python binaries to hostedtoolcache folder
Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
Upgrading pip...
Looking in links: /tmp/tmpt_3vpy3m
Requirement already satisfied: setuptools in /_w/_tool/Python/3.10.16/x64/lib/python3.10/site-packages (65.5.0)
Requirement already satisfied: pip in /_w/_tool/Python/3.10.16/x64/Lib/python3.10/site-packages (23.0.1)
Error: WARNING: Running pip asiche root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warning/venv
Error: WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Error: WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Error: WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Error: WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Error: WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Could not fetch URI https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool (host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLErTOr (SSLCertVerificationError (1, '[SSI: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl. c:1007) '))) - skipping
Error: ERROR: Could not find a version that satisfies the requirement pip (from versions: none)
Error: ERROR: No matching distribution found for pip
Error: The process '/usr/bin/bash' failed with exit code 1
@chandrakanthbala chandrakanthbala added bug Something isn't working needs triage labels Dec 17, 2024
@gowridurgad
Copy link
Contributor

Hello @chandrakanthbala,
Thank you for creating this issue. We will investigate it and provide feedback as soon as we have some updates.

@priyagupta108 priyagupta108 self-assigned this Dec 18, 2024
@priyagupta108
Copy link
Contributor

priyagupta108 commented Dec 23, 2024

Hello @chandrakanthbala,
To resolve the SSL certificate verification error when using self-hosted runners behind a proxy, follow these steps to configure pip to use your proxy certificates:

  1. Ensure OpenSSL is Installed:
    Make sure the self-hosted runner environment has OpenSSL libraries installed.

  2. Install Proxy Certificate:
    Ensure the proxy's certificate is available and trusted by the system. Copy the proxy's certificate to the system's trusted certificates directory and update the certificates:

    sudo cp /path/to/proxy-certificate.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates
  3. Configure pip to use the Proxy Certificate:
    You can create a pip.conf file in the runner environment to use the system certificates. Add the following to the pip.conf file:

    [global]
    cert = /path/to/your/proxy/certificate.crt

    Refer to pip configuration files for how to locate your pip.conf, or where to put it if you need to create one.

  4. Use the REQUESTS_CA_BUNDLE Environment Variable:
    Set the REQUESTS_CA_BUNDLE environment variable to point to your proxy certificate. Add the following step before the setup-python action in your workflow YAML:

    steps:
      - name: Set up proxy certificate
        run: echo "REQUESTS_CA_BUNDLE=/path/to/your/proxy/certificate.crt" >> $GITHUB_ENV
      - uses: actions/setup-python@v5
        with:
          python-version: '3.10'

    Replace /path/to/your/proxy/certificate.crt with the actual path to your proxy certificate.

By following these steps, you should be able to configure the setup-python action to use the proxy certificate and resolve the SSL certificate verification error.

Additionally, could you please confirm whether you are experiencing this issue with Python version 3.10.15 as well, or is it only occurring with version 3.10.16? Also, could you provide more details about the self-hosted runner you are using? Specifically, are you using a containerized environment?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants