Bug 196357

Summary: lang/python27: SSL certificate verification error, Python not finding SSL pem file
Product: Ports & Packages
Reporter: Tony Narlock <tony>
Component: Individual Port(s)
Assignee: Kubilay Kocak <koobs>
Status: Closed FIXED
Severity: Affects Many People
CC: lukasz
Priority: Normal
Keywords: easy, regression
Version: Latest
Flags: koobs: maintainer-feedback+
Hardware: Any
OS: Any
Bug Depends on: 196431
Bug Blocks:
Attachments:
  Info on installed python package (flags: none)

Description Tony Narlock 2014-12-29 17:20:58 UTC
Created attachment 151077 [details]
Info on installed python package

So far I haven't been able to find a ticket that shows this behavior. I'm also trying to determine whether or not this is a bug, because I think that ports are supposed to install their dependencies to /usr/local (expected behavior?)

http://unix.stackexchange.com/questions/176294/what-should-i-do-about-python-2-7-9-not-looking-for-ssl-certificates-in-the-righ

I got this when using `python setup.py register`.

> $ python setup.py register
> running register
> running egg_info
> writing requirements to tmuxp.egg-info/requires.txt
> writing tmuxp.egg-info/PKG-INFO
> writing top-level names to tmuxp.egg-info/top_level.txt
> writing dependency_links to tmuxp.egg-info/dependency_links.txt
> writing entry points to tmuxp.egg-info/entry_points.txt
> reading manifest file 'tmuxp.egg-info/SOURCES.txt'
> reading manifest template 'MANIFEST.in'
> warning: no files found matching 'package_metadata.py'
> writing manifest file 'tmuxp.egg-info/SOURCES.txt'
> running check
> warning: check: Could not finish the parsing.

> Registering tmuxp to https://pypi.python.org/pypi
> Server response (500): <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] 
> certificate verify failed (_ssl.c:581)>

I can fix it by using 

> sudo ln -s /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem

As mentioned in the stackexchange post. Another commenter there also said they didn't find an issue for this. I'd guess some (possibly many) people are experiencing this. 

> $ which python
> /usr/local/bin/python
> tony at x230 in /tmp 
> $ /usr/local/bin/python --version
> Python 2.7.9
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2014-12-29 17:20:58 UTC
Auto-assigned to maintainer python@FreeBSD.org
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2014-12-30 00:03:54 UTC
Thank you for the report Tony
Comment 3 Antoine Brodin freebsd_committer freebsd_triage 2014-12-30 07:11:19 UTC
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/ssl/certs')

Another workaround is to set environment variable SSL_CERT_FILE to /usr/local/etc/ssl/cert.pem
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2015-01-02 07:21:50 UTC
Blocking bug 196431 covers Ports OpenSSL
Blocking bug 189811 covers Base OpenSSL
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2015-02-09 09:49:30 UTC
Author: koobs
Date: Mon Feb  9 09:44:29 UTC 2015
New revision: 378720
URL: https://svnweb.freebsd.org/changeset/ports/378720

Log:
  security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers

  Since 2.7.9, Python verifies SSL certificates by default. Currently,
  even with security/ca_root_nss installed, Python fails certificate
  verification.

  Upon investigation, Python uses OpenSSL's standard
  SSL_CTX_load_verify_locations function to load a list of CA root
  certificates.

  Support was added to ca_root_nss for "out of the box" certificate
  verification for a number of base utilities in r372629 [1], but this
  did not include support for software that uses OpenSSL's
  SSL_CTX_load_verify_locations function.

  [1] https://svnweb.freebsd.org/changeset/ports/372629

  OpenSSL defaults (at compile time) to the following paths and filenames
  for certificate and CAFile lookup:

  Base:
    SSL_CERT_DIR=/etc/ssl/certs
    SSL_CERT_FILE=/etc/ssl/cert.pem

  Ports:
    SSL_CERT_DIR=/usr/local/openssl/certs
    SSL_CERT_FILE=/usr/local/openssl/cert.pem

  This change installs a symlink which points to the root certificate
  bundle in the location that OpenSSL from ports looks for them.

  This allows any and all software utilising SSL_CTX_load_verify_locations
  function to verify SSL certificates by default after installation of
  this package.

  Additionally, display a pkg-message to the user about the lack of
  warranty associated with these certificates.

  Note: This is *NOT* related to solving for SSL certificate verification
  for OpenSSL in Base, which is covered in bug 189811.

  While I'm here:

  - Add LICENSE
  - Use options helpers and OPTIONS_SUB
  - Fix typo in !!! message !!!

  PR: 196431
  Submitted by:	koobs
  Reviewed by:	jbeich
  Approved by:	maintainer timeout (1 month)

Changes:
  head/security/ca_root_nss/Makefile
  head/security/ca_root_nss/files/pkg-message.in
  head/security/ca_root_nss/pkg-plist
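The `ssl.get_default_verify_paths()` output in comment 3 (cafile=None, capath=None) and the compile-time path table in the commit log above describe the same mechanism: OpenSSL is told a CA file and CA directory at build time, the SSL_CERT_FILE / SSL_CERT_DIR environment variables override them, and if neither location exists there is no trust store and every default-verifying client fails with CERTIFICATE_VERIFY_FAILED. The script below is an added example, not code from this bug, from CPython or from the FreeBSD ports tree. It reimplements the lookup rule that CPython's `ssl.get_default_verify_paths()` applies (env var overrides compiled default, missing location becomes None) with the environment and filesystem checks injectable, so the exact state from comment 3 can be reproduced on any machine, and it prints the two workarounds used in this bug. Function names and the bundle path `/usr/local/etc/ssl/cert.pem` passed to `workarounds()` are this example's own choices; the bundle path is the one named in the report.

```python
import os
import ssl
from collections import namedtuple

# Same field layout as ssl.DefaultVerifyPaths, so a real
# ssl.get_default_verify_paths() result can be handed to the helpers below.
VerifyPaths = namedtuple(
    "VerifyPaths",
    "cafile capath openssl_cafile_env openssl_cafile "
    "openssl_capath_env openssl_capath",
)


def resolve_verify_paths(openssl_cafile_env, openssl_cafile,
                         openssl_capath_env, openssl_capath,
                         environ=os.environ,
                         isfile=os.path.isfile, isdir=os.path.isdir):
    """Work out which CA file and CA directory OpenSSL will actually use.

    Mirrors the rule CPython applies in ssl.get_default_verify_paths(): the
    environment variables OpenSSL names (SSL_CERT_FILE, SSL_CERT_DIR) override
    the compile-time defaults, and a location that does not exist is reported
    as None. environ/isfile/isdir are injectable so the logic can be run on
    constructed data without touching the real filesystem (example helper).
    """
    cafile = environ.get(openssl_cafile_env, openssl_cafile)
    capath = environ.get(openssl_capath_env, openssl_capath)
    return VerifyPaths(
        cafile if isfile(cafile) else None,
        capath if isdir(capath) else None,
        openssl_cafile_env, openssl_cafile,
        openssl_capath_env, openssl_capath,
    )


def verification_will_fail(paths):
    """True when OpenSSL has neither a CA file nor a CA directory to load.

    That is the state behind the CERTIFICATE_VERIFY_FAILED in this bug: with
    no trust store, no server certificate can chain to anything.
    """
    return paths.cafile is None and paths.capath is None


def workarounds(paths, bundle):
    """The two fixes used in this bug, given the path of a real CA bundle.

    On FreeBSD with security/ca_root_nss installed the bundle lives at
    /usr/local/etc/ssl/cert.pem (path taken from the report).
    """
    return [
        "%s=%s  (environment variable, per process)"
        % (paths.openssl_cafile_env, bundle),
        "ln -s %s %s  (symlink, system wide)"
        % (bundle, paths.openssl_cafile),
    ]


def count_trusted_cas(cafile):
    """Load a bundle into a fresh, otherwise empty context and count the CA
    certificates it provides. 0 means the file is missing, unreadable or
    contains no certificates, i.e. it would not fix verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no default certs loaded
    try:
        ctx.load_verify_locations(cafile=cafile)
    except (OSError, ssl.SSLError):
        return 0
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    live = ssl.get_default_verify_paths()
    print("compile-time defaults: cafile=%s capath=%s"
          % (live.openssl_cafile, live.openssl_capath))
    print("usable right now:      cafile=%s capath=%s"
          % (live.cafile, live.capath))
    if verification_will_fail(live):
        print("certificate verification will fail; candidate fixes:")
        for fix in workarounds(live, "/usr/local/etc/ssl/cert.pem"):
            print("  " + fix)
    elif live.cafile:
        print("CA certificates loadable from %s: %d"
              % (live.cafile, count_trusted_cas(live.cafile)))
```

Run it unmodified to see the state of the host you are on; the injectable arguments exist so the broken state from comment 3 (base OpenSSL defaults, nothing installed under /etc/ssl) can be reproduced deterministically and the SSL_CERT_FILE override checked, which is what the accompanying checks do. Note that `count_trusted_cas()` deliberately starts from a bare `SSLContext` rather than `ssl.create_default_context()`, because the latter already loads the system trust store and would hide whether the given bundle alone is usable.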
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-06-06 07:42:13 UTC
A commit references this bug:

Author: koobs
Date: Sat Jun  6 07:41:52 UTC 2015
New revision: 388657
URL: https://svnweb.freebsd.org/changeset/ports/388657

Log:
  security/ca_root_nss: Enable certificate verification (for Base OpenSSL)

  Enable the ETCSYMLINK option so that SSL certificate verification is
  enabled by default for OpenSSL in base.

  This change is the third in a set of changes [1][2] that improves the
  default configuration and behaviour of client software relying on
  OpenSSL for SSL/TLS and certificate verification.

  A symlink is installed which points to the root certificate bundle in
  the location that OpenSSL in base looks for them, as configured at build
  time [2].

  This allows any and all software utilising SSL_CTX_load_verify_locations
  function to verify SSL certificates by default after installation of
  this package.

  [1] https://svnweb.freebsd.org/changeset/ports/372629
  [2] https://svnweb.freebsd.org/changeset/ports/378720

  PR:		189811 196357
  Requested by:	many
  Submitted by:	dreamcat4 gmail com
  Approved by:	maintainer timeout (>1 year)

Changes:
  head/security/ca_root_nss/Makefile
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-06 07:48:19 UTC
Bug 189811 has been resolved (but remains open for further changes) and no longer blocks this issue.

After ports revision 388657 [1], Python will verify certificates both with OpenSSL from base *and* ports successfully, along with any other software that uses the same OpenSSL functions.

[1] https://svnweb.freebsd.org/changeset/ports/388657