Bug 196357 - lang/python27: SSL certificate verification error, Python not finding SSL pem file
Summary: lang/python27: SSL certificate verification error, Python not finding SSL pem...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Kubilay Kocak
Keywords: easy, regression
Depends on: 196431
  Show dependency treegraph
Reported: 2014-12-29 17:20 UTC by Tony Narlock
Modified: 2015-06-06 07:48 UTC (History)
1 user (show)

See Also:
koobs: maintainer-feedback+

Info on installed python package (835 bytes, text/plain)
2014-12-29 17:20 UTC, Tony Narlock
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tony Narlock 2014-12-29 17:20:58 UTC
Created attachment 151077 [details]
Info on installed python package

So far I haven't been able to find ticket shows this behavior. I'm also trying to determine whether or not this is a bug, because I think that ports are supposed to install their dependencies to /usr/local (expected behavior?)


I got this when using `python setup.py register`.

> $ python setup.py register
> running register
> running egg_info
> writing requirements to tmuxp.egg-info/requires.txt
> writing tmuxp.egg-info/PKG-INFO
> writing top-level names to tmuxp.egg-info/top_level.txt
> writing dependency_links to tmuxp.egg-info/dependency_links.txt
> writing entry points to tmuxp.egg-info/entry_points.txt
> reading manifest file 'tmuxp.egg-info/SOURCES.txt'
> reading manifest template 'MANIFEST.in'
> warning: no files found matching 'package_metadata.py'
> writing manifest file 'tmuxp.egg-info/SOURCES.txt'
> running check
> warning: check: Could not finish the parsing.

> Registering tmuxp to https://pypi.python.org/pypi
> Server response (500): <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] 
> certificate verify failed (_ssl.c:581)>

I can fix it by using 

> sudo ln -s /usr/local/etc/ssl/cert.pem /etc/ssl/cert.pem

As mentioned in the stackexchange post. Another commenter there also said they didn't find an issue for this. I'd guess some (possibly many) people are experiencing this. 

> $ which python
> /usr/local/bin/python
> tony at x230 in /tmp 
> $ /usr/local/bin/python --version
> Python 2.7.9
Comment 1 Bugzilla Automation freebsd_committer 2014-12-29 17:20:58 UTC
Auto-assigned to maintainer python@FreeBSD.org
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2014-12-30 00:03:54 UTC
Thank you for the report Tony
Comment 3 Antoine Brodin freebsd_committer 2014-12-30 07:11:19 UTC
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/ssl/certs')

Another workaround is to set environment variable SSL_CERT_FILE to /usr/local/etc/ssl/cert.pem
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2015-01-02 07:21:50 UTC
Blocking bug 196431 covers Ports OpenSSL
Blocking bug 189811 covers Base OpenSSL
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2015-02-09 09:49:30 UTC
Author: koobs
Date: Mon Feb  9 09:44:29 UTC 2015
New revision: 378720
URL: https://svnweb.freebsd.org/changeset/ports/378720

  security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers

  Since 2.7.9, Python verifies SSL certificates by default. Currently,
  even with security/ca_root_nss installed, Python fails certificate

  Upon investigation, Python uses OpenSSL's standard
  SSL_CTX_load_verify_locations function to load a list of CA root

  Support was added to ca_root_nss for "out of the box" certificate
  verification for a number of base utilities in r372629 [1], but this
  did not include support for software that uses OpenSSL's
  SSL_CTX_load_verify_locations function.

  [1] https://svnweb.freebsd.org/changeset/ports/372629

  OpenSSL defaults (at compile time) to the following paths and filenames
  for certificate and CAFile lookup:



  This change installs a symlink which points to the root certificate
  bundle in the location that OpenSSL from ports looks for them.

  This allows any and all software utilising SSL_CTX_load_verify_locations
  function to verify SSL certificates by default after installation of
  this package.

  Additionally, display a pkg-message to the user about the lack of
  warranty associated with these certificates.

  Note: This is *NOT* related to solving for SSL certificate verification
  for OpenSSL in Base, which is covered in bug 189811.

  While I'm here:

  - Use options helpers and OPTIONS_SUB
  - Fix typo in !!! message !!!

  PR: 196431
  Submitted by:	koobs
  Reviewed by:	jbeich
  Approved by:	maintainer timeout (1 month)

Comment 6 commit-hook freebsd_committer 2015-06-06 07:42:13 UTC
A commit references this bug:

Author: koobs
Date: Sat Jun  6 07:41:52 UTC 2015
New revision: 388657
URL: https://svnweb.freebsd.org/changeset/ports/388657

  security/ca_root_nss: Enable certificate verification (for Base OpenSSL)

  Enable the ETCSYMLINK option so that SSL certificate verification is
  enabled by default for OpenSSL in base.

  This change is the third in a set of changes [1][2] that improves the
  default configuration and behaviour of client software relying on
  OpenSSL for SSL/TLS and certificate verification.

  A symlink is installed which points to the root certificate bundle in
  the location that OpenSSL in base looks for them, as configured at build
  time [2].

  This allows any and all software utilising SSL_CTX_load_verify_locations
  function to verify SSL certificates by default after installation of
  this package.

  [1] https://svnweb.freebsd.org/changeset/ports/372629
  [2] https://svnweb.freebsd.org/changeset/ports/378720

  PR:		189811 196357
  Requested by:	many
  Submitted by:	dreamcat4 gmail com
  Approved by:	maintainer timeout (>1 year)

Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-06 07:48:19 UTC
Bug 189811 has been resolved (but remains open for further changes) and no longer blocks this issue.

After ports revision 388657 [1], Python will verify certificates both with OpenSSL from base *and* ports successfully, along with any other software that uses the same OpenSSL functions.

[1] https://svnweb.freebsd.org/changeset/ports/388657