Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Setup Python is failing with unable to get local issuer certificate error #987

Open
2 of 5 tasks
chandrakanthbala opened this issue Dec 17, 2024 · 6 comments
Open
2 of 5 tasks
Assignees
Labels
bug Something isn't working

Comments

@chandrakanthbala
Copy link

Description:
We are using self-hosted runners with GitHub Enterprise Cloud, and our enterprise is behind a proxy that requires a certificate for applications to communicate with the internet. When we try to install the setup-python, it fails with the error "unable to get local issuer certificate." How can we provide our proxy certificate to the setup-python job? Is there a way to configure pip to use system certificates?

Action version:
5.3.0

Platform:

  • Ubuntu
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Tools version:
All

Repro steps:

  1. Use setup-python action in workflow
  2. Run workflow

Expected behavior:
The specified Python version should be available for the workflow in the following steps.

Actual behavior:
Setup-python failing with below error.

Version 3.10.16 was not found in the local cache
Version 3.10.16 is available for downloading
Download from "https:/github.com/actions/python-versions/releases/download/3.10.16-12302993382/python-3.10.16-1inux-22.04-x64.tar-gZ"
Extract downloaded archive
/us/bin/tar xz --warning=no-unknown-keyword --overwrite -C /_w/_temp/35258474-fb58-47ec-98d0-e5e7a4a3c88c -f/_w/_temp/ecbac867-76f1-457c-a98d-e3417c786295
Execute installation script
Check if Python hostedtoolcache folder exist...
Creating Python hostedtoolcache folder...
Create Python 3.10.16 folder
Copy Python binaries to hostedtoolcache folder
Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
Upgrading pip...
Looking in links: /tmp/tmpt_3vpy3m
Requirement already satisfied: setuptools in /_w/_tool/Python/3.10.16/x64/lib/python3.10/site-packages (65.5.0)
Requirement already satisfied: pip in /_w/_tool/Python/3.10.16/x64/Lib/python3.10/site-packages (23.0.1)
Error: WARNING: Running pip asiche root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warning/venv
Error: WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Error: WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Error: WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Error: WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Error: WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect-None, status-None)) after connection broken by 'SSLErIOI(SSICertVerificationError (1, ' [SSI: CERTIFICATE_VERIFY_FAILEDI certificate verify failed: unable to get local issuer certificate (_ss1.c:1007) '))': / simple/pip/
Could not fetch URI https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool (host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLErTOr (SSLCertVerificationError (1, '[SSI: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl. c:1007) '))) - skipping
Error: ERROR: Could not find a version that satisfies the requirement pip (from versions: none)
Error: ERROR: No matching distribution found for pip
Error: The process '/usr/bin/bash' failed with exit code 1
@chandrakanthbala chandrakanthbala added bug Something isn't working needs triage labels Dec 17, 2024
@gowridurgad
Copy link
Contributor

Hello @chandrakanthbala,
Thank you for creating this issue. We will investigate it and provide feedback as soon as we have some updates.

@priyagupta108 priyagupta108 self-assigned this Dec 18, 2024
@priyagupta108
Copy link
Contributor

priyagupta108 commented Dec 23, 2024

Hello @chandrakanthbala,
To resolve the SSL certificate verification error when using self-hosted runners behind a proxy, follow these steps to configure pip to use your proxy certificates:

  1. Ensure OpenSSL is Installed:
    Make sure the self-hosted runner environment has OpenSSL libraries installed.

  2. Install Proxy Certificate:
    Ensure the proxy's certificate is available and trusted by the system. Copy the proxy's certificate to the system's trusted certificates directory and update the certificates:

    sudo cp /path/to/proxy-certificate.crt /usr/local/share/ca-certificates/
    sudo update-ca-certificates
  3. Configure pip to use the Proxy Certificate:
    You can create a pip.conf file in the runner environment to use the system certificates. Add the following to the pip.conf file:

    [global]
    cert = /path/to/your/proxy/certificate.crt

    Refer to pip configuration files for how to locate your pip.conf, or where to put it if you need to create one.

  4. Use the REQUESTS_CA_BUNDLE Environment Variable:
    Set the REQUESTS_CA_BUNDLE environment variable to point to your proxy certificate. Add the following step before the setup-python action in your workflow YAML:

    steps:
      - name: Set up proxy certificate
        run: echo "REQUESTS_CA_BUNDLE=/path/to/your/proxy/certificate.crt" >> $GITHUB_ENV
      - uses: actions/setup-python@v5
        with:
          python-version: '3.10'

    Replace /path/to/your/proxy/certificate.crt with the actual path to your proxy certificate.

By following these steps, you should be able to configure the setup-python action to use the proxy certificate and resolve the SSL certificate verification error.

Additionally, could you please confirm whether you are experiencing this issue with Python version 3.10.15 as well, or is it only occurring with version 3.10.16? Also, could you provide more details about the self-hosted runner you are using? Specifically, are you using a containerized environment?

@chandrakanthbala
Copy link
Author

We are facing this issue for every version. Our self-hosted runners are on physical VMs. But we are running our workflows containerized.

@priyagupta108
Copy link
Contributor

@chandrakanthbala 👋,
Thank you for your response. I could not reproduce your issue. It appears to be related to the configuration of your self-hosted runner or container.
Could you please confirm if you have tried the steps I provided earlier? Additionally, it would be helpful if you could provide more details about your container environment, including:

  • Container image name and tag
  • Base image name and tag specified in the Dockerfile (e.g., FROM ubuntu:22.04)
  • Any specific configurations you are using

Please also refer to this documentation, which might be helpful for troubleshooting.

@priyagupta108
Copy link
Contributor

Hi @chandrakanthbala,
just giving you a gentle ping to see if there are any updates on your end regarding this issue? Thank you!

@chandrakanthbala
Copy link
Author

Hi

Container image name and tag - We are using custom images.
Base image name and tag specified in the Dockerfile (e.g., FROM ubuntu:22.04) - Base image is Ubuntu 22.04
Any specific configurations you are using - We added ur proxy to the image as below.

apt-get install -y ca-certificates
cp local-ca.crt /usr/local/share/ca-certificates
update-ca-certificates

Adding below step the workflow before python setup solved the issue.

  - name: Set up proxy certificate
    run: echo "REQUESTS_CA_BUNDLE=/path/to/your/proxy/certificate.crt" >> $GITHUB_ENV

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants