Unable to install packages behind corporate firewall/vpn

[drorata]

• Poetry version: Poetry (version 1.2.2)
• Python version: 3.10.2
• OS version and name: Windows 10
• pyproject.toml:

[tool.poetry]
name = "pyspark_write_demo"
version = "0.1.0"
description = ""
authors = ["Dror Atariah"]

[tool.poetry.dependencies]
python = "^3.9"
pyspark = "^3.3.0"
pandas = "^1.5.0"
faker = "^15.0.0"

[tool.poetry.dev-dependencies]
black = {version = "^22.8.0", allow-prereleases = true}

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"

• I am on the latest stable Poetry version, installed using a recommended method.
• I have searched the issues of this repo and believe that this is not a duplicate.
• I have consulted the FAQ and blog for any relevant entries or release notes.
• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

Following on this comment #2839 (comment), I'm reporting that I still have an issue with installing packages using poetry:

  SSLCertVerificationError

  [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

  at ~\.pyenv\pyenv-win\versions\3.10.2\lib\ssl.py:1341 in do_handshake
      1337│         timeout = self.gettimeout()
      1338│         try:
      1339│             if timeout == 0.0 and block:
      1340│                 self.settimeout(None)
    → 1341│             self._sslobj.do_handshake()
      1342│         finally:
      1343│             self.settimeout(timeout)
      1344│
      1345│     def _real_connect(self, addr, connect_ex):

The following error occurred when trying to handle this error:


  MaxRetryError

  HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /pypi/six/1.16.0/json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

  at ~\AppData\Roaming\pypoetry\venv\lib\site-packages\urllib3\util\retry.py:592 in increment
      588│             history=history,
      589│         )
      590│
      591│         if new_retry.is_exhausted():
    → 592│             raise MaxRetryError(_pool, url, error or ResponseError(cause))
      593│
      594│         log.debug("Incremented Retry for (url='%s'): %r", url, new_retry)
      595│
      596│         return new_retry

The following error occurred when trying to handle this error:


  SSLError

  HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /pypi/six/1.16.0/json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

  at ~\AppData\Roaming\pypoetry\venv\lib\site-packages\requests\adapters.py:563 in send
      559│                 raise ProxyError(e, request=request)
      560│
      561│             if isinstance(e.reason, _SSLError):
      562│                 # This branch is for urllib3 v1.22 and later.
    → 563│                 raise SSLError(e, request=request)
      564│
      565│             raise ConnectionError(e, request=request)
      566│
      567│         except ClosedPoolError as e:

[neersighted]

Hi @drorata -- this is either a duplicate of #1012 or #1632 depending on if you are trying to make Poetry handshake against MITM style proxy, or are trying to instead redirect all requests against PyPI to a different index.

My response in the issue you linked was to the original issue, which had an odd situation where configuring an additional source with a custom cert tried to apply that cert to PyPI. That is no longer reproducible, and is not the same as your issue.

In your reproduction, you do not appear to have turned off SSL verification. In #1012 (comment) I tried to walk you through what was happening and what issues you can encounter. For a long-form discussion and debugging of this process, see #6681.

In short, Poetry currently is in a weird spot where you can turn off all it's SSL validation, but it can be difficult to get it to work for pip as well. This will hopefully improve as we further decouple from pip.

If you are able to provide a complete certificate bundle via REQUESTS_CA_BUNDLE, it will work for both Poetry and pip (and Poetry's usage of pip) as per #1012. However, this can be hard on a non-Unix system. This mostly relates to the SSL certificate management system being pretty rough overall in Python due to the use of OpenSSL exclusively, and tight coupling to Unix-style certificate management -- there is a promise of a better future, but that is a ways away.

I'm going to close this for now as a duplicate of either of the two issues I linked. If you would like to see if anyone wants to give you hands-on help getting REQUESTS_CA_BUNDLE or another method of getting pip and Poetry to align on verification working, I'd suggest creating a Discussion or joining Discord. The Discussion I linked is also pretty thorough at solving and explaining this on a Unix system, if you want to give that a once-over.

[bobseboy]

I experienced what @neersighted described above with the custom cert and additional source. I solved this by simply correcting an error in specifying the priority of the source. It worked for me to go with the following in my pyproject.toml file:
priority = 'default'

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.