
SSL certificate failure with eups distrib #145

Open
jmeyers314 opened this issue Feb 11, 2021 · 3 comments

Comments

@jmeyers314

When attempting to use eups distrib from LLNL, I get

eups distrib: Failed to contact URL https://eups.lsst.codes/stack/osx/10.9/conda-system/miniconda3-py38_4.9.2-0.4.1/config.txt ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1124))

This only seems to happen from LLNL. Firewall related maybe?

At some time in the past few years though, I determined that inserting

```python
# begin hack
import requests
requests.packages.urllib3.disable_warnings()
import ssl
try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Legacy Python that doesn't verify HTTPS certificates by default
    pass
else:
    # Handle target environment that doesn't support HTTPS verification
    ssl._create_default_https_context = _create_unverified_https_context
# end hack
```

near the beginning of bin/eups solves my problem (I'm sure I found this on stackoverflow at some point). So my current workflow is every time I reinstall eups, I go back and remind myself to hack up this file.

Can something like this be made a command line option perhaps? Or does someone need to yell at me for inserting super dodgy code into my eups? Or any other ideas?

@ktlim
Contributor

ktlim commented Feb 12, 2021

This seems likely to be due to a security-scan HTTPS proxy, e.g. https://support.sophos.com/support/s/article/KB-000038420. The error is SSL doing its job at preventing man-in-the-middle attacks. Typically you would need to add the proxy's certificate authority (obtained from your IT/security department) to your system's database.

Turning off HTTPS certificate verification completely has a substantial risk of software corruption; eups has no other means of verifying that the packages downloaded are the same as what is intended to be distributed.

Nevertheless, an option could be added to do this with appropriate (BIG SCARY) caveats to the user.
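The following is an added example (not eups code, and not something either commenter posted) showing the alternative to the hack quoted in the opening comment: keep certificate verification on and instead trust the proxy's root CA that ktlim mentions. It assumes a PEM file path obtained from IT, passed either explicitly or through one of the environment variables that Python tooling commonly honours (`SSL_CERT_FILE`, `REQUESTS_CA_BUNDLE`, `CURL_CA_BUNDLE`); the `/path/to/proxy-root-ca.pem` value is a placeholder.

```python
"""
Fetch an HTTPS URL with certificate verification kept ON, trusting an extra
CA (e.g. a TLS-inspecting proxy's root) on top of the system store instead
of disabling verification. Added example; not eups's own code.
"""
import os
import ssl
import urllib.request
from typing import Mapping, Optional

# Environment variables commonly honoured for a custom CA bundle:
# SSL_CERT_FILE is read by OpenSSL itself, REQUESTS_CA_BUNDLE by
# requests/pip, CURL_CA_BUNDLE by curl. Checked in this order.
CA_BUNDLE_ENV_VARS = ("SSL_CERT_FILE", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def resolve_ca_bundle(env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the first configured CA bundle path, or None for system defaults."""
    env = os.environ if env is None else env
    for var in CA_BUNDLE_ENV_VARS:
        path = env.get(var)
        if path:
            return path
    return None


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context requires a valid chain AND checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def build_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a verifying TLS context. An explicit cafile is ADDED to the
    system trust store, not substituted for it, so public sites keep working."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # raises if the file is missing
    # Never silently degrade to an unverified context.
    if not is_verifying(ctx):
        raise RuntimeError("TLS context is not verifying peers")
    return ctx


def describe_trust_store() -> dict:
    """Where this interpreter's OpenSSL looks for CA certificates by default.
    Handy for finding where the proxy CA needs to be installed."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
    }


def fetch(url: str, cafile: Optional[str] = None, timeout: float = 30.0) -> bytes:
    """Download url over HTTPS with verification enforced."""
    ctx = build_context(cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("Default trust store:", describe_trust_store())
    # Placeholder path: replace with the bundle from your IT/security department.
    bundle = resolve_ca_bundle() or "/path/to/proxy-root-ca.pem"
    url = ("https://eups.lsst.codes/stack/osx/10.9/conda-system/"
           "miniconda3-py38_4.9.2-0.4.1/config.txt")
    try:
        body = fetch(url, cafile=bundle if os.path.exists(bundle) else None)
        print(body[:200])
    except ssl.SSLCertVerificationError as exc:
        # Still failing means the proxy CA is not in the chain being trusted;
        # install it rather than turning verification off.
        print("verification failed:", exc)
```

Running the script with no bundle configured reproduces the `CERTIFICATE_VERIFY_FAILED` error behind an inspecting proxy; pointing `SSL_CERT_FILE` at the proxy's root CA makes the same request succeed while the chain is still checked. `describe_trust_store()` shows which file or directory OpenSSL consults, which is where a system-wide install of the CA belongs if you prefer not to use environment variables.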

@jmeyers314
Author

jmeyers314 commented Feb 12, 2021

Thanks @ktlim. I noticed that I can see the above URL with a regular web browser, and also examine its certificates. Any idea if I can leverage this into getting it to work for eups?

@ktlim
Contributor

ktlim commented Feb 13, 2021

Some combination of things in here might help. I'm not certain, however, that conda-eups (if you're using that) will use the conda-client's certificate chain. https://stackoverflow.com/questions/39356413/how-to-add-a-custom-ca-root-certificate-to-the-ca-store-used-by-pip-in-windows
