On 03.06.25 17:22, Henry Hartley via Mailman-users wrote:
I'm having problems installing mailman3 following the instructions on 
https://docs.mailman3.org/en/latest/install/virtualenv.html Everything goes well 
until I get to the Installing Mailman 
Core<https://docs.mailman3.org/en/latest/install/virtualenv.html#installing-mailman-core>
 step, which has me do the following in my venv environment:

(venv)$ pip install wheel mailman psycopg2-binary

Ubuntu 24.04.02 LTS
Python 3.12.3
pip version 24.0

First, I was getting problems because my company firewall was blocking outbound 
traffic. I got that taken care of. Next, I was seeing certificate errors, 
saying there was a self-signed certificate:

WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, 
status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, 
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed 
certificate in certificate chain (_ssl.c:1000)'))': /simple/wheel/
Could not fetch URL https://pypi.org/simple/wheel/: There was a problem 
confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): 
Max retries exceeded with url: /simple/wheel/ (Caused by 
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed: self-signed certificate in certificate chain 
(_ssl.c:1000)'))) - skipping

There is no self-signed certificate in the chain, when I check it. I guess, there is a proxy somewhere which has a different certificate.

Run

$ openssl s_client -connect pypi.org:443 -showcerts

to check what certificate is presented. It should be something like:

Connecting to 2a04:4e42::223
CONNECTED(00000003)
depth=2 OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
verify return:1
depth=1 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1
verify return:1
depth=0 CN=pypi.org
verify return:1
---
Certificate chain
 0 s:CN=pypi.org
   i:C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 24 04:28:22 2025 GMT; NotAfter: Mar 28 04:28:21 2026 GMT
...
 1 s:C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1
   i:OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 16 03:08:04 2024 GMT; NotAfter: Oct 16 00:00:00 2026 GMT
...
Server certificate
subject=CN=pypi.org
issuer=C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1
...

When I added --trusted-host pypi.org that error went away but I'm still unable 
to install anything:

Never ever do that. Find out what is happening. Either something bad is interfering with your network traffic. Or there is a proxy and the chain is different. In the latter case, you will see lots of issue until you have configured your system correctly for the proxy in place...

But never ever simply turn off security and try to install something through broken security. It defies the whole purpose of security and certificates if you simply turn it off or try to ignore it.

-Gerald
_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
To unsubscribe send an email to mailman-users-le...@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at: 
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/SKIR2LETMWQ45MH2MVAUZZNQ43JCOGKR/

This message sent to arch...@mail-archive.com

Reply via email to