
How to ignore security warnings thrown when using pip install to private pypi server using self signed cert

I have what I believe is a niche scenario. I have a pypi server running on a Linux server. Retrieving packages from it using:

pip install --extra-index-url http://<IP>:8080 MyPackage

Works as one would expect with the package being downloaded from the private repo.

However since introducing a self signed certificate into the equation (I do not have a domain for this IP) using the following command:

pip install --cert apache-selfsigned.crt --extra-index-url https://UN:PW@<IP>:443 MyPackage

I get the following errors (though it does still work as you can see at the bottom):


Collecting MyPackage
  Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
  Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
  Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
  Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
  Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)'),)': /simple/MyPackage/
/usr/share/python-wheels/urllib3-1.22-py2.py3-none-any.whl/urllib3/connectionpool.py:860: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
Installing collected packages: MyPackage
Successfully installed MyPackage-0.2.0

I use Apache2 to act as a reverse proxy to forward port 443 onto the pypi port.

The certificate is 'valid' but obviously not registered with a CA. It works fine for encryption and for connecting via a web browser (once I accept the 'risks'). So I know the cert/key are working correctly.

It seems highly inefficient for pip to try 5 times and fail before deciding to go ahead with the unverified certificate, is there something amiss in the cert? Or is it just that pip's dependencies don't like self signed certs, and will always fail 5 times before admitting it's ok.

When using --extra-index-url, pip will still use PyPI along your extra index when searching for a package. Unfortunately, there is no way to specify an "extra-index cert" so when you pass --cert, pip will use the cert against all index hosts including pypi.org. This is why you get the certificate verify failed errors. To circumvent this, you can:

  • Install the certificate system wide, so you don't have to pass --cert at all. The exact steps are OS-dependent, also you'll need additional steps for virtual envs.
  • Use --index-url=<IP> --cert=my.crt - beware that in that case pip will not query PyPI at all, so you will be able to install only packages that are offered by your own index. Decent index servers like devpi can act as a proxy to PyPI though, so not so much of an issue.
  • Trust the PyPI hosts: --extra-index-url=<IP> --cert=my.cert --trusted-host=pypi.org --trusted-host=files.pythonhosted.org - this will skip the PyPI hosts verification, thus unsafe and should only be a temporary workaround.
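
The effect described in the answer above, reproduced offline as an added example that is not part of the original question or answer: a trust bundle holding only the private certificate rejects every other host, while a bundle that holds the default anchors plus the private certificate verifies both without --trusted-host. The certificates, file names and the helpers make_cert, verifies_with and report are constructed for this illustration; it assumes the openssl command-line tool is installed.

```bash
#!/usr/bin/env bash
# Constructed throwaway certificates, not the asker's real ones.
# private.crt stands in for apache-selfsigned.crt; public.crt stands in for
# an anchor from the default CA bundle (the one PyPI's chain leads to).

WORK="$(mktemp -d)"

# make_cert NAME CN: create a self-signed certificate at $WORK/NAME.crt
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# verifies_with BUNDLE CERT: succeed only if CERT chains to an anchor in BUNDLE
verifies_with() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report LABEL BUNDLE CERT: print the verification outcome for one host
report() {
    if verifies_with "$2" "$3"; then
        echo "$1: verified"
    else
        echo "$1: CERTIFICATE_VERIFY_FAILED"
    fi
}

make_cert private "private-index.example"
make_cert public  "public-ca.example"

# Passing the self-signed file to --cert makes it the only trust anchor.
ONLY_PRIVATE="$WORK/private.crt"

# Combined bundle: the default anchors plus the private certificate.
COMBINED="$WORK/combined.pem"
cat "$WORK/public.crt" "$WORK/private.crt" > "$COMBINED"

report "private index, private-only bundle" "$ONLY_PRIVATE" "$WORK/private.crt"
report "PyPI stand-in, private-only bundle" "$ONLY_PRIVATE" "$WORK/public.crt"
report "private index, combined bundle" "$COMBINED" "$WORK/private.crt"
report "PyPI stand-in, combined bundle" "$COMBINED" "$WORK/public.crt"
```

With pip, the same concatenation would be applied to a copy of the default CA bundle (for example the file printed by `python -m certifi`, if certifi is installed) and apache-selfsigned.crt, with the result passed to --cert.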
