Python – easy_install and pip fail with SSL warnings

Tags: openssl, pip, python, rhel6, sni

I'm looking after some RHEL6 servers and trying to set them up to use an internal PyPI server (proxied by Nexus 3).

The problem is that our internal PyPI server is one of several SSL VHosts on the same Nginx server, and Python 2.6 is not SNI compatible; thus, easy_install fails because it's trying to download from the wrong Vhost URL and pip fails with SNIMissingWarning and InsecurePlatformWarning.

I looked at the advice on https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings but it seems this is a workaround for your own scripts; it doesn't address problems in Python itself. I installed urllib3 and the associated packages anyway, and the problem remains.

[root@foo.internal ~]# pip install --index https://nexus3.internal/repository/pypi-proxy/simple twine
DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Collecting twine
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Could not fetch URL https://nexus3.internal/repository/pypi-proxy/simple/twine/: There was a problem confirming the ssl certificate: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - skipping
  Could not find a version that satisfies the requirement twine (from versions: )
No matching distribution found for twine

Best Answer

Simply have a look at the link provided in the error message ;)

https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning

SNIMissingWarning

This happens on Python 2 versions older than 2.7.9. These older versions lack SNI support. This can cause servers to present a certificate that the client thinks is invalid. Follow the pyOpenSSL guide to resolve this warning.


The pyOpenSSL link returns:

Certificate verification in Python 2

Older versions of Python 2 are built with an ssl module that lacks SNI support and can lag behind security updates. For these reasons it’s recommended to use pyOpenSSL.

If you install urllib3 with the secure extra, all required packages for certificate verification on Python 2 will be installed:

pip install urllib3[secure]

If you want to install the packages manually, you will need pyOpenSSL, cryptography, idna, and certifi
