pip upgrade ignores locally installed Certificate Authorities #10548

Closed
1 task done
artyom-beilis opened this issue Oct 6, 2021 · 8 comments
Labels
C: network connectivity project: vendored dependency Related to a vendored dependency resolution: no action When the resolution is to not do anything

Comments

@artyom-beilis

Description

pip install --upgrade pip ignores locally installed SSL CA

Expected behavior

After upgrade locally installed certificate authorities should be respected

pip version

21.2.4

Python version

3.6

OS

Linux

How to Reproduce

Run behind an SSL inspection proxy with its certificate installed

Create venv

python3 -m venv /tmp/test5
source /tmp/test5/bin/activate
pip install numpy

Upgrade pip

pip install --upgrade pip
pip install six

Output

Working output

    Collecting pip
      Using cached https://files.pythonhosted.org/packages/ca/31/b88ef447d595963c01060998cb329251648acf4a067721b0452c45527eb8/pip-21.2.4-py3-none-any.whl


Failed Output:

    WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/six


@artyom-beilis artyom-beilis added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Oct 6, 2021
@artyom-beilis (Author)

Note: the CA file

{VENVROOT}/lib/python3.6/site-packages/pip/_vendor/certifi/cacert.pem

must be taken from the system rather than from the pip package.

uranusjr (Member) commented Oct 6, 2021

Pip already provides mechanisms to specify a certificate file anywhere on the system:

https://pip.pypa.io/en/stable/cli/pip/#cmdoption-cert

This can be set with a command argument, or via either a configuration file or environment variable. Are those methods not viable, and why not?

@uranusjr uranusjr removed the type: bug A confirmed bug or unintended behavior label Oct 6, 2021
artyom-beilis (Author) commented Oct 6, 2021

I'm aware of this. But the problem is that by default the system certificate isn't taken, which is unexpected behaviour. In many locations systems run behind SSL inspectors that require having a local CA installed.

This is a normal environment, and it is expected not to break the environment upon upgrade, since it is something system-wide.

uranusjr (Member) commented Oct 6, 2021

> But the problem is that by default system certificate isn't taken which is unexpected behaviour. In many locations systems run behind SSL Inspectors that require having local CA installed.

Could you elaborate on this? From my understanding, most third-party web browsers, including Firefox and Google Chrome, for example, use their own CA store by default, not the system store. You may argue pip should have a "use system store" switch (Firefox does IIUC), but doing it by default is by no means a global consensus.

artyom-beilis (Author) commented Oct 6, 2021

> But the problem is that by default system certificate isn't taken which is unexpected behaviour. In many locations systems run behind SSL Inspectors that require having local CA installed.

> Could you elaborate on this? From my understanding, most third-party web browsers, including Firefox and Google Chrome, for example, use their own CA store by default, not the system store. You may argue pip should have a "use system store" switch (Firefox does IIUC), but doing it by default is by no means a global consensus.

Not exactly. Firefox is indeed using its own CA store for two reasons: (a) they want users to explicitly install a CA to make sure they understand the effects on the user, i.e. a potential man-in-the-middle; (b) they don't have a way to distinguish between an original and an admin-installed CA.

AFAIR Chrome does use the system-wide CA (unless something changed recently), as do other browsers and tools (wget/curl and so on).

pfmoore (Member) commented Oct 6, 2021

TBH, this is a wider question than just pip. Your argument applies equally to requests (which is what pip uses to do its HTTP requests) and even further back to core Python. I know there have been discussions about this on the core Python lists, I don't know what requests' position is. But I think you should raise this with them (and pip's position should be "we follow what our HTTP library, currently requests, does").

artyom-beilis (Author) commented Oct 6, 2021

If so, the bigger question is why certifi and pip install their own CA list and you need to handle it everywhere.

Consider the following scenario.

I have a running system with multiple packages, pip, requests, etc., etc. Now we move it behind an SSL inspection system. Everything is broken and you need to update each and every package manually. BTW, pip uses a separate CA DB.

So basically everything is broken instead of using the CA installed by the system administrator of the organisation.

I mean it has to be at least centralised and not put in each and every possible tool to do whatever it likes: how pip is different from curl, or wget or 101 other tools?

pradyunsg (Member) commented Oct 6, 2021

The way to make pip use the system certificate store is to explicitly point pip at it.

I’ll add that basically every single corporation that I know of (including multi billion dollar ones) that do use SSL inspection, also tell their users to configure pip to explicitly use the certificate store that they provide. I recommend you do the same.

If you don’t want to do that, and instead would like to argue that the default behaviour should be to use the system store, please take that up with the Python standard library and requests, which is effectively where we inherit this from. I’m going to go ahead and close this, because this isn’t something that pip is going to change on its own. You’re going to have to take this up with the wider Python ecosystem, and I wish you best of luck for doing that.
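The configuration route that uranusjr and pradyunsg describe, written out as an added shell example (it is not pip's code and not part of the thread). It locates the distribution's CA bundle, writes `cert = <bundle>` into a pip config file, and reads the setting back as a check. The candidate paths are the usual Debian/Ubuntu, RHEL/Fedora, openSUSE and Alpine/macOS locations and are an assumption about the target host; the optional root prefix argument is a hypothetical convenience so the helpers can be exercised against a constructed directory tree. The point of doing it this way rather than overwriting `pip/_vendor/certifi/cacert.pem` as the report describes: the vendored file lives inside the pip package and is replaced by `pip install --upgrade pip`, whereas the config file lives outside it and survives the upgrade.

```shell
#!/bin/sh
# Added example, not pip's own code: make pip verify TLS against the system
# CA bundle via pip's configuration instead of editing the vendored
# certifi cacert.pem (which pip install --upgrade pip overwrites).
#
# Assumptions: the bundle paths below are where common distributions keep
# the system trust store; the optional root prefix ($1) is a hypothetical
# helper so the functions can be tested against a constructed tree.

# Print the first readable PEM bundle under "$1" (default "/"); fail if none.
find_system_ca_bundle() {
  root="${1:-}"
  for rel in etc/ssl/certs/ca-certificates.crt \
             etc/pki/tls/certs/ca-bundle.crt \
             etc/ssl/ca-bundle.pem \
             etc/ssl/cert.pem; do
    p="$root/$rel"
    # Require at least one PEM block so an empty placeholder file is skipped.
    if [ -r "$p" ] && grep -q 'BEGIN CERTIFICATE' "$p"; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# Number of PEM certificates in a bundle; a quick check that the
# administrator's inspection CA actually landed in the file pip will use.
count_pem_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Write a pip config file ($2) that sets cert = $1 in the [global] section.
# pip reads $PIP_CONFIG_FILE if set, otherwise (on Linux)
# $XDG_CONFIG_HOME/pip/pip.conf or ~/.config/pip/pip.conf.
write_pip_cert_config() {
  cafile="$1"
  conf="$2"
  mkdir -p "$(dirname "$conf")"
  printf '[global]\ncert = %s\n' "$cafile" > "$conf"
}

# Read the cert setting back from a pip config file (for verification).
read_pip_cert_config() {
  sed -n 's/^cert *= *//p' "$1"
}

# Dry run by default; pass --apply to write the per-user pip config.
main() {
  if cafile=$(find_system_ca_bundle); then
    echo "system CA bundle: $cafile ($(count_pem_certs "$cafile") certificates)"
    if [ "${1:-}" = "--apply" ]; then
      conf="${PIP_CONFIG_FILE:-$HOME/.config/pip/pip.conf}"
      write_pip_cert_config "$cafile" "$conf"
      echo "wrote $conf: cert = $(read_pip_cert_config "$conf")"
    fi
  else
    echo "no system CA bundle found; call write_pip_cert_config with your own path" >&2
  fi
  return 0
}

main "$@"
```

Equivalent one-liners are `pip config set global.cert /etc/ssl/certs/ca-certificates.crt` or `export PIP_CERT=/etc/ssl/certs/ca-certificates.crt` (every pip option has a `PIP_<OPTION>` environment form); `pip config list` shows what pip picked up. Two caveats: the file you point `cert` at becomes pip's only trust source, so it must contain both the public roots and the inspection CA, which is what the distribution tools (`update-ca-certificates` on Debian/Ubuntu, `update-ca-trust` on RHEL/Fedora) produce when the admin CA is added through them rather than dropped into a separate file. And, as pfmoore notes, this only covers pip; other `requests`-based tools on the same host need `REQUESTS_CA_BUNDLE` pointed at the same file.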

@pradyunsg pradyunsg added C: network connectivity project: vendored dependency Related to a vendored dependency resolution: no action When the resolution is to not do anything and removed S: needs triage Issues/PRs that need to be triaged labels Oct 6, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 6, 2021