Bug 2015326
Summary: | Ships a seed pip with vendored ca that can't talk to LE sites | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Ian Wienand <iwienand> |
Component: | python-virtualenv | Assignee: | Charalampos Stratakis <cstratak> |
Status: | CLOSED ERRATA | QA Contact: | Lukáš Zachar <lzachar> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.9 | CC: | cheimes, cstratak, hhorak, jreznik, pviktori, torsava |
Target Milestone: | rc | Keywords: | Triaged, ZStream |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | python-virtualenv-15.1.0-5.el7_9 | Doc Type: | No Doc Update |
Doc Text: | If this bug requires documentation, please select an appropriate Doc Type value. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2022-01-11 17:36:03 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ian Wienand
2021-10-18 23:15:02 UTC
Additionally, if you do upgrade to the latest pip for python2 (20.3.4) it has switched to certifi which does include this cert -- however now OpenSSL 1.0.2 as on centos doesn't ignore the expired certificate per https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ -- so it still doesn't work.

This is fairly annoying because even if this package fixes its vendored cacert.pem file to add the ISRG Root X1 certificate, upgrading pip in a virtualenv will drag back in a version that doesn't work again.

I think to solve this virtualenv would have to vendor a pip 20.3.4 with a fixed cacert.pem for centos7's openssl 1.0.2. Since pip won't release any new versions for python2, that should keep things working (as long as you don't re-install *over* the seed pip in the virtualenv, I guess?)

Do you have PyOpenSSL installed on the client? Python's ssl module sets a flag that works around expired root and intermediate certs. PyOpenSSL does not set the flag. If you have PyOpenSSL installed, then older requests use PyOpenSSL.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (python-virtualenv bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0068
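The two conditions discussed in this report (a vendored cacert.pem that lacks ISRG Root X1, and a bundle that still carries an expired root that OpenSSL 1.0.2 does not skip) can be checked with the following added example, which is not part of the bug report or of pip/virtualenv. The function names and the `SAMPLE` data are assumptions made for illustration; `SAMPLE` is constructed in the shape returned by `SSLContext.get_ca_certs()`.

```python
import ssl
import sys
import time

REQUIRED_ROOT = "ISRG Root X1"  # root certificate named in the bug report


def common_name(cert):
    """Return the subject commonName from a get_ca_certs() entry, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit(ca_certs, now=None):
    """Return (has_required_root, sorted names of expired CA certs)."""
    now = time.time() if now is None else now
    names = [common_name(c) for c in ca_certs]
    expired = sorted(
        common_name(c) or "<no CN>"
        for c in ca_certs
        if ssl.cert_time_to_seconds(c["notAfter"]) < now
    )
    return REQUIRED_ROOT in names, expired


def audit_bundle(path, now=None):
    """Load a PEM bundle (e.g. a vendored cacert.pem) and audit it."""
    ctx = ssl.create_default_context(cafile=path)  # loads only this file
    return audit(ctx.get_ca_certs(), now)


# Constructed sample data, shaped like SSLContext.get_ca_certs() output.
SAMPLE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "Example Root CA"),),),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
]

if __name__ == "__main__":
    result = audit_bundle(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE)
    print("OpenSSL: {}".format(ssl.OPENSSL_VERSION))
    print("has {}: {}, expired roots: {}".format(REQUIRED_ROOT, *result))
```

Run it with the path to the cacert.pem inside the virtualenv's pip to audit that file; a bundle is only usable against LE sites on OpenSSL 1.0.2 when the first value is true and the expired list is empty.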