Bug 2015326

Summary: Ships a seed pip with vendored ca that can't talk to LE sites
Product: Red Hat Enterprise Linux 7
Reporter: Ian Wienand <iwienand>
Component: python-virtualenv
Assignee: Charalampos Stratakis <cstratak>
Status: CLOSED ERRATA
QA Contact: Lukáš Zachar <lzachar>
Severity: unspecified
Priority: unspecified
Version: 7.9
CC: cheimes, cstratak, hhorak, jreznik, pviktori, torsava
Target Milestone: rc
Keywords: Triaged, ZStream
Fixed In Version: python-virtualenv-15.1.0-5.el7_9
Doc Type: No Doc Update
Last Closed: 2022-01-11 17:36:03 UTC
Type: Bug

Description Ian Wienand 2021-10-18 23:15:02 UTC
python-virtualenv 0:15.1.0-4.el7_7 ships a seed pip that vendors requests with a cacert.pem that cannot connect to LetsEncrypt sites after the DST Root CA X3 signature expiration (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)

Perhaps not many have noticed because pypi will still work -- but any attempts to connect to sites with certs issued by LetsEncrypt will fail.  For example, below I show an example of getting requirements from opendev.

# yum info python-virtualenv
Name        : python-virtualenv
Arch        : noarch
Version     : 15.1.0
Release     : 4.el7_7

# repoquery --list '*python-virtualenv*'
...
/usr/lib/python2.7/site-packages/virtualenv_support/pip-9.0.1-py2.py3-none-any.whl
...

# virtualenv /tmp/venv
....

# /tmp/venv/bin/pip install --constraint https://opendev.org/openstack/requirements/raw/stable/stein/upper-constraints.txt --upgrade pip setuptools wheel
Exception:
Traceback (most recent call last):
  File "/tmp/venv/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/tmp/venv/lib/python2.7/site-packages/pip/commands/install.py", line 312, in run
    wheel_cache
  File "/tmp/venv/lib/python2.7/site-packages/pip/basecommand.py", line 269, in populate_requirement_set
    session=session, wheel_cache=wheel_cache):
  File "/tmp/venv/lib/python2.7/site-packages/pip/req/req_file.py", line 84, in parse_requirements
    filename, comes_from=comes_from, session=session
  File "/tmp/venv/lib/python2.7/site-packages/pip/download.py", line 417, in get_file_content
    resp = session.get(url)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 510, in get
    return self.request('GET', url, **kwargs)
  File "/tmp/venv/lib/python2.7/site-packages/pip/download.py", line 386, in request
    return super(PipSession, self).request(method, url, *args, **kwargs)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 497, in request
    resp = self.send(prep, **send_kwargs)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 639, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 203, in resolve_redirects
    **adapter_kwargs
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/cachecontrol/adapter.py", line 47, in send
    resp = super(CacheControlAdapter, self).send(request, **kw)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
You are using pip version 9.0.1, however version 21.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

# ls -l /tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/cacert.pem
-rw-r--r--. 1 root root 344712 Oct 18 23:05 /tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/cacert.pem

Comment 3 Ian Wienand 2021-10-19 00:16:53 UTC
Additionally, if you do upgrade to the latest pip for python2 (20.3.4), it has switched to certifi which does include this cert -- however now OpenSSL 1.0.2 as on centos doesn't ignore the expired certificate per https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ -- so it still doesn't work.

This is fairly annoying because even if this package fixes its vendored cacert.pem file to add the ISRG Root X1 certificate, upgrading pip in a virtualenv will drag back in a version that doesn't work again.

I think to solve this virtualenv would have to vendor a pip 20.3.4 with a fixed cacert.pem for centos7's openssl 1.0.2.  Since pip won't release any new versions for python2, that should keep things working (as long as you don't re-install *over* the seed pip in the virtualenv, I guess?)
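
The cacert.pem problem discussed in this comment, as an added example (not code from the bug report or from the python-virtualenv package): a Python 3, stdlib-only audit of a PEM bundle that reports whether ISRG Root X1 is present and which roots are already expired, which is the check to run on a seed pip's vendored bundle before trusting it to verify LetsEncrypt sites. It assumes the bundle path is passed as the first argument; the helper system_bundle_pem() is an assumed convenience for trying it against the interpreter's own trust store.

```python
"""Audit a PEM CA bundle (e.g. pip's vendored cacert.pem) with only the stdlib."""
import re
import ssl
import time

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
LE_ROOT = "ISRG Root X1"  # the root LetsEncrypt chains to once DST Root CA X3 has expired

def _common_name(subject):
    # ssl returns the subject as a tuple of RDNs, each a tuple of (key, value) pairs
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def audit_bundle(pem_text, now=None):
    """Describe the CA certificates in pem_text as a dict.

    ssl.SSLContext doubles as the X.509 parser: load_verify_locations() takes the
    PEM text and get_ca_certs() returns decoded dicts. Only CA:TRUE certificates
    come back, so "ca_certs" is lower than "pem_blocks" if leaf certs are present.
    """
    now = time.time() if now is None else now
    blocks = PEM_BLOCK.findall(pem_text)
    report = {"pem_blocks": len(blocks), "ca_certs": 0, "expired": [],
              "has_isrg_root_x1": False, "unparsable": False}
    if not blocks:  # load_verify_locations() raises on an empty bundle
        return report
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata="\n".join(blocks) + "\n")
    except ssl.SSLError:  # corrupt base64 or data that is not a certificate
        report["unparsable"] = True
        return report
    for cert in ctx.get_ca_certs():
        cn = _common_name(cert.get("subject", ()))
        report["ca_certs"] += 1
        report["has_isrg_root_x1"] |= cn == LE_ROOT
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:  # already expired at `now`
            report["expired"].append(cn)
    return report

def system_bundle_pem():
    """Build a PEM bundle from the interpreter's default trust store (demo input)."""
    ders = ssl.create_default_context().get_ca_certs(binary_form=True)
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders), len(ders)

if __name__ == "__main__":  # usage: python audit_cacert.py path/to/cacert.pem
    import sys; print(audit_bundle(open(sys.argv[1]).read()))
```

A bundle that lacks ISRG Root X1 cannot verify current LetsEncrypt chains at all; one that still lists the expired DST Root CA X3 is the case where OpenSSL 1.0.2 without the trusted-first workaround fails even when ISRG Root X1 is present.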

Comment 10 Christian Heimes 2021-11-04 14:01:48 UTC
Do you have PyOpenSSL installed on the client? Python's ssl module sets a flag that works around expired root and intermediate certs. PyOpenSSL does not set the flag. If you have PyOpenSSL installed, then older requests versions use PyOpenSSL.

Comment 22 errata-xmlrpc 2022-01-11 17:36:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (python-virtualenv bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0068