Bug 2015326 - Ships a seed pip with vendored ca that can't talk to LE sites
Summary: Ships a seed pip with vendored ca that can't talk to LE sites
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-virtualenv
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Charalampos Stratakis
QA Contact: Lukáš Zachar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-18 23:15 UTC by Ian Wienand
Modified: 2022-01-11 17:42 UTC (History)
CC List: 6 users

Fixed In Version: python-virtualenv-15.1.0-5.el7_9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-11 17:36:03 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-100178 0 None None None 2021-10-18 23:17:15 UTC
Red Hat Product Errata RHBA-2022:0068 0 None None None 2022-01-11 17:36:06 UTC

Description Ian Wienand 2021-10-18 23:15:02 UTC
python-virtualenv 0:15.1.0-4.el7_7 ships a seed pip that vendors requests with a cacert.pem that cannot connect to LetsEncrypt sites after the DST Root CA X3 signature expiration (https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/)

Perhaps not many have noticed because pypi will still work -- but any attempts to connect to sites with certs issued by LetsEncrypt will fail.  For example, below I show an example of getting requirements from opendev.

# yum info python-virtualenv
Name        : python-virtualenv
Arch        : noarch
Version     : 15.1.0
Release     : 4.el7_7

# repoquery --list '*python-virtualenv*'
...
/usr/lib/python2.7/site-packages/virtualenv_support/pip-9.0.1-py2.py3-none-any.whl
...

# virtualenv /tmp/venv
....

# /tmp/venv/bin/pip install --constraint https://opendev.org/openstack/requirements/raw/stable/stein/upper-constraints.txt --upgrade pip setuptools wheel
Exception:
Traceback (most recent call last):
  File "/tmp/venv/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/tmp/venv/lib/python2.7/site-packages/pip/commands/install.py", line 312, in run
    wheel_cache
  File "/tmp/venv/lib/python2.7/site-packages/pip/basecommand.py", line 269, in populate_requirement_set
    session=session, wheel_cache=wheel_cache):
  File "/tmp/venv/lib/python2.7/site-packages/pip/req/req_file.py", line 84, in parse_requirements
    filename, comes_from=comes_from, session=session
  File "/tmp/venv/lib/python2.7/site-packages/pip/download.py", line 417, in get_file_content
    resp = session.get(url)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 510, in get
    return self.request('GET', url, **kwargs)
  File "/tmp/venv/lib/python2.7/site-packages/pip/download.py", line 386, in request
    return super(PipSession, self).request(method, url, *args, **kwargs)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 497, in request
    resp = self.send(prep, **send_kwargs)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 639, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 203, in resolve_redirects
    **adapter_kwargs
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/cachecontrol/adapter.py", line 47, in send
    resp = super(CacheControlAdapter, self).send(request, **kw)
  File "/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
You are using pip version 9.0.1, however version 21.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

# ls -l /tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/cacert.pem
-rw-r--r--. 1 root root 344712 Oct 18 23:05 /tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/cacert.pem

Comment 3 Ian Wienand 2021-10-19 00:16:53 UTC
Additionally, if you do upgrade to the latest pip for python2 (20.3.4), it has switched to certifi, which does include this cert -- however now OpenSSL 1.0.2 as on centos doesn't ignore the expired certificate per https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ -- so it still doesn't work.

This is fairly annoying because even if this package fixes its vendored cacert.pem file to add the ISRG Root X1 certificate; upgrading pip in a virtualenv will drag back in a version that doesn't work again.

I think to solve this virtualenv would have to vendor a pip 20.3.4 with a fixed cacert.pem for centos7's openssl 1.0.2.  Since pip won't release any new versions for python2, that should keep things working (as long as you don't re-install *over* the seed pip in the virtualenv, I guess?)

Comment 10 Christian Heimes 2021-11-04 14:01:48 UTC
Do you have PyOpenSSL installed on the client? Python's ssl module sets a flag that works around expired root and intermediate certs. PyOpenSSL does not set the flag. If you have PyOpenSSL installed, then older requests uses PyOpenSSL.
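
The two checks a practitioner would want after reading the description and Comment 10, as an added example that is not part of this bug report, of python-virtualenv or of pip: a stdlib-only Python 3 inspector that walks a PEM bundle such as the seed pip's vendored cacert.pem and reports whether ISRG Root X1 is present and which self-signed roots have expired (DST Root CA X3 after 2021-09-30 14:01:15 UTC), plus a check of whether an SSLContext carries X509_V_FLAG_TRUSTED_FIRST, the flag Comment 10 refers to. The two certificates in the sample bundle are constructed stand-ins carrying the published validity dates of the real roots but placeholder keys and signatures; all function names (parse_bundle, inspect_bundle, prefers_local_trust_anchors, make_test_root) are mine, not pip's or requests'.

```python
"""Inspect a PEM CA bundle (e.g. the cacert.pem that pip 9.0.1 vendors inside
requests) for the roots that matter after the DST Root CA X3 expiry, and check
whether an SSLContext sets X509_V_FLAG_TRUSTED_FIRST.  Stdlib only; the DER walk
reads CN, issuer CN and notAfter and verifies no signatures."""
import base64, re, ssl
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"                                 # id-at-commonName 2.5.4.3
UTC = timezone.utc
REPORT_DATE = datetime(2021, 10, 18, 23, 15, tzinfo=UTC)  # when this bug was filed

def _tlv(data, pos):
    """One DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """All TLVs packed inside a constructed value (SEQUENCE / SET)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _common_name(name_der):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_CN:
                return val.decode("utf-8", "replace")
    return None

def _time(tag, value):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=UTC)

def parse_certificate(der):
    """Subject CN, issuer CN and notAfter of one DER certificate."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)           # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:            # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    return {"subject": _common_name(fields[4][1]), "issuer": _common_name(fields[2][1]),
            "not_after": _time(*_children(fields[3][1])[1])}

def parse_bundle(pem):
    """Every certificate in a PEM bundle, in file order."""
    return [parse_certificate(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem)]

def inspect_bundle(pem, now=None):
    """What a pip/requests user needs to know about a cacert.pem after 2021-09-30."""
    now, certs = now or datetime.now(UTC), parse_bundle(pem)
    return {"count": len(certs),
            "has_isrg_root_x1": any(c["subject"] == "ISRG Root X1" for c in certs),
            # self-signed entries (subject == issuer) whose notAfter has passed
            "expired_roots": sorted(c["subject"] for c in certs
                                    if c["subject"] == c["issuer"] and c["not_after"] < now)}

def prefers_local_trust_anchors(ctx=None):
    """Comment 10's flag: with X509_V_FLAG_TRUSTED_FIRST OpenSSL uses the local ISRG
    Root X1 instead of following the served cross-sign down to the expired DST Root
    CA X3.  Python's ssl sets it on every context; a PyOpenSSL context does not."""
    ctx = ctx or ssl.create_default_context()
    return bool(ctx.verify_flags & ssl.VERIFY_X509_TRUSTED_FIRST)

# --- constructed test data: stand-ins for the two roots with their published validity
# --- dates but a placeholder key and signature (parsed here, never given to OpenSSL)
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def make_test_root(cn, not_before, not_after):
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, utc(not_before) + utc(not_after)) + name + _der(0x30, alg + _der(0x03, b"\x00")))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"

OLD_BUNDLE = make_test_root("DST Root CA X3", datetime(2000, 9, 30, 21, 12, 19, tzinfo=UTC),
                            datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))
FIXED_BUNDLE = OLD_BUNDLE + make_test_root("ISRG Root X1", datetime(2015, 6, 4, 11, 4, 38, tzinfo=UTC),
                                           datetime(2035, 6, 4, 11, 4, 38, tzinfo=UTC))

if __name__ == "__main__":
    for label, bundle in (("pip 9 bundle", OLD_BUNDLE), ("with ISRG Root X1", FIXED_BUNDLE)):
        print(label, inspect_bundle(bundle, now=REPORT_DATE))
    print("ssl prefers local anchors:", prefers_local_trust_anchors())
```

To run it against a real seed pip, feed parse_bundle the bytes of the path from the report (/tmp/venv/lib/python2.7/site-packages/pip/_vendor/requests/cacert.pem) from a Python 3 interpreter; the venv itself being Python 2 does not matter, only the file is read. A bundle that has ISRG Root X1 is necessary but, per Comment 3, not sufficient on OpenSSL 1.0.2: the client also has to prefer the local anchor over the served cross-signed chain, which is what the second function checks for a Python ssl context and what a PyOpenSSL-backed requests does not do by default.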

Comment 22 errata-xmlrpc 2022-01-11 17:36:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (python-virtualenv bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0068

