On 03.06.25 17:22, Henry Hartley via Mailman-users wrote:
I'm having problems installing mailman3 following the instructions on https://docs.mailman3.org/en/latest/install/virtualenv.html Everything goes well until I get to the Installing Mailman Core<https://docs.mailman3.org/en/latest/install/virtualenv.html#installing-mailm...> step, which has me do the following in my venv environment:
(venv)$ pip install wheel mailman psycopg2-binary
Ubuntu 24.04.02 LTS Python 3.12.3 pip version 24.0
First, I was getting problems because my company firewall was blocking outbound traffic. I got that taken care of. Next, I was seeing certificate errors, saying there was a self-signed certificate:
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))': /simple/wheel/ Could not fetch URL https://pypi.org/simple/wheel/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/wheel/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))) - skipping
There is no self-signed certificate in the chain, when I check it. I guess, there is a proxy somewhere which has a different certificate.
Run
$ openssl s_client -connect pypi.org:443 -showcerts
to check what certificate is presented. It should be something like:
Connecting to 2a04:4e42::223 CONNECTED(00000003) depth=2 OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign verify return:1 depth=1 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1 verify return:1 depth=0 CN=pypi.org verify return:1
Certificate chain 0 s:CN=pypi.org i:C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Feb 24 04:28:22 2025 GMT; NotAfter: Mar 28 04:28:21 2026 GMT ... 1 s:C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1 i:OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Oct 16 03:08:04 2024 GMT; NotAfter: Oct 16 00:00:00 2026 GMT ... Server certificate subject=CN=pypi.org issuer=C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1 ...
When I added --trusted-host pypi.org that error went away but I'm still unable to install anything:
Never ever do that. Find out what is happening. Either something bad is interfering with your network traffic. Or there is a proxy and the chain is different. In the latter case, you will see lots of issue until you have configured your system correctly for the proxy in place...
But never ever simply turn off security and try to install something through broken security. It defies the whole purpose of security and certificates if you simply turn it off or try to ignore it.
-Gerald