Thanks to all who responded for your feedback.
Unfortunately, the firewall blocking outbound traffic isn't something I can do anything about. Servers in our "web zone" must have specific rules allowing outbound access. That's fine for Red Hat or Ubuntu repositories but this is the first machine where we are trying to install using pip, so getting the right rule in place took some experimentation and adjustment.
I did eventually get the install to work with the firewall opened for me and with a --proxy option added to the command (although I'm not 100% sure --proxy was needed).
The other thing I had to do that was different to the instructions was to use pip to install setuptools. I got to a point where I had an error message that said "ERROR: Could not find a version that satisfies the requirement setuptools>=40.8.0" but when I ran "apt install python3-setuptools" it reported that it was "already the newest version (68.1.2-2ubuntu1.2)". However, running pip install setuptools (on a whim) installed version 80.9.0. After that "pip install mailman" worked. Perhaps I should have known this. I feel that making sure setuptools is properly installed might be something to add to the installation instructions.
The next step in the instructions has me create /etc/mailman3/mailman.cfg. The first thing in that file is shown as:
[paths.here] var_dir: /opt/mailman/mm/var
Looking in /opt/mailman, there is no mm directory. Should that have been created, or is that something I need to create myself?
-- Henry Hartley Westat RB 2151
-----Original Message----- From: Gerald Vogt <vogt@spamcop.net> Sent: Tuesday, June 3, 2025 12:29 To: mailman-users@mailman3.org Subject: [MM3-users] Re: Trouble Installing Mailman3
CAUTION: External Email *
On 03.06.25 17:22, Henry Hartley via Mailman-users wrote:
I'm having problems installing mailman3 following the instructions on https://secure-web.cisco.com/1lGZ6VhIpDXnBDYduOpQfdrz5vzmVmUu1Ox4qpxrEdA3f2K... Everything goes well until I get to the Installing Mailman Core<https://secure-web.cisco.com/1XnIv9oM-wXrdCe9VFieDJykhtB-NNf5h-UB4ysN7pvWtAs...> step, which has me do the following in my venv environment:
(venv)$ pip install wheel mailman psycopg2-binary
Ubuntu 24.04.02 LTS Python 3.12.3 pip version 24.0
First, I was getting problems because my company firewall was blocking outbound traffic. I got that taken care of. Next, I was seeing certificate errors, saying there was a self-signed certificate:
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))': /simple/wheel/ Could not fetch URL https://secure-web.cisco.com/149I_kjrnLhuIpr1APuB8udvv8jCJuk0lqcI_esQ- dqwmKVpgaw1Y6LT5_dF8kBkxoIp3E5cH7c8E3NU5TFqaenv2yCcBV0jBYVDBuHgpqP9oRU OfJ6XZruLMDf2pqH2ydyrnAxjJ_ZTs59eeLe69Iy0jFuoA5d_XpSiBVdVvGKbBN13EkyH2 HNcgmruVikAcwrT6sN52QPqQIesisnHaK6MvxqVRbMuHjoY3vpvMzLsJaSrN6_XOSx3oGf DZgAOV/https%3A%2F%2Fpypi.org%2Fsimple%2Fwheel%2F%3A There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/wheel/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))) - skipping
There is no self-signed certificate in the chain, when I check it. I guess, there is a proxy somewhere which has a different certificate.
Run
$ openssl s_client -connect pypi.org:443 -showcerts
to check what certificate is presented. It should be something like:
Connecting to 2a04:4e42::223 CONNECTED(00000003) depth=2 OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign verify return:1 depth=1 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1 verify return:1 depth=0 CN=pypi.org verify return:1
Certificate chain 0 s:CN=pypi.org i:C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Feb 24 04:28:22 2025 GMT; NotAfter: Mar 28 04:28:21 2026 GMT ... 1 s:C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1 i:OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Oct 16 03:08:04 2024 GMT; NotAfter: Oct 16 00:00:00 2026 GMT ... Server certificate subject=CN=pypi.org issuer=C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2025 Q1 ...
When I added --trusted-host pypi.org that error went away but I'm still unable to install anything:
Never ever do that. Find out what is happening. Either something bad is interfering with your network traffic. Or there is a proxy and the chain is different. In the latter case, you will see lots of issue until you have configured your system correctly for the proxy in place...
But never ever simply turn off security and try to install something through broken security. It defies the whole purpose of security and certificates if you simply turn it off or try to ignore it.
-Gerald
Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://secure-web.cisco.com/18iP3uSUcjHSqrMHO0qp7xLDZfU6UEQCIjFnQjNhiuLqlvn... Archived at: https://secure-web.cisco.com/14EbakuFKJzXm1e5mfHMqLgTjYS9LSvDFEBHhhf-pvIniT6...
This message sent to henryhartley@westat.com
- Please use caution when responding and/or clicking on links as this email originated from outside of Westat.