Python 3.5 setup fails with an invalid certificate when running pip

[andy-maier]

Description:

Python 3.5 setup fails with an invalid certificate when running pip.

This started happening a few days ago. 7 days ago it still worked.

From a today's run where it failed: https://github.com/zhmcclient/zhmc-ansible-modules/actions/runs/9076784995/job/24940262974

Run actions/setup-python@v5
  with:
    python-version: 3.5
    check-latest: false
    token: ***
    update-environment: true
    allow-prereleases: false
  env:
    PIP_DISABLE_PIP_VERSION_CHECK: 1
    PIP_NO_PYTHON_VERSION_WARNING: 1
Installed versions
  Version 3.5 was not found in the local cache
  Version 3.5 is available for downloading
  Download from "https://github.com/actions/python-versions/releases/download/3.5.10-90026/python-3.5.10-linux-20.04-x64.tar.gz"
  Extract downloaded archive
  /usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/bbd73505-bdd7-43f6-9be8-ea09e3ed6949 -f /home/runner/work/_temp/20ce11ed-ebf4-4b07-b07d-6c43d465aa62
  Execute installation script
  Check if Python hostedtoolcache folder exist...
  Create Python 3.5.10 folder
  Copy Python binaries to hostedtoolcache folder
  Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
  Upgrading PIP...
  Requirement already satisfied: setuptools in /opt/hostedtoolcache/Python/3.5.10/x64/lib/python3.5/site-packages
  Requirement already satisfied: pip in /opt/hostedtoolcache/Python/3.5.10/x64/lib/python3.5/site-packages
  Collecting pip
  Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:728) - skipping
  Error: Could not find a version that satisfies the requirement pip (from versions: )
  Error: No matching distribution found for pip
  Error: The process '/usr/bin/bash' failed with exit code 1

Action version:

v5

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Tools version:

Python 3.5

Repro steps:

To reproduce, use the setup-python action with Python 3.5.

Expected behavior:

Python 3.5 should be installed as it was 1 week ago.

Actual behavior:

See description, above.

[joamag]

I'm also able to reproduce this behavior in a self-hosted environment.

[joamag]

@andy-maier I believe you can use this "temporary fix" (using PIP_TRUSTED_HOST env variable) to bump pip and avoid this error

  - uses: actions/setup-python@v5
    with:
      python-version: 3.5
    env:
      PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"

Found it here https://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi

[aparnajyothi-y]

Hello @andy-maier, Thank you for creating this issue and we will look into it :)

[dirkf]

The Python 3.4.4 Windows MSI installation is also affected and also responds to the PIP_TRUSTED_HOST work-around. This is minimally documented at https://pip.pypa.io/en/latest/cli/pip/:

--trusted-host <hostname>

    Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.

    (environment variable: PIP_TRUSTED_HOST)

Presumably pypi.org has reconfigured its servers with some new web-breaking security option so that older SSL implementations can't verify its certificate? If so the "temporary" work-around may be wrongly described.

[andy-maier]

@joamag
Hello João. Thank you very much for this workaround!!
I can confirm that it works for us.

[dirkf]

Since the point of the action is to install various versions of Python, end-of-life or not, you need to apply this workaround for the affected versions within the action itself.

[ShadowJonathan]

I agree, but adding these environment variables effectively ignores any SSL error, including MITM certificate mismatches.

I feel like a INSECURE_EOL_VERSION_OK: 1 (or similar) would be a better environment variable, explicitly acknowledging that EOL versions with security incompatibilities will be vulnerable to attacks, and that developers are okay with that (or have other security mitigations)

[priya-kinthali]

Thank you for your suggestions. Unfortunately, it's not feasible for us to incorporate the proposed changes directly into the setup-python action. For users operating with EOL Python versions, we kindly recommend implementing the proposed workaround within your respective workflows. For optimal security, please consider upgrading to a supported Python version.
@andy-maier👋, as the issue appears to have been resolved with the suggested workaround, we are proceeding with closing the issue and appreciate your understanding and cooperation:)
Please feel free to reach us out incase of any other concerns.