pipenv certificate complaints when generating lock file

[K33k0]

problem

The actual download and installation of packages is working and I can import them. However I get certificate errors whenever it attempts to generate a lock file. Using basic pip works fine.

Question

• Is there anywhere I can define the proxy for pipenv?
• Is there anywhere I can define the certificate path for pipenv?

Important

Pip works find using the system configured proxy settings. However pipenv is complaining about certificates. I do have access to these certificates but no where to place them

system

Python version: 3.6.2 (32bit)
Windows Version: 7 enterprise 32bit
Behind corperate proxy: True

pip file

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
[packages]

wheel = "*"
setuptools = "*"
requests = "*"

I have tried setting verify_ssl to false & changing the url to plain http

Output

λ pipenv install requests
Installing requests…
Requirement already satisfied: requests in c:\venv\kivy-test-vayfu8jh\lib\site-packages
Requirement already satisfied: certifi>=2017.4.17 in c:\venv\kivy-test-vayfu8jh\lib\site-packages (from requests)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in c:\venv\kivy-test-vayfu8jh\lib\site-packages (from requests)
Requirement already satisfied: urllib3<1.23,>=1.21.1 in c:\venv\kivy-test-vayfu8jh\lib\site-packages (from requests)
Requirement already satisfied: idna<2.7,>=2.5 in c:\venv\kivy-test-vayfu8jh\lib\site-packages (from requests)

Adding requests to Pipfile's [packages]…
P.S. You have excellent taste!
Locking [dev-packages] dependencies…
Locking [packages] dependencies…
Traceback (most recent call last):
  File "c:\python36\lib\site-packages\urllib3\connectionpool.py", line 595, in urlopen
    self._prepare_proxy(conn)
  File "c:\python36\lib\site-packages\urllib3\connectionpool.py", line 816, in _prepare_proxy
    conn.connect()
  File "c:\python36\lib\site-packages\urllib3\connection.py", line 326, in connect
    ssl_context=context)
  File "c:\python36\lib\site-packages\urllib3\util\ssl_.py", line 329, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "c:\python36\lib\ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "c:\python36\lib\ssl.py", line 808, in __init__
    self.do_handshake()
  File "c:\python36\lib\ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "c:\python36\lib\ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "c:\python36\lib\site-packages\requests\adapters.py", line 440, in send
    timeout=timeout
  File "c:\python36\lib\site-packages\urllib3\connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "c:\python36\lib\site-packages\urllib3\util\retry.py", line 388, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='pypi.python.org', port=443): Max retries exceeded with url: /simple/requests/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Python36\Scripts\pipenv-script.py", line 11, in <module>
    load_entry_point('pipenv==7.2.6', 'console_scripts', 'pipenv')()
  File "c:\python36\lib\site-packages\pipenv\vendor\click\core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "c:\python36\lib\site-packages\pipenv\vendor\click\core.py", line 697, in main
    rv = self.invoke(ctx)
  File "c:\python36\lib\site-packages\pipenv\vendor\click\core.py", line 1066, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "c:\python36\lib\site-packages\pipenv\vendor\click\core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "c:\python36\lib\site-packages\pipenv\vendor\click\core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "c:\python36\lib\site-packages\pipenv\cli.py", line 1434, in install
    do_lock(system=system)
  File "c:\python36\lib\site-packages\pipenv\cli.py", line 897, in do_lock
    python=python_version(which('python', allow_global=system))
  File "c:\python36\lib\site-packages\pipenv\utils.py", line 112, in resolve_deps
    resolved_tree = resolver.resolve()
  File "c:\python36\lib\site-packages\piptools\resolver.py", line 107, in resolve
    has_changed, best_matches = self._resolve_one_round()
  File "c:\python36\lib\site-packages\piptools\resolver.py", line 187, in _resolve_one_round
    best_matches = set(self.get_best_match(ireq) for ireq in constraints)
  File "c:\python36\lib\site-packages\piptools\resolver.py", line 187, in <genexpr>
    best_matches = set(self.get_best_match(ireq) for ireq in constraints)
  File "c:\python36\lib\site-packages\piptools\resolver.py", line 245, in get_best_match
    best_match = self.repository.find_best_match(ireq, prereleases=self.prereleases)
  File "c:\python36\lib\site-packages\piptools\repositories\pypi.py", line 108, in find_best_match
    all_candidates = self.find_all_candidates(ireq.name)
  File "c:\python36\lib\site-packages\piptools\repositories\pypi.py", line 94, in find_all_candidates
    candidates = self.finder.find_all_candidates(req_name)
  File "c:\python36\lib\site-packages\pipenv\patched\pip\index.py", line 423, in find_all_candidates
    for page in self._get_pages(url_locations, project_name):
  File "c:\python36\lib\site-packages\pipenv\patched\pip\index.py", line 568, in _get_pages
    page = self._get_page(location)
  File "c:\python36\lib\site-packages\pipenv\patched\pip\index.py", line 683, in _get_page
    return HTMLPage.get_page(link, session=self.session)
  File "c:\python36\lib\site-packages\pipenv\patched\pip\index.py", line 792, in get_page
    "Cache-Control": "max-age=600",
  File "c:\python36\lib\site-packages\requests\sessions.py", line 521, in get
    return self.request('GET', url, **kwargs)
  File "c:\python36\lib\site-packages\requests\sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "c:\python36\lib\site-packages\requests\sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "c:\python36\lib\site-packages\requests\adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='pypi.python.org', port=443): Max retries exceeded with url: /simple/requests/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)'),))

[kennethreitz]

Same way you would with Pip.

[kennethreitz]

Which is the same way you would with Requests.

[kennethreitz]

Lookup the docs there :)

[K33k0]

I was just coming to say I sorted it, I appended my works certificate to the one within Certifi which requests use. I'll take another look at Requests docs. Thanks 😄

[edwardreed81]

I can't get pipenv lock to work with my work's certificates. If I just test requests, it seems to work:

>>> import requests
>>> requests.get('https://pypi.org')
<Response [200]>

I don't know if this will be seen, but what am I missing? Shouldn't pipenv work if requests does?

[techalchemy]

@edwardreed81 update pipenv

[edwardreed81]

@techalchemy I'm on version 11.10.1. That's the most recent, right?

[techalchemy]

@edwardreed81 please see http://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html if you’re on Mac or open a new issue

[uranusjr]

Reminds me of https://twitter.com/callmewuest/status/987917349322940416

[edwardreed81]

@techalchemy Opened a new issue at #2110

[JanBenes]

Had the same issue (OS X 10.13, Python 3.4.4, updated pip to 10.0.1), could install, but locking would fail.

Calling

>>> import requests 
>>> requests.get('https://pypi.org')

gave an error, calling

>>> import requests
>>> print(requests.get('https://www.howsmyssl.com/a/check', verify=False).json()['tls_version'])

reported TLS 1.0.

installing requests[security] solved this (locking works, first snippet says 200, second says TLS 1.2). Not behind a proxy.

[pplmx]

The same problem in Win 10(python 3.6.4)