SSLError while uploading to Nexus repository

[vidyadharms]

Hi,

We have setup in-house Nexus repository for custom python packages and using below command, we were able to upload the package to it before SSL implementation on Nexus Server.

twine upload --repository-url http://nexus.mycompany.com:8081/repository/poc-project_python-packaging/ dist/*

After enabling SSL on the Nexus server, the package upload failed with SSLError, hence tried using below command with .pem file given by our Admin team.

twine upload --repository-url https://nexus.mycompany.com:8444/repository/poc-project_python-packaging/ dist/ --cert /usr/local/vsatyp/certificate.pem*

However package upload fails and gives error as below:

_Uploading distributions to https://nexus.mycompany.com:8444/repository/poc-project_python-packaging/
Uploading modelOperationalization-1.0-py2.py3-none-any.whl
0%| | 0.00/7.69k [00:00<?, ?B/s]
SSLError: HTTPSConnectionPool(host='nexus.mycompany.com', port=8444): Max retries exceeded with url: /repository/poc-project_python-packaging/ (Caused by SSLError(SSLError(0, 'unknown error (ssl.c:3566)'),))

I tried searching lot but not able to get the detailed error. Can anyone please look into it urgently and suggest a solution?

Is it possible to disable the certificate verification in Twine?

Thanks in advance.

[di]

@vidyadharms It seems like your server's TLS configuration is at fault. What do you get when you just try to connect to it with something like openssl s_client -connect nexus.mycompany.com:8444?

[sigmavirus24]

It is not possible to disable certificate verification in Twine. The point of twine is to be a tool that properly handles certificate verification. Allowing folks to turn it off seems antithetical to the point.

[brainwane]

@vidyadharms Here's my suggestion:

1. For the moment, right now, while you're waiting for your security team to give you a certificate that works :) , use an approach other than Twine to upload your packages to Nexus. I believe python setup.py upload with setuptools might work for you.
2. Get a certificate and a server TLS configuration that work, using @di's question as a starting point, and feel free to tell your security colleagues and Nexus administrator and vendor that a mean open source maintainer (me) is the one making you do this, because we won't let you turn off certificate verification in Twine. :)

[brainwane]

@vidyadharms I'm going to close this issue because I'm fairly confident that the problem here lies with your internal setup. I may be wrong; you can reopen it and @-mention me.

Twine is a volunteer-run project; if you are in a company that uses Twine, I suggest you consider making a corporate donation to the Packaging Working Group of the Python Software Foundation, which will help support maintenance and improvements for Python packaging tools.

[vidyadharms]

@di What do you get when you just try to connect to it with something like openssl s_client -connect nexus.mycompany.com:8444?

[vids@l5123t ~]$ openssl s_client -connect nexus.mycompany.com:8444
CONNECTED(00000003)
depth=2 C = SE, O = mycompany (publ), OU = MYCOMPANY CV AB (publ), OU = MYCOMPANY IT AB, CN = MYCOMPANY-ROOT-CA-02
verify return:1
depth=1 C = SE, O = mycompany (publ), OU = MYCOMPANY CV AB (publ), OU = MYCOMPANY IT AB, CN = MYCOMPANY-ISSUING-CA-02
verify return:1
depth=0 CN = *.MYCOMPANY.com
verify return:1

Certificate chain
0 s:/CN=*.MYCOMPANY.com
i:/C=SE/O=mycompany (publ)/OU=MYCOMPANY CV AB (publ)/OU=MYCOMPANY IT AB/CN=MYCOMPANY-ISSUING-CA-02

Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
subject=/CN=*.MYCOMPANY.com
issuer=/C=SE/O=mycompany (publ)/OU=MYCOMPANY CV AB (publ)/OU=MYCOMPANY IT AB/CN=MYCOMPANY-ISSUING-CA-02

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 2619 bytes and written 467 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-SHA256
Session-ID: 5AB209A8A787F0773DA1619FE626BA3C1AE3CCA5AFB4D55ACD9836B1EAA51C7B
Session-ID-ctx:
Master-Key: EA3B1FCBEC2F61F1754FDCC4DCE09EEC5567EEDF65E9071CA9EFC15989BE459B0D6540B1C8F9E23ED7
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1521617320
Timeout : 300 (sec)
Verify return code: 0 (ok)

closed

I think it shows TLSv1.2 as protocol...Can you suggest any fault looking at above output? Thanks in advance.

[di]

@vidyadharms Here is the problem:

Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

The server needs to send a valid certificate.

[foxlollato]

Hello guys.
Every lib that uses URLLIB3 as the base can have cert verification skipped by injecting a var with cert path, or empty.
CURL_CA_BUNDLE="path/to/pem" python -m module ... ...
OR
CURL_CA_BUNDLE="" python -m module ... ...
The second just warn about cert and runs perfectly
In this case:
CURL_CA_BUNDLE="" python -m twine upload --repository-url http://nexus.mycompany.com:8081/repository/poc-project_python-packaging/ dist/*