Unable to access HTTPS URLs on Windows securely #1581
Comments
jaraco
added
bug
|
I did inspect to see if the certificates were present, and they are: (that's without injecting certifi manually) So it does seem like it should have suitable certificates to avoid this error. I did find that running |
|
I have the same issue on Arch Linux. It only started when I updated to the 3.2.2-2 version of the httpie Arch package. Edit: I didn't update my packages separately, so it's possible that it was an update to $ https --debug google.com
HTTPie 3.2.2
Requests 2.32.3
Pygments 2.17.2
Python 3.12.3 (main, Apr 23 2024, 09:16:07) [GCC 13.2.1 20240417]
/usr/bin/python
Linux 6.9.1-arch1-1
<Environment {'apply_warnings_filter': <function Environment.apply_warnings_filter at 0x73a7a788e7a0>,
'args': Namespace(),
'as_silent': <function Environment.as_silent at 0x73a7a788e660>,
'colors': 256,
'config': {'default_options': []},
'config_dir': PosixPath('/home/oboro/sync/config/httpie'),
'devnull': <property object at 0x73a7a78854e0>,
'is_windows': False,
'log_error': <function Environment.log_error at 0x73a7a788e700>,
'program_name': 'https',
'quiet': 0,
'rich_console': <functools.cached_property object at 0x73a7a89905f0>,
'rich_error_console': <functools.cached_property object at 0x73a7a79964b0>,
'show_displays': True,
'stderr': <_io.TextIOWrapper name='<stderr>' mode='w' encoding='utf-8'>,
'stderr_isatty': True,
'stdin': <_io.TextIOWrapper name='<stdin>' mode='r' encoding='utf-8'>,
'stdin_encoding': 'utf-8',
'stdin_isatty': True,
'stdout': <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>,
'stdout_encoding': 'utf-8',
'stdout_isatty': True}>
<PluginManager {'adapters': [],
'auth': [<class 'httpie.plugins.builtin.BasicAuthPlugin'>,
<class 'httpie.plugins.builtin.DigestAuthPlugin'>,
<class 'httpie.plugins.builtin.BearerAuthPlugin'>],
'converters': [],
'formatters': [<class 'httpie.output.formatters.headers.HeadersFormatter'>,
<class 'httpie.output.formatters.json.JSONFormatter'>,
<class 'httpie.output.formatters.xml.XMLFormatter'>,
<class 'httpie.output.formatters.colors.ColorFormatter'>]}>
>>> requests.request(**{'auth': None,
'data': RequestJSONDataDict(),
'headers': <HTTPHeadersDict('User-Agent': b'HTTPie/3.2.2')>,
'method': 'get',
'params': <generator object MultiValueOrderedDict.items at 0x73a7a76094e0>,
'url': 'https://google.com'})
https: error: SSLError: HTTPSConnectionPool(host='google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)'))) while doing a GET request to URL: https://google.com/
Traceback (most recent call last):
File "/usr/lib/python3.12/site-packages/urllib3/connectionpool.py", line 715, in urlopen
httplib_response = self._make_request(
^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/urllib3/connectionpool.py", line 404, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.12/site-packages/urllib3/connectionpool.py", line 1058, in _validate_conn
conn.connect()
File "/usr/lib/python3.12/site-packages/urllib3/connection.py", line 419, in connect
self.sock = ssl_wrap_socket(
^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/ssl.py", line 455, in wrap_socket
return self.sslsocket_class._create(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/ssl.py", line 1042, in _create
self.do_handshake()
File "/usr/lib/python3.12/ssl.py", line 1320, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.12/site-packages/requests/adapters.py", line 667, in send
resp = conn.urlopen(
^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/urllib3/connectionpool.py", line 799, in urlopen
retries = retries.increment(
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/urllib3/util/retry.py", line 592, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/https", line 8, in <module>
sys.exit(main())
^^^^^^
File "/usr/lib/python3.12/site-packages/httpie/__main__.py", line 9, in main
exit_status = main()
^^^^^^
File "/usr/lib/python3.12/site-packages/httpie/core.py", line 162, in main
return raw_main(
^^^^^^^^^
File "/usr/lib/python3.12/site-packages/httpie/core.py", line 136, in raw_main
handle_generic_error(propagated_exc, annotation=annotation)
File "/usr/lib/python3.12/site-packages/httpie/core.py", line 100, in raw_main
exit_status = main_program(
^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/httpie/core.py", line 213, in program
for message in messages:
File "/usr/lib/python3.12/site-packages/httpie/client.py", line 113, in collect_messages
response = requests_session.send(
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/requests/sessions.py", line 703, in send
r = adapter.send(request, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/requests/adapters.py", line 698, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)'))) |
|
@michaelskyba to fix just downgrade python-requests package This fix works with the latest httpie version. |
|
Hello, Had the same issue & I mange to fix it by following this PS D:\Nabil> https pie.dev/
https: error: SSLError: HTTPSConnectionPool(host='pie.dev', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)'))) while doing a GET request to URL: https://pie.dev/
PS D:\Nabil> pip install pip_system_certs
Collecting pip_system_certs
Downloading pip_system_certs-4.0-py2.py3-none-any.whl.metadata (1.6 kB)
Collecting wrapt>=1.10.4 (from pip_system_certs)
Downloading wrapt-1.16.0-cp312-cp312-win_amd64.whl.metadata (6.8 kB)
Downloading pip_system_certs-4.0-py2.py3-none-any.whl (6.1 kB)
Downloading wrapt-1.16.0-cp312-cp312-win_amd64.whl (37 kB)
Installing collected packages: wrapt, pip_system_certs
Successfully installed pip_system_certs-4.0 wrapt-1.16.0
PS D:\Nabil> https pie.dev/
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
CF-Cache-Status: DYNAMIC
CF-RAY: 891d70975a850350-CDG
Connection: keep-alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Tue, 11 Jun 2024 00:21:13 GMT
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TdxupDfRqex0HBSyXvHePa5NNNf1BfKIpG%2Fbia9DlV0riq%2FnWks5UVEaRyHRk4gBdQGc61La1SvGCD4osRYZ89XHn5jC4SfhY8O0d%2FBYiN%2BTYdvMqye%2FbitwQxh2fG62gBlgQU4%2F"}],"group":"cf-nel","max_age":604800}
Server: cloudflare
Transfer-Encoding: chunked
alt-svc: h3=":443"; ma=86400
<!DOCTYPE html>
<html lang="en">
<head> |
|
On arch, doing this fixed it: pipx install httpie
pipx inject httpie pip-system-certs |
This comment was marked as spam.
This comment was marked as spam.
|
If it's an issue with requests, has it been reported to requests? Is the breakage by design? Are they tracking the issue? I found psf/requests#6730, but it mentions 2.32.3 explicitly and suggests 2.32.2 does not have the issue. Indeed, I confirmed that |
According to seleniumbase/SeleniumBase#2838, 2.32.2 has another important issue (psf/requests#6715), which is why I think going all the way down to 2.31 is necessary. I'm not sure whether it has an impact on httpie, though. |
2 tasks
This comment was marked as spam.
This comment was marked as spam.
|
✅ Fixed in v3.2.3 |
|
I am still getting this error with version |
AFAICT Arch's httpie 3.2.3 doesn't involve any corresponding downgrade to the python-requests package, since the official packaging model doesn't support such partial updates, so it will still be broken unless downgraded manually |
|
@michaelskyba Thanks! I was not aware that Arch does not support this. I have downgraded manually to |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Checklist
Minimal reproduction code and steps
pipx install httpiehttps google.comCurrent result
Expected result
The resource should be loaded (ideally securely). It should be easy to use. Error messages should be informative and give the user direction on how to remedy the problem. Install docs should provide guidance on how to remedy the situation.
Debug output
Please re-run the command with
--debug, then copy the entire command & output and paste both below:Additional information, screenshots, or code examples
In #792, another user had this issue and the recommendation was to bypass the security checks. If that's the recommended approach, and httpie want's to be a human-friendly CLI, it should just fall back to an insecure connection. Even better would be to provide the kinds of friendly experiences like Firefox or Edge provide and enable proper certificate validation of trusted roots.
I did try installing certifi, hoping that would improve the situation (
pipx inject httpie certifi) but that did not help.I did also try installing httpie using the recommended chocolatey installer, but that failed due to #1580.
The text was updated successfully, but these errors were encountered: