#StackBounty: #python #docker #pip #ssl-certificate Pip upgrade cannot install packages

Bounty: 150

I have jumped around for some time now to solve this, and I cannot seem to get it working. I have a docker container where I set up an nvidia image for machine learning. I install all python dependencies. I then start with the pip package installations. I get the first error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/5e/c4/6c4fe722df5343c33226f0b4e0bb042e4dc13483228b4718baf286f86d87/certifi-2020.6.20-py2.py3-none-any.whl (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

Simple enough: I have a certificate to deal with Cisco Umbrella. I can then install all packages nice and easy. However, to be able to install the newest packages I need to upgrade pip, and upgrading works fine. After pip is upgraded to 20.2.3 I suddenly get an error again:

Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)) - skipping

I have then googled around and tried the suggestions I stumbled upon:

Timing

I found that the system time was wrong – it worked for the initial pip version, which was weird. However, changing the time did not help the issue.

conf

I added a pip.conf file with global tags for trusted hosts and for certifications. Still the same error persists.

pip install

I have tried with different trusted host flags and also the cert flag, which should already be specified from the conf file – if I understand it correctly. Nevertheless, neither method worked.

What to do

I am kind of at a loss right now. Installing the certificate in the container allows me to install packages with pip 9.0.1 (the system default); after upgrading to pip 20.2.3 I cannot get it to work with any package. I have tried multiple pip versions, but as soon as I upgrade I lose the certificate, even when I try to reinstall it with:

ADD Cisco_Umbrella_Root_CA.cer /usr/local/share/ca-certificates/Cisco_Umbrella_Root_CA.crt
RUN chmod 644 /usr/local/share/ca-certificates/Cisco_Umbrella_Root_CA.crt
RUN update-ca-certificates --fresh

Does anybody have an idea how this can happen?

UPDATE

Curl

 RUN curl -v -k -H"Host; files.pythonhosted.org" https://files.pythonhosted.org/packages/8a/fd/bbbc569f98f47813c50a116b539d97b3b17a86ac7a309f83b2022d26caf2/Pillow-6.2.2-cp36-cp36m-manylinux1_x86_64.whl
  ---> Running in ac095828b9ec
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying ::ffff:146.112.56.166...
 * TCP_NODELAY set
 * Connected to files.pythonhosted.org (::ffff:146.112.56.166) port 443 (#0)
 * ALPN, offering h2
 * ALPN, offering http/1.1
 * successfully set certificate verify locations:
 *   CAfile: /etc/ssl/certs/ca-certificates.crt
   CApath: /etc/ssl/certs
 } [5 bytes data]
 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
 } [512 bytes data]
 * TLSv1.3 (IN), TLS handshake, Server hello (2):
 { [85 bytes data]
 * TLSv1.2 (IN), TLS handshake, Certificate (11):
 { [3177 bytes data]
 * TLSv1.2 (IN), TLS handshake, Server finished (14):
 { [4 bytes data]
 * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
 } [262 bytes data]
 * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
 } [1 bytes data]
 * TLSv1.2 (OUT), TLS handshake, Finished (20):
 } [16 bytes data]
 * TLSv1.2 (IN), TLS handshake, Finished (20):
 { [16 bytes data]
 * SSL connection using TLSv1.2 / AES256-GCM-SHA384
 * ALPN, server did not agree to a protocol

From the last line it can be seen that they do not agree on a protocol and the communication fails.


Get this bounty!!!
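The symptom described in the post above (a root CA that satisfies the distribution's pip 9 but not pip 20 in the same container) is the textbook case of two different trust stores: the OpenSSL system bundle that `update-ca-certificates` maintains, and the certifi bundle that newer pip and requests carry along and consult by default. The script below is an added diagnostic example by the editor, not the asker's code and not pip's own; it uses only the standard library. It reports which bundle each client family would consult (`ssl.get_default_verify_paths()`, `certifi.where()`, and pip's vendored `pip._vendor.certifi.where()`, each skipped if not installed) and checks by SHA-256 fingerprint whether a given root certificate is actually present in a bundle. The PEM blobs it ships with are constructed placeholders, not real certificates, so they only exercise the parsing and fingerprint path; point `root_in_bundle` at real files for a real check.

```python
"""Which CA bundle does a Python TLS client actually consult, and is my root in it?

Added diagnostic example (not from the post, not pip's own code). Stdlib only.
The PEM blobs at the bottom are constructed placeholders, NOT real certificates:
they exercise the PEM parsing and fingerprint logic, nothing more.
"""
import base64
import hashlib
import re
import ssl
from typing import Dict, List, Optional

# One PEM certificate body; re.S lets '.' span the line breaks inside the base64.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text: str) -> List[bytes]:
    """Split a PEM bundle (e.g. /etc/ssl/certs/ca-certificates.crt) into DER blobs."""
    return [
        base64.b64decode(re.sub(r"\s+", "", body))
        for body in _PEM_CERT_RE.findall(pem_text)
    ]


def fingerprint_sha256(der: bytes) -> str:
    """Lower-case hex SHA-256 of the DER: `openssl x509 -fingerprint -sha256` without colons."""
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(pem_text: str) -> Dict[str, int]:
    """Map fingerprint -> index of that certificate inside the bundle."""
    return {fingerprint_sha256(der): i for i, der in enumerate(pem_to_der_list(pem_text))}


def root_in_bundle(root_pem: str, bundle_pem: str) -> bool:
    """True when every certificate in root_pem is present, byte for byte, in bundle_pem."""
    wanted = set(bundle_fingerprints(root_pem))
    return bool(wanted) and wanted <= set(bundle_fingerprints(bundle_pem))


def python_trust_sources() -> Dict[str, Optional[str]]:
    """Paths each client family consults; None means that client is not installed."""
    defaults = ssl.get_default_verify_paths()          # what the `ssl` module / urllib use
    sources: Dict[str, Optional[str]] = {
        "openssl_cafile": defaults.cafile,
        "openssl_capath": defaults.capath,
        "certifi": None,                                # what requests uses by default
        "pip_vendored_certifi": None,                   # what pip >= 10 uses by default
    }
    try:
        import certifi
        sources["certifi"] = certifi.where()
    except ImportError:
        pass
    try:
        from pip._vendor import certifi as pip_certifi
        sources["pip_vendored_certifi"] = pip_certifi.where()
    except ImportError:
        pass
    return sources


def context_trusting_extra_root(root_pem_path: str) -> ssl.SSLContext:
    """Verification stays on: OpenSSL's default roots plus one extra root file."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=root_pem_path)
    return ctx


def _constructed_pem(label: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour. Constructed sample, not a real certificate."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(label).decode() + "\n-----END CERTIFICATE-----\n"


CONSTRUCTED_CORP_ROOT = _constructed_pem(b"constructed: corporate TLS-inspection root (placeholder)")
CONSTRUCTED_BUNDLE_WITH_ROOT = (
    _constructed_pem(b"constructed: public root A")
    + CONSTRUCTED_CORP_ROOT
    + _constructed_pem(b"constructed: public root B")
)
CONSTRUCTED_BUNDLE_WITHOUT_ROOT = (
    _constructed_pem(b"constructed: public root A") + _constructed_pem(b"constructed: public root B")
)


if __name__ == "__main__":
    for name, path in python_trust_sources().items():
        print(f"{name:22s} {path}")
    print("root in bundle (expected True): ", root_in_bundle(CONSTRUCTED_CORP_ROOT, CONSTRUCTED_BUNDLE_WITH_ROOT))
    print("root in bundle (expected False):", root_in_bundle(CONSTRUCTED_CORP_ROOT, CONSTRUCTED_BUNDLE_WITHOUT_ROOT))
```

Once you know which bundle a client consults, the fix that keeps verification on is to point that client at the system bundle the container already maintains: `cert = /etc/ssl/certs/ca-certificates.crt` under `[global]` in pip.conf (or the `PIP_CERT` environment variable) for pip, and `REQUESTS_CA_BUNDLE` for requests-based tools. `--trusted-host` exceptions, by contrast, switch verification off for those hosts and hide the misconfiguration instead of fixing it.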

#StackBounty: #ssl-certificate #svn SVN accept expired certificate with expired root certificate

Bounty: 50

I need to push some code to a server which has woefully out of date certs. The cert expired 2000 days ago, and the root cert expired a month ago. I attempted to use the solutions posted in dozens of answers, using both --trust-server-cert and --trust-server-cert-failures options to force SVN to accept the certificate, however it was not effective. I receive the same error when attempting to authenticate with --username --password.

[Screenshot of the SVN error output; the image is not reproduced in this copy.]

Note: the authentication cache was cleared before each attempt.

Since it is a 500 error, I think there is a problem server side, in which case I’m not entirely sure which certificate the error is referring to. However I do not have access to the server (otherwise I would have just updated the cert).



#StackBounty: #ssl #ssl-certificate #soapui SoapUI: Connection has been shutdown: javax.net.SSLHandshakeException

Bounty: 50

Currently using the open source version of SoapUI 5.5.0. I am trying to run a REST Request. In Postman I am able to bypass this issue by turning off SSL verification but that does not seem possible in SoapUI.

When I try to run a request I am getting the following error:

javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

I have tried adding:

  • set JAVA_OPTS=%JAVA_OPTS% -Dsoapui.https.protocols="SSLv3,TLSv1.2" to SoapUI.bat
  • -Dsoapui.https.protocols=TLSv1.2,SSLv3 to SoapUI-X.X.X.vmoptions

Neither of these solutions works. I am not sure that the problem exists on the SoapUI side anymore.



#StackBounty: #ssl #iis #ssl-certificate TLS certificates for various domains in organisation

Bounty: 50

At our organisation we have one main domain plus a few other secondary domains, which are not subdomains of the former. Something like this:

  • Main domain: mycorp.org
  • Secondary domain: another.org
  • Secondary domain: yetanother.org

We are hosting various web sites on these domains on our own server, using Windows Server and IIS.

We would like to deploy TLS certificates for all domains. From my preliminary research, I gather that most certificate vendors offer company-wide certificates that cover any subdomain of a given one, such as *.mycorp.org, but this wouldn’t work for us as we work with totally different domains. In principle I would think that we need multiple single-domain certificates, but as I don’t have much experience with certificates, I would like some expert advice:

  1. Do we really need to get separate single-domain certificates?
  2. Can we deploy multiple certificates (one per domain) on to the same IIS server, which is hosting all the web sites?
  3. Is there any additional best practice or recommendation I should be aware of in this setting?

Many thanks.


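The core of the multi-domain question above is what a certificate's names actually cover: a wildcard such as *.mycorp.org matches exactly one label under mycorp.org and nothing else, while a multi-domain certificate simply lists every hostname in its subjectAltName extension. The script below is an added example by the editor (not from the post, not IIS or any vendor's code) that implements the hostname matching rules clients apply and uses them to list which sites a given certificate would leave uncovered. The certificate dicts are constructed samples in the shape that Python's `ssl.SSLSocket.getpeercert()` returns; the domain names are the ones from the post.

```python
"""Does a certificate cover a hostname? subjectAltName and wildcard matching rules.

Added example for the multi-domain certificate question (editor's code, not from
the post). The certificate dicts are constructed samples in the shape that
ssl.SSLSocket.getpeercert() returns; the domain names come from the post.
"""
from typing import Any, Dict, Iterable, List

CertDict = Dict[str, Any]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching as browsers and OpenSSL apply it:
    case-insensitive; a single '*' is allowed only as the entire leftmost label;
    the wildcard matches exactly one label (never zero, never several);
    a two-label pattern such as '*.org' is rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def san_dns_names(cert: CertDict) -> List[str]:
    """DNS entries of subjectAltName. Modern clients ignore the subject CN entirely."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_covered(cert: CertDict, hostname: str) -> bool:
    """True if any SAN DNS entry of the certificate matches the hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def uncovered_hosts(cert: CertDict, hostnames: Iterable[str]) -> List[str]:
    """Hosts a given certificate would NOT validate for; a planning aid before ordering."""
    return [h for h in hostnames if not hostname_covered(cert, h)]


# Constructed sample: a wildcard certificate for the main domain only.
WILDCARD_MYCORP: CertDict = {
    "subject": ((("commonName", "*.mycorp.org"),),),
    "subjectAltName": (("DNS", "*.mycorp.org"), ("DNS", "mycorp.org")),
}

# Constructed sample: one multi-domain (SAN) certificate listing every name explicitly.
SAN_ALL_DOMAINS: CertDict = {
    "subject": ((("commonName", "mycorp.org"),),),
    "subjectAltName": tuple(
        ("DNS", n) for n in (
            "mycorp.org", "www.mycorp.org",
            "another.org", "www.another.org",
            "yetanother.org", "www.yetanother.org",
        )
    ),
}

# Constructed list of sites to be served from the one IIS host.
SITES = ["www.mycorp.org", "mycorp.org", "www.another.org", "www.yetanother.org", "deep.sub.mycorp.org"]

if __name__ == "__main__":
    print("wildcard cert leaves uncovered:", uncovered_hosts(WILDCARD_MYCORP, SITES))
    print("SAN cert leaves uncovered:     ", uncovered_hosts(SAN_ALL_DOMAINS, SITES))
```

Run against the constructed samples, the wildcard certificate leaves www.another.org and www.yetanother.org uncovered (and deep.sub.mycorp.org, because a wildcard spans one label only), while the SAN certificate covers every listed site except the two-level subdomain, which would need its own entry. The two deployable shapes this illustrates are one SAN certificate carrying all names, or one certificate per site; the shape that cannot work is a single wildcard for mycorp.org standing in for the unrelated domains.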

#StackBounty: #ssl #ssl-certificate #java #openssl #jboss SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error on mutual authentication

Bounty: 50

I have configured JBoss 5 with SSLVerifyClient="require"

  1. The client contains the server's CA certs and its own certs (JDK 1.8).
  2. The server contains the client's CA certs and its own certs (JDK 1.6).

In this case both CAs are different; when we try to communicate with that server we get a tlsv1 alert decrypt error.

I have no clue what this exception is.

During curl:

Unknown SSL protocol error in connection

During OpenSSL:

SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A 
SSL_connect:error in SSLv3 flush data 
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA



#StackBounty: #glassfish #ssl-certificate Java security error when executing Glassfish 5.1 asadmin, but certificate is valid

Bounty: 100

I’m trying to deploy an Oracle ORDS 19.1 war file in Glassfish 5.1.0.

I got a deployment error, and I think I’ve found a solution.

But, when I try to run the fix, I get another error, that doesn’t make any sense to me.
Under Glassfish 5.1.0:

[oracle@secure-web-server-dvl glassfish]$ bin/asadmin set configs.config.server-config.cdi-service.enable-implicit-cdi=false
NCLS-ADMIN-00010
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Tue Apr 03 18:09:20 EDT 2018
Command set failed.

This is an SSL certificate expired error. But, my certs are not expired.

I used keytool to check validity of all certificates in cacerts.jks and keystore.jks.

Everything is valid. Can someone explain the real problem here?

Help!



#StackBounty: #ios #ssl-certificate #ios12 #ssl-client-authentication create iOS 12 NWConnection that uses client cert

Bounty: 50

I’m trying to set up an NWConnection that does client side certs:

self.connection = NWConnection(
    host: NWEndpoint.Host("servername"),
    port: NWEndpoint.Port(integerLiteral: 8899),
    using: .tls)

But I think that simple .tls class var needs to be a much more involved NWParameters object, but I’m at a complete loss (documentation is pretty sparse) as to what I create there to attach the client certs to the parameters. Nor do I know how I even move from a .crt/.pem file to something the app manages programmatically.

What is an example of how one would configure the NWParameters to support the client certs?

Context

I’m trying to set up a client connection to communicate with an MQTT broker using client side certificates. I’ve been able to proof-of-concept this all on the Linux side using the command line. The MQTT broker is set to require a client cert, and a command like:

mosquitto_pub -h servername -p 8899 -t 1234/2/Q/8 -m myMessage --cafile myChain.crt --cert client.crt --key client.pem

does the job nicely. But OpenSSL is enough of a black box (to me) on iOS that I don’t know where to go from here. I have been able to get all of the other MQTT communications to work with my NWConnection instances, including server side TLS, even when it’s self signed.

