Newbie problem, SSL related

[Fr3d-P]

Hi, my question must be very easy, it appears when trying to folow the tutorial here
https://docs.beeware.org/en/latest/tutorial/tutorial-1.html
but all that I tried didn't work. I'm surprised the question wasn't already asked

I'm on windows 10, I followed the tutorial until trying puip install briefcase
There, I had a lot of errors due to SSL
Could not fetch URL https://pypi.org/simple/briefcase/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443):

I didn't succeed installing someting in python to enable SSL correctly, so I went over with
pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org briefcase

It worked, and I moved forward, but the problem reapears when launching
briefcase dev
It seems that briefcase-dev silently launch pip install, so I'm stuck again

How can I install (easy way) something to content pipi with SSL?

[freakboy3742]

This is definitely an odd one - I can't say I've seen it before. You're correct that Briefcase internally invokes pip; but it should be using SSL by default. pip has required SSL connections for several years, so this isn't a recent change.

Does pip by itself work from the command line? i.e., can you manually install httpx into your virtual environment with pip install httpx? Or do you need to pass in the extra --trusted-host arguments? If that fails, then it also explains why Briefcase is having problems - it points at something being wrong with your Python install (or possibly the root certificates on your machine).

One thing to check - what version of pip are you running? If you've got a really old version of pip, that might be causing problems; upgrading (pip install -U pip) may improve things.

[Fr3d-P]

Thanks for your answer.

I can't install anything with pip without the --trusted-host argument.
My pip version was 21.3.1, I upgraded to 3.10.4 with no luck
My Python version was 3.10 I upgraded to 3.10.4, but nothing worked better

If I try pip instal httpx I've got
5 lines of
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)'))': /simple/httpx/
then
Could not fetch URL https://pypi.org/simple/httpx/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/httpx/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:997)'))) - skipping ERROR: Could not find a version that satisfies the requirement httpx (from versions: none) ERROR: No matching distribution found for httpx

[Fr3d-P]

I resolved my problem with this workaround
created a pip folder in C:\ProgramData
Created a pip.ini document in the pip folder with this

[global]
trusted-host = pypi.python.org
               pypi.org
               files.pythonhosted.org

[freakboy3742]

To be very clear - --trusted-host is a "just make it work" workaround, not a good resolution to the problem.

The "trusted-host" option essentially means "ignore any SSL signatures on HTTPS". It means any connection to PyPI is susceptible to a MITM attack, because your connection will not be doing any validation that the data is coming from a trusted source.

If pip is not working from the command line, and you're using the version of pip provided withPython 3.10.4, that suggests there is something fundamentally weird going on - my guess is that your machine is missing some root SSL certificates.

If you want to try and diagnose, this StackOverflow post has a procedure you can follow. Unfortunately, the vast majority of the answers on that page suggest the same "--trusted-host" option you've used.

[t-arn]

Are you behind a reverse proxy?