PIP under Debian wheezy don't work with "HTTP Error 403: SSL is required" #4817

Closed
andyzasl opened this issue Oct 27, 2017 · 15 comments
Labels
auto-locked Outdated issues that have been locked by automation type: support User Support

Comments

@andyzasl

  • Pip version: 1.1-3
  • Python version: 2.7.3-4 deb7u1
  • Operating system: Debian Wheezy

Description:

Tried with clean wheezy env (cmd down).
Any pip command now fails. :(

Is there any known workaround?

What I've run:

pip install --upgrade pip
Cannot fetch index base URL http://pypi.python.org/simple/
Could not find any downloads that satisfy the requirement pip in /usr/lib/python2.7/dist-packages
No distributions at all found for pip in /usr/lib/python2.7/dist-packages
Storing complete log in /root/.pip/pip.log

pip.log:

/usr/bin/pip run on Fri Oct 27 07:28:51 2017
Getting page http://pypi.python.org/simple/pip
Could not fetch URL http://pypi.python.org/simple/pip: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/pip when looking for download links for pip in /usr/lib/python2.7/dist-packages
Getting page http://pypi.python.org/simple/
Could not fetch URL http://pypi.python.org/simple/: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/ when looking for download links for pip in /usr/lib/python2.7/dist-packages
Cannot fetch index base URL http://pypi.python.org/simple/

URLs to search for versions for pip in /usr/lib/python2.7/dist-packages:
* http://pypi.python.org/simple/pip/
Getting page http://pypi.python.org/simple/pip/
Could not fetch URL http://pypi.python.org/simple/pip/: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/pip/ when looking for download links for pip in /usr/lib/python2.7/dist-packages
Could not find any downloads that satisfy the requirement pip in /usr/lib/python2.7/dist-packages

No distributions at all found for pip in /usr/lib/python2.7/dist-packages

Exception information:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 104, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 245, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/lib/python2.7/dist-packages/pip/req.py", line 920, in prepare_files
    req_to_install, self.upgrade)
  File "/usr/lib/python2.7/dist-packages/pip/index.py", line 157, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for pip in /usr/lib/python2.7/dist-packages


@pfmoore
Member

pfmoore commented Oct 27, 2017

That version of pip is ancient. You should upgrade to the latest version. If it's the pip supplied with your OS, use your OS tools to get a newer version of pip. If your OS vendor doesn't provide a newer version, then you can use get-pip.py (see the documentation for details). You should also ask your OS vendor why they are not providing a more up to date version of pip...

@andyzasl
Author

It's really weird, because Wheezy end-of-life is planned for May 2018.

@ltworf

ltworf commented Oct 27, 2017

It's old, the current Debian stable is 9, and you have 7. That one is still supported, but I presume only for bad security issues.

Newer Debian stable releases have a backports repo, where you can find some newer software compiled with the older libraries.

@andyzasl
Author

Unfortunately, I have this version deployed in prod, so I can't upgrade ASAP.
Yep, this is an old version, but why block non-SSL access to the repo?

@pfmoore
Member

pfmoore commented Oct 27, 2017

It's the final stage of a security fix that we've been implementing for a while now. HTTP access to PyPI is inherently insecure. For a long time we've been telling people to change, and we've been redirecting HTTP access to HTTPS as a stopgap to help people who need time to make that change (there are still security risks with redirection, which is why it's not an acceptable permanent solution). We've now finally switched off the redirects, because people have had plenty of time. Unfortunately, we know there are some people who haven't made the change, relying on the redirects, but there's not much we can do about that. IMO, Debian should either have provided an upgrade path to newer versions of pip some time ago, or if they decided they didn't want to introduce the new functionality that would include, then they should have patched their version of the code to use HTTPS, and maintained that as a local security fix.

@pfmoore
Member

pfmoore commented Oct 27, 2017

You could download needed files locally, store them on the server and use --find-links as a workaround. Or use a local PyPI mirror, using something like devpi. Neither option is ideal, I appreciate, but they may help you get around your immediate issues while you look for a better long-term solution.

@andyzasl
Author

Thanks for detailed answer.

@pradyunsg pradyunsg added the type: support User Support label Oct 27, 2017
@dstufft
Member

dstufft commented Oct 27, 2017

To be clear here, the security implication is that anyone in a position to MITM your connection to PyPI can execute arbitrary Python code on the machine that you're running pip install ... on. Obviously this is incredibly dangerous because it means that anyone with a privileged position on the network effectively has root on all of your machine, which is pretty much one of the worst case scenarios security wise.

You can work around this by simply updating pip to use the HTTPS URL, such as pip install -i https://pypi.python.org/simple/ ... but I recommend against only doing that, because unless you're using a version of pip >= 1.3, then even using HTTPS won't protect you from the above attack because it doesn't properly validate the HTTPS connection. It is a shame that Debian never provided a security update to python-pip in their repositories, but since they did not, your best options are going to be to find a way to get an updated version of pip and use that instead.

I'm going to go ahead and close this, since there's nothing actionable here for us to do.

@dstufft dstufft closed this as completed Oct 27, 2017
AlexanderS added a commit to AlexanderS/bcfg2 that referenced this issue Nov 3, 2017
The older python versions only ship with an old version of pip. Since some days
SSL is required for downloading from pypi. We have to specify this explicitly
because the older pip version only try http by default.
(pypa/pip#4817)
@chusiang

chusiang commented Nov 5, 2017

Thanks to @dstufft,

I can set up Ansible 2.4.1 on Debian 7 now.

chusiang/ansible-jupyter.dockerfile@51e7a68

chusiang referenced this issue in chusiang/ansible-jupyter.dockerfile Nov 5, 2017
chongyic added a commit to intel/iotg-yocto-bsp-public that referenced this issue Nov 7, 2017
Fix is taken from
https://github.com/solettaproject/meta-soletta with commit-id
bc7c4c09c80ec3da41cab38badfe2e1ef0ae6669.

SRC_URI now defaults to use SSL as the redirection of http to https
is now officially disabled as a result of security fix from PyPI
developer.

The link to the issue:
pypa/pip#4817

Signed-off-by: Chong Yi Chai <[email protected]>
@shigemk2

Got the same error when installing ansible with pip.

  • Ubuntu 17.10
  • Python 3.6.2(pyenv)
  • pip 9.0.1
$ pip install -v ansible
Collecting ansible
  1 location(s) to search for versions of ansible:
  * http://pypi.python.org/simple/ansible/
  Getting page http://pypi.python.org/simple/ansible/
  Starting new HTTP connection (1): pypi.python.org
  "GET /simple/ansible/ HTTP/1.1" 403 16
  Could not fetch URL http://pypi.python.org/simple/ansible/: 403 Client Error: SSL is required for url: http://pypi.python.org/simple/ansible/ - skipping
  Could not find a version that satisfies the requirement ansible (from versions: )
Cleaning up...
No matching distribution found for ansible
Exception information:
Traceback (most recent call last):
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/commands/install.py", line 324, in run
    requirement_set.prepare_files(finder)
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_set.py", line 380, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_set.py", line 554, in _prepare_file
    require_hashes
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_install.py", line 278, in populate_link
    self.link = finder.find_requirement(self, upgrade)
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/index.py", line 514, in find_requirement
    'No matching distribution found for %s' % req
pip.exceptions.DistributionNotFound: No matching distribution found for ansible

@alex
Member

alex commented Nov 19, 2017

Check your pip's configuration: https://pip.pypa.io/en/stable/user_guide/#configuration and see if you've overridden the index pip uses.

@shigemk2

Sorry for bothering you.

Got it.
pip install -v ansible -i https://pypi.python.org/simple/

Or pip.conf

[global]
timeout = 60
index-url = https://pypi.python.org/simple

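The check suggested above (has the index been overridden, and does it still point at plain HTTP?), as an added example that is not part of the original thread or pip's own code. The sample config and its host names are constructed; the version test encodes only what the thread states about pip older than 1.3.

```python
import configparser
from urllib.parse import urlsplit

# pip options that name a package source; each also has a PIP_* env variable.
URL_OPTIONS = ("index-url", "extra-index-url", "find-links")

# Constructed sample config (hosts are made up for this example).
SAMPLE_CONF = """
[global]
timeout = 60
index-url = http://pypi.python.org/simple

[install]
find-links =
    /srv/wheels
    http://mirror.example.internal/packages
"""

def _plain_http(value):
    # These options accept several whitespace-separated values.
    return [u for u in value.split() if urlsplit(u).scheme == "http"]

def insecure_sources(conf_text, env=None):
    """Return (origin, option, url) for each package source fetched over plain HTTP."""
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        for option in URL_OPTIONS:
            if parser.has_option(section, option):
                for url in _plain_http(parser.get(section, option)):
                    findings.append(("[%s]" % section, option, url))
    for option in URL_OPTIONS:
        name = "PIP_" + option.upper().replace("-", "_")
        for url in _plain_http((env or {}).get(name, "")):
            findings.append(("env", name, url))
    return findings

def pip_validates_https(version):
    """False for pip older than 1.3, which the thread says does not validate HTTPS."""
    upstream = version.split("-")[0]  # drop a Debian revision such as "-3"
    return tuple(int(p) for p in upstream.split(".")[:2]) >= (1, 3)

if __name__ == "__main__":
    for origin, option, url in insecure_sources(SAMPLE_CONF):
        print("%s %s uses plain HTTP: %s" % (origin, option, url))
    print("pip 1.1-3 validates HTTPS:", pip_validates_https("1.1-3"))
```
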
@jezmck

jezmck commented Nov 20, 2017

I had the same issue, and was also accused of changing settings.

If anyone wants a dodgy copy-pasta from someone who doesn't know what they're talking about, please use this: sudo pip install --upgrade -v pip -i https://pypi.python.org/simple/ followed by a reboot. I needed to create the config file too. See https://pip.pypa.io/en/stable/user_guide/#config-file for where.

Creating a config file doesn't stop me getting the same error.

------------------------------------------------------------
/usr/bin/pip-3.2 run on Mon Nov 20 22:00:28 2017
Downloading/unpacking sn3218

  Getting page http://pypi.python.org/simple/sn3218
  Could not fetch URL http://pypi.python.org/simple/sn3218: HTTP Error 403: SSL is required
  Will skip URL http://pypi.python.org/simple/sn3218 when looking for download links for sn3218
  Getting page http://pypi.python.org/simple/
  Could not fetch URL http://pypi.python.org/simple/: HTTP Error 403: SSL is required
  Will skip URL http://pypi.python.org/simple/ when looking for download links for sn3218
  Cannot fetch index base URL http://pypi.python.org/simple/

  URLs to search for versions for sn3218:
  * http://pypi.python.org/simple/sn3218/
  Getting page http://pypi.python.org/simple/sn3218/
  Could not fetch URL http://pypi.python.org/simple/sn3218/: HTTP Error 403: SSL is required
  Will skip URL http://pypi.python.org/simple/sn3218/ when looking for download links for sn3218
  Could not find any downloads that satisfy the requirement sn3218

No distributions at all found for sn3218

Exception information:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pip/basecommand.py", line 104, in main
    status = self.run(options, args)
  File "/usr/lib/python3/dist-packages/pip/commands/install.py", line 245, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/lib/python3/dist-packages/pip/req.py", line 978, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/usr/lib/python3/dist-packages/pip/index.py", line 157, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
pip.exceptions.DistributionNotFound: No distributions at all found for sn3218

@pageauc

pageauc commented May 7, 2018

You can manually update pip on wheezy per https://pip.pypa.io/en/stable/installing/#installing-with-get-pip-py

cd ~
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
sudo python get-pip.py
rm get-pip.py

I needed to install python-dateutil for my PI-TIMOLO project and it was failing on wheezy due to an SSL problem. I was able to update pip to the latest version on my Raspberry Pi running Raspbian Wheezy per the commands above. Now pip does the installs OK without SSL failure.
Claude ...

@lock

lock bot commented Jun 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the auto-locked Outdated issues that have been locked by automation label Jun 2, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jun 2, 2019