debcrafters-packages team mailing list archive

Thread
Date

[Bug 2055450] Re: Uploading package to server with self-signed certificate on https fails despite adding cert to trust-store

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <2055450@xxxxxxxxxxxxxxxxxx>
Date: Thu, 22 May 2025 14:35:30 -0000
Reply-to: Bug 2055450 <2055450@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: dput (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to dput in Ubuntu.
https://bugs.launchpad.net/bugs/2055450

Title:
  Uploading package to server with self-signed certificate on https
  fails despite adding cert to trust-store

Status in dput package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 22.04 with dput version 1.1.0ubuntu2.1, and python3 3.10.x,
  customers using a self-signed SSL for https are getting the following:

    File "/usr/bin/dput", line 37, in <module>
      sys.exit(load_entry_point('dput==1.1.0+ubuntu2.1', 'console_scripts', 'execute-dput')())
    File "/usr/share/dput/dput/dput.py", line 1235, in main
      upload_methods[method](
    File "/usr/share/dput/dput/methods/https.py", line 18, in upload
      return http.upload(
    File "/usr/share/dput/dput/methods/http.py", line 138, in upload
      conn.endheaders()
    File "/usr/lib/python3.10/http/client.py", line 1278, in endheaders
      self._send_output(message_body, encode_chunked=encode_chunked)
    File "/usr/lib/python3.10/http/client.py", line 1038, in _send_output
      self.send(msg)
    File "/usr/lib/python3.10/http/client.py", line 976, in send
      self.connect()
    File "/usr/lib/python3.10/http/client.py", line 1455, in connect
      self.sock = self._context.wrap_socket(self.sock,
    File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
      return self.sslsocket_class._create(
    File "/usr/lib/python3.10/ssl.py", line 1100, in _create
      self.do_handshake()
    File "/usr/lib/python3.10/ssl.py", line 1371, in do_handshake
      self._sslobj.do_handshake()
  ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1007)

  This seems to be an issue in how the SSL for the https connection is
  validated. Even after adding the self-signed certificate to the trust
  store with update-ca-certificates, this is not being read by the
  python code for validation of the cert on the mirror.

  The immediate solution has been to modify the main dput file to import
  the ssl library, and tell it to not validate the certificate for the
  connection:

  import ssl
  ssl._create_default_https_context = ssl._create_unverified_context

  This is discussed further at the following link:

  https://stackoverflow.com/questions/77639570/ssl-verification-problem-
  when-uploading-a-deb-package-using-dput

  This seems like a change in python behavior given this discussion:

  https://stackoverflow.com/questions/35569042/ssl-certificate-verify-
  failed-with-python3

  I am not sure what the best path forward is, I would think that
  ideally there may be an environment variable to tell python to read
  the certificate from the standard trust-store /etc/ssl/certs/ca-
  certificates.crt, or otherwise to skip certificate validation, without
  needing to modify dput directly.

  I do not see this happening on 20.04 with python 3.8.x and dput
  1.0.3ubuntu1.1, so this seems to be a relatively recent change in
  behavior.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dput/+bug/2055450/+subscriptions