
How to run uv behind a corporate proxy? #1474

Closed
NiklasRosenstein opened this issue Feb 16, 2024 · 12 comments · Fixed by #1512
Labels
network Network connectivity e.g. proxies, DNS, and SSL question Asking for clarification or support

Comments

@NiklasRosenstein

Our corporate proxy inspects traffic and thus inserts its own certificate that has to be configured to trust across applications on the system. I do this by setting REQUESTS_CA_BUNDLE and SSL_CERT_FILE, etc. It seems that uv doesn't respect either of those. Is there another environment variable that it takes into account?

error: error sending request for url (https://pypi.org/simple/protobuf/): error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: invalid peer certificate: UnknownIssuer
@nevoodoo

nevoodoo commented Feb 16, 2024

Ran into the same problem here; both of those variables are not respected by uv but work fine with pip and pipenv.

EDIT: I see the discussion is already open in #1339

@kvelicka

#1339 seems like a near-duplicate, but I think it's important to distinguish "treat this host as trusted" and "verify the trustworthiness of this host, but using a user-specified certificate". For a corporate environment the latter option is much preferable, as we'd rather not compromise on security. Having said that, resolving #1339 would allow corporate users to at least try uv in earnest, so it would be some progress!

@j-baker

j-baker commented Feb 16, 2024

This might have a much simpler solution - basically, if you changed your reqwest feature flag from rustls-tls (which means rustls-tls-webpki-roots) to rustls-tls-native-roots, it'd use the operating system's truststore (which corporate certs are typically added to), as well as using SSL_CERT_FILE and other standard config mechanisms.

https://github.com/seanmonstar/reqwest/blob/master/Cargo.toml#L44
https://github.com/rustls/rustls-native-certs

@zanieb
Member

zanieb commented Feb 16, 2024

I actually made this exact change in #609 but it didn't get merged, we'll reconsider.

@c3pmark

c3pmark commented Feb 16, 2024

This would be very useful for me too. We don't have a proxy that intercepts HTTPS, but we do use an internal index with a certificate signed by our internal CA. Having to specify REQUESTS_CA_BUNDLE everywhere is a huge pain point with pip, so if the system trust store could be used that would save a ton of hassle.

BurntSushi pushed a commit that referenced this issue Feb 16, 2024
Closes #1474 

Using the `rustls-tls-native-roots` feature

> `rustls-tls`: Enables TLS functionality provided by rustls. Equivalent
> to rustls-tls-webpki-roots.
>
> `rustls-tls-webpki-roots`: Enables TLS functionality provided by
> rustls, while using root certificates from the webpki-roots crate.
>
> `rustls-tls-native-roots`: Enables TLS functionality provided by
> rustls, while using root certificates from the rustls-native-certs
> crate.

Additional context:

- seanmonstar/reqwest#1554
- encode/httpx#302
- [Should I use the native certs or
webpki-roots?](https://github.com/rustls/rustls-native-certs#should-i-use-this-or-webpki-roots)

Prior discussion at #609
@carlosjourdan

carlosjourdan commented Feb 27, 2024

I'm still facing the same issue on version 0.1.11

Corporate network with an SSL inspection firewall, custom CA on every site. The root certificate is trusted by Windows, and the environment variables REQUESTS_CA_BUNDLE and SSL_CERT_FILE are set up. Python requests work fine. Pip install as well. uv fails with the error below.

error: error sending request for url (https://pypi.org/simple/zeep/): error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: error trying to connect: invalid peer certificate: UnknownIssuer
  Caused by: invalid peer certificate: UnknownIssuer

@dorschw

dorschw commented Aug 27, 2024

In WSL, running windows-certs-2-wsl, update-ca-certificates, then

export SSL_CERT_DIR=/etc/ssl/certs
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

did the trick.

@a087861

a087861 commented Sep 6, 2024

Following as I am in a similar boat :-/

On mac with apple silicon behind proxy. Tried running uv venv -p 3.8 which resulted in an 'invalid peer certificate' error. I think this is due to the same thing that affects others in this discussion but certs aren't my forte so I may be wrong.

@zanieb
Member

zanieb commented Sep 6, 2024

@a087861 try using the --native-tls flag

@a087861

a087861 commented Sep 6, 2024

@zanieb that worked like a charm - thanks!

@Gr3at

Gr3at commented Dec 5, 2024

> @a087861 try using the --native-tls flag

Concern

This might work for Linux-based systems (including WSL), but in Windows it greatly depends on several preconditions (such as the selected shell).

How i bypassed the issue

In my case I was able to install packages using the following on Windows 10, using git-bash as my shell of choice.

export HTTPS_PROXY=<company-proxy-here>
uv add --allow-insecure-host pypi.org --allow-insecure-host files.pythonhosted.org <package_name>

Suggested Permanent Solution

IMO a great flag addition, similar to --native-tls, would be to introduce a --custom-ca-file.
This would allow one to specifically define which certs need to be utilized to make any uv requests.

Not sure how difficult this is to add.
I would like to be able to do something like the following:

export HTTPS_PROXY=<company-proxy-here>
uv add --custom-ca-file <path to company internal root ca cert or bundle of certs> <package_name>

Update

As @zanieb mentioned there is already an env variable in place to provide the desired functionality.
So now the following works like a charm

export HTTPS_PROXY=<company-proxy-here>
export SSL_CERT_FILE=<path to company internal root ca cert or bundle of certs>
uv add <package_name>

Thanks @zanieb for pointing this out.
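A pre-flight check for the SSL_CERT_FILE approach in the Update above (and for the native-roots behaviour discussed earlier in the thread, which reads the same variable). This is an added example, not code from the uv project or from anyone in this thread: it verifies that the path you intend to put in SSL_CERT_FILE is a readable PEM bundle that actually contains certificates, so a wrong path or an empty file is caught before uv reports "invalid peer certificate: UnknownIssuer". The proxy URL and the PEM bundle it writes are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example (not from the uv project or this thread): sanity-check the
# CA bundle before exporting SSL_CERT_FILE for uv.

# Count PEM certificate blocks in a file. Prints the count; returns 1 if the
# file is missing, unreadable, or contains no "-----BEGIN CERTIFICATE-----".
count_pem_certs() {
    bundle="$1"
    if [ ! -r "$bundle" ]; then
        echo 0
        return 1
    fi
    # grep -c prints 0 (and exits 1) when nothing matches; keep the 0.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Validate a candidate bundle and, on success, print the exports to use
# with uv. Returns 0 when the bundle is usable, 1 otherwise. Note that this
# keeps certificate verification on: SSL_CERT_FILE adds a trust anchor,
# unlike --allow-insecure-host, which disables verification for a host.
check_corp_ca() {
    bundle="$1"
    proxy="$2"
    n=$(count_pem_certs "$bundle") || {
        echo "bundle '$bundle' is missing, unreadable, or has no PEM certificates" >&2
        return 1
    }
    echo "# $n certificate(s) found in $bundle"
    echo "export HTTPS_PROXY=$proxy"
    echo "export SSL_CERT_FILE=$bundle"
    echo "# then: uv add <package_name>"
    return 0
}

# Write a constructed placeholder bundle (not real certificates) so the check
# can be exercised offline. Replace with your company's root/intermediate CAs.
write_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed sample: corporate root CA (placeholder body, not a real cert)
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCA
-----END CERTIFICATE-----
# constructed sample: corporate intermediate CA (placeholder body)
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCA
-----END CERTIFICATE-----
EOF
}

# Demo: a usable bundle, then a path that does not exist.
tmp=$(mktemp -d)
write_sample_bundle "$tmp/corp-ca.pem"
check_corp_ca "$tmp/corp-ca.pem" "http://proxy.example.corp:3128"
check_corp_ca "$tmp/does-not-exist.pem" "http://proxy.example.corp:3128" \
    || echo "(expected: bad path rejected before touching uv)"
rm -rf "$tmp"
```

Run it against the real bundle path instead of the sample; if it prints the two exports, paste them into the shell that will run uv. If it rejects the file, the fix is the bundle (path, permissions, or PEM vs. DER encoding), not uv.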

@zanieb
Member

zanieb commented Dec 5, 2024

You can use the standard SSL_CERT_FILE variable
