Resolving certificate problems on OSX
When trying to use the qgis-cloud-plugin on OSX, you can encounter the "certificate verify failed: unable to get local issuer certificate" error.
Before continuing with the rest of the text below, please first test if this https://github.com/qgis/QGIS-Mac-Packager/issues/32#issuecomment-671335928 fixes your problem. If it does then please report back to [email protected] to let us know.
See the chapter "Security" for information about how secure this solution is.
Launch OSX's Terminal application. You can do that by pressing the cmd and the Space key. Now type Terminal.
The Terminal application should now launch. Type the commands below one by one into the Terminal, pressing the Enter key after each.
First we need to get pip:
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
The output of the command should look similar to this:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1764k 100 1764k 0 0 7204k 0 --:--:-- --:--:-- --:--:-- 7174k
/Applications/QGIS3.4.app/Contents/Frameworks/Python.framework/Versions/Current/bin/python3 get-pip.py
The path above, /Applications/QGIS3.4.app/, will depend on the QGIS version you have downloaded. For the upcoming QGIS 3.10 release you will have to replace the above path with /Applications/QGIS3.10.app/. It also depends on where you have installed QGIS. If you have installed it in a path different from the given default path, then you will have to adapt the above path accordingly.
Executing the command should look similar to the following:
WARNING: pip is being invoked by an old script wrapper. This will fail in a future version of pip.
Please see https://github.com/pypa/pip/issues/5599 for advice on fixing the underlying issue.
To avoid this problem you can invoke Python with '-m pip' instead of running pip directly.
Defaulting to user installation because normal site-packages is not writeable
Collecting pip
Downloading pip-20.0.2-py2.py3-none-any.whl (1.4 MB)
|████████████████████████████████| 1.4 MB 2.5 MB/s
Installing collected packages: pip
WARNING: The scripts pip, pip3 and pip3.7 are installed in '/Users/john/Library/Python/3.7/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed pip-20.0.2
The path displayed above will contain your username. So instead of john you will see your own username. Please note your username and replace john everywhere below with your own username.
The certifi Python package contains a collection of certificates that Python can use.
/Users/john/Library/Python/3.7/bin/pip install certifi
The output of this command should look like this:
Defaulting to user installation because normal site-packages is not writeable
Collecting certifi
Using cached certifi-2019.11.28-py2.py3-none-any.whl (156 kB)
Installing collected packages: certifi
Successfully installed certifi-2019.11.28
sudo su
mkdir -p /usr/local/etc/openssl
chown john /usr/local/etc/openssl
Please replace john above with your own username.
curl https://raw.githubusercontent.com/qgiscloud/qgis-cloud-plugin/master/support/install_certificates_on_OSX.command -O
Execute the downloaded script:
/Applications/QGIS3.4.app/Contents/Frameworks/Python.framework/Versions/Current/bin/python3 install_certificates_on_OSX.command
The output should look like this:
Dir: /usr/local/etc/openssl
-- removing any existing file or link
-- creating symlink to certifi certificate bundle
-- setting permissions
-- update complete
It is important that the path shown in the line starting with Dir: is the same as the path you have created with mkdir before. If it's not, then you will have to adapt the commands in the corresponding installation step accordingly and re-execute them.
You should now be able to use the qgis-cloud-plugin from QGIS without errors.
If you encounter problems and you want to debug stuff yourself, then you can use this script. You launch the script like this:
/Applications/QGIS3.4.app/Contents/Frameworks/Python.framework/Versions/Current/bin/python3 test_https_request_on_OSX.py
If everything is OK, then there should be no output. If your setup has problems, then you should see an error.
certifi's SSL certificates package gets installed into /usr/local/etc, which is a system-wide directory and not one for the installing user only. So the certificates installed in that directory will have an impact on every application that has the same search path and is compiled against openssl (?), and on all users running those applications.
The certificate belongs to the user, so if the user has security issues then that will impact all applications and all users as described before.
Also, in order to keep up with the changing set of root SSL certificates, you should regularly update the certifi package.
It would be nice if the security properties of this solution could be improved upon; contributions are welcome.
The problem is that Python is not using the root certificates that come preinstalled with OSX. Python is using its own certificates. However, in the places where Python is searching for certificates there are none.
For a reason unknown to this author, Python is not using OSX' own certificates. Also, it seems like Python comes without certificates too. So first we need to get the certificates and then install them in the default openssl search path (since Python seems to be using openssl).
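The check below is an added example, not one of the qgis-cloud-plugin scripts: it asks Python which certificate file OpenSSL looks for by default, follows the symlink, and reports who is able to modify the bundle, which is the concern raised in the security notes above. The function names and the `trusted_uids` parameter are assumptions made for this example; run it with the same QGIS python3 binary used in the steps above.

```python
import os
import ssl
import stat


def audit_ca_bundle(cafile, trusted_uids=(0,)):
    """Return findings about who can alter the CA bundle Python would load."""
    if not os.path.lexists(cafile):
        return ["missing: " + cafile]
    findings = []
    target = os.path.realpath(cafile)
    if os.path.islink(cafile):
        findings.append("symlink: %s -> %s" % (cafile, target))
    if not os.path.isfile(target):
        return findings + ["dangling: " + target]
    # Whoever can write the bundle, or replace it via its directory, can add
    # a root CA that every program using this search path will then trust.
    paths = [target, os.path.dirname(target),
             os.path.dirname(os.path.abspath(cafile))]
    for path in dict.fromkeys(paths):  # de-duplicate, keep order
        st = os.stat(path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("group/world-writable: " + path)
        if st.st_uid not in trusted_uids:
            findings.append("owner uid %d not trusted: %s" % (st.st_uid, path))
    with open(target, encoding="ascii", errors="replace") as fh:
        if "-----BEGIN CERTIFICATE-----" not in fh.read():
            findings.append("no PEM certificates in: " + target)
    return findings


def default_ca_bundle():
    """Path of the certificate file OpenSSL's compiled-in default points at."""
    return ssl.get_default_verify_paths().openssl_cafile


if __name__ == "__main__":
    bundle = default_ca_bundle()
    print("OpenSSL default CA file:", bundle)
    for finding in audit_ca_bundle(bundle) or ["no findings"]:
        print(" -", finding)
```

With the setup described on this page, expect a symlink finding plus owner findings for the paths that belong to your user account rather than root.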
- pip installation instructions taken from: https://pip.pypa.io/en/stable/installing/#installing-with-get-pip-py
- certifi package: https://pypi.org/project/certifi/