qgis-deployment-cli

SSL error, but custom certificate set

Open Dallery opened this issue 8 months ago • 5 comments

Hi,

I would like to know if my SSL error is from my system configuration or if it's a bug in the application, because I set a custom SSL certificate, the log tells me it detected it: Certificate authority (CA) bundle to use: D:\9_qgis_profiles\gitlab-in-villeneuvedascq-fr.pem, but the error says [X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found. I can git push, git clone, etc. to my gitlab, so it's just a trouble with this app. I tried this command too, but same error: $env:QDT_SSL_USE_SYSTEM_STORES='true'; qdt -vvv. So, I don't understand what happens, so I'm thinking you can help me. Here is the complete log, thanks in advance:

$env:REQUESTS_CA_BUNDLE="D:\9_qgis_profiles\gitlab-in-villeneuvedascq-fr.pem"; qdt -vvv
2025-04-09 10:38:42||INFO||journalizer||configure_logger||110||Log file: C:\Users\ddallery\.cache\qgis-deployment-toolbelt\logs\QGISDeploymentToolbelt_0.36.3.log
2025-04-09 10:38:42||INFO||journalizer||headers||118||========== QGIS Deployment Toolbelt - 0.36.3 ==========
2025-04-09 10:38:42||DEBUG||journalizer||headers||119||Operating System: Windows-10-10.0.19045-SP0
2025-04-09 10:38:42||DEBUG||journalizer||headers||124||Architecture: 64bit
2025-04-09 10:38:42||DEBUG||journalizer||headers||125||Computer: XXX
2025-04-09 10:38:42||DEBUG||journalizer||headers||126||Launched by user: ddallery
2025-04-09 10:38:42||DEBUG||journalizer||headers||129||OS Domain: XXX
2025-04-09 10:38:42||DEBUG||connectionpool||_new_conn||241||Starting new HTTP connection (1): XXX:80
2025-04-09 10:38:42||DEBUG||connectionpool||_new_conn||241||Starting new HTTP connection (1): XXX:80
2025-04-09 10:38:48||DEBUG||proxies||get_proxy_settings||102||No proxy settings found in environment vars nor OS settings nor PAC File.
2025-04-09 10:38:48||DEBUG||journalizer||headers||136||No network proxies detected
2025-04-09 10:38:48||DEBUG||journalizer||headers||139||Installed certificate authority (CA) bundle: D:\9_qgis_profiles\.venv\Lib\site-packages\certifi\cacert.pem
2025-04-09 10:38:48||DEBUG||journalizer||headers||140||Default certificate authority (CA) bundle: D:\9_qgis_profiles\.venv\Lib\site-packages\certifi\cacert.pem
2025-04-09 10:38:48||DEBUG||journalizer||headers||141||Certificate authority (CA) bundle to use: D:\9_qgis_profiles\gitlab-in-villeneuvedascq-fr.pem
2025-04-09 10:38:48||DEBUG||str2bool||str2bool||56||Value False was already a bool.
2025-04-09 10:38:48||DEBUG||cli||main||211||Log level set: Level 4
2025-04-09 10:38:48||DEBUG||deployment||run||122||Running deploy with Namespace(opt_logfile_disabled=True, verbosity=4, proxy_http=None, command='deploy', scenario_filepath=WindowsPath('scenario.qdt.yml'), func=<function run at 0x00000155B0307880>)
2025-04-09 10:38:48||INFO||deployment||run||169||Running scenario: Scenario de deploiement des profils
2025-04-09 10:38:48||DEBUG||deployment||run||179||Setting environment variable QDT_SCENARIO_VALIDATION = True.
2025-04-09 10:38:48||DEBUG||constants||get_qdt_working_directory||134||QDT working folder - Using default path: C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:48||INFO||deployment||run||200||QDT working folder: C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:48||DEBUG||orchestrator||__init__||73||3 environment variables related to QDT:
2025-04-09 10:38:48||DEBUG||orchestrator||__init__||75||QDT_SCENARIO_VALIDATION=True
2025-04-09 10:38:48||DEBUG||orchestrator||__init__||75||QDT_LOCAL_QDT_WORKDIR=C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:48||DEBUG||orchestrator||__init__||75||QDT_TMP_RUNNING_SCENARIO_ID=scenario-affaires-scolaires
2025-04-09 10:38:48||DEBUG||deployment||run||209||Filtering valid steps in scenario...
2025-04-09 10:38:48||INFO||deployment||run||219||Running step: manage-env-vars
2025-04-09 10:38:48||DEBUG||constants||from_opersys||255||Getting configuration for current operating system: win32
2025-04-09 10:38:48||DEBUG||constants||get_qdt_working_directory||134||QDT working folder - Using default path: C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:48||DEBUG||generic_job||__init__||68||QDT working folder: C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:48||DEBUG||generic_job||__init__||83||Installed QGIS profiles folder: C:\Users\ddallery\AppData\Roaming\QGIS\QGIS3\profiles
2025-04-09 10:38:49||DEBUG||job_environment_variables||run||155||Job manage-env-vars ran successfully.
2025-04-09 10:38:49||INFO||deployment||run||219||Running step: qgis-installation-finder
2025-04-09 10:38:49||DEBUG||constants||from_opersys||255||Getting configuration for current operating system: win32
2025-04-09 10:38:49||DEBUG||constants||get_qdt_working_directory||134||QDT working folder - Using default path: C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:49||DEBUG||generic_job||__init__||68||QDT working folder: C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:49||DEBUG||generic_job||__init__||83||Installed QGIS profiles folder: C:\Users\ddallery\AppData\Roaming\QGIS\QGIS3\profiles
2025-04-09 10:38:49||DEBUG||job_qgis_installation_finder||run_needed||135||'QDT_QGIS_EXE_PATH' is not defined. Searching for QGIS executable is necessary.
2025-04-09 10:38:49||DEBUG||job_qgis_installation_finder||_get_qgis_versions_in_dir||240||Searching for QGIS binary in C:\OSGeo4W with pattern ['qgis-bin.exe', 'qgis-ltr-bin.exe']
2025-04-09 10:38:49||DEBUG||job_qgis_installation_finder||_get_qgis_versions_in_dir||240||Searching for QGIS binary in C:\Program Files\QGIS 3.40.4 with pattern ['qgis-bin.exe', 'qgis-ltr-bin.exe']
2025-04-09 10:38:51||DEBUG||job_qgis_installation_finder||_search_qgis_version_and_add_to_dict||328||QGIS version 3.40.4 found : C:\Program Files\QGIS 3.40.4\bin\qgis-ltr-bin.exe
2025-04-09 10:38:51||DEBUG||job_qgis_installation_finder||get_installed_qgis_path||156||Found installed QGIS: {'3.40.4': 'C:\\Program Files\\QGIS 3.40.4\\bin\\qgis-ltr-bin.exe'}
2025-04-09 10:38:51||DEBUG||job_qgis_installation_finder||run||103||qgis-installation-finder : QDT_QGIS_EXE_PATH is now C:\Program Files\QGIS 3.40.4\bin\qgis-ltr-bin.exe
2025-04-09 10:38:51||DEBUG||job_qgis_installation_finder||run||112||Job qgis-installation-finder ran successfully.
2025-04-09 10:38:51||INFO||deployment||run||219||Running step: qprofiles-downloader
2025-04-09 10:38:51||DEBUG||constants||from_opersys||255||Getting configuration for current operating system: win32
2025-04-09 10:38:51||DEBUG||constants||get_qdt_working_directory||134||QDT working folder - Using default path: C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:51||DEBUG||generic_job||__init__||68||QDT working folder: C:\Users\ddallery\.cache\qgis-deployment-toolbelt
2025-04-09 10:38:51||DEBUG||generic_job||__init__||83||Installed QGIS profiles folder: C:\Users\ddallery\AppData\Roaming\QGIS\QGIS3\profiles
2025-04-09 10:38:51||DEBUG||job_profiles_downloader||__init__||78||Local repositories folder: C:\Users\ddallery\.cache\qgis-deployment-toolbelt\repositories\scenario-affaires-scolaires
2025-04-09 10:38:51||INFO||profiles_handler_base||is_valid_git_repository||122||Using source repository set at object's level: https://gitlab.in.villeneuvedascq.fr/qgis-public/profils-qgis.git
2025-04-09 10:38:51||DEBUG||profiles_handler_base||is_valid_git_repository||157||https://gitlab.in.villeneuvedascq.fr/qgis-public/profils-qgis.git is a valid git_remote repository.
2025-04-09 10:38:51||DEBUG||profiles_handler_base||is_valid_git_repository||157||https://gitlab.in.villeneuvedascq.fr/qgis-public/profils-qgis.git is a valid git_remote repository.
2025-04-09 10:38:51||DEBUG||profiles_handler_base||is_valid_git_repository||157||https://gitlab.in.villeneuvedascq.fr/qgis-public/profils-qgis.git is a valid git_remote repository.
2025-04-09 10:38:51||DEBUG||connectionpool||_new_conn||1049||Starting new HTTPS connection (1): gitlab.in.villeneuvedascq.fr:443
2025-04-09 10:38:51||DEBUG||retry||increment||521||Incremented Retry for (url='/qgis-public/profils-qgis.git/info/refs?service=git-upload-pack'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
2025-04-09 10:38:51||WARNING||connectionpool||urlopen||868||Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)'))': /qgis-public/profils-qgis.git/info/refs?service=git-upload-pack
2025-04-09 10:38:51||DEBUG||connectionpool||_new_conn||1049||Starting new HTTPS connection (2): gitlab.in.villeneuvedascq.fr:443
2025-04-09 10:38:51||DEBUG||retry||increment||521||Incremented Retry for (url='/qgis-public/profils-qgis.git/info/refs?service=git-upload-pack'): Retry(total=1, connect=None, read=None, redirect=None, status=None)
2025-04-09 10:38:51||WARNING||connectionpool||urlopen||868||Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)'))': /qgis-public/profils-qgis.git/info/refs?service=git-upload-pack
2025-04-09 10:38:51||DEBUG||connectionpool||_new_conn||1049||Starting new HTTPS connection (3): gitlab.in.villeneuvedascq.fr:443
2025-04-09 10:38:51||DEBUG||retry||increment||521||Incremented Retry for (url='/qgis-public/profils-qgis.git/info/refs?service=git-upload-pack'): Retry(total=0, connect=None, read=None, redirect=None, status=None)
2025-04-09 10:38:51||WARNING||connectionpool||urlopen||868||Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)'))': /qgis-public/profils-qgis.git/info/refs?service=git-upload-pack
2025-04-09 10:38:51||DEBUG||connectionpool||_new_conn||1049||Starting new HTTPS connection (4): gitlab.in.villeneuvedascq.fr:443
2025-04-09 10:38:51||ERROR||bouncer||exit_cli_error||43||HTTPSConnectionPool(host='gitlab.in.villeneuvedascq.fr', port=443): Max retries exceeded with url: /qgis-public/profils-qgis.git/info/refs?service=git-upload-pack (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)')))
Traceback (most recent call last):
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\util\ssl_.py", line 438, in ssl_wrap_socket
    context.load_verify_locations(ca_certs, ca_cert_dir, ca_cert_data)
ssl.SSLError: [X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connectionpool.py", line 787, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connectionpool.py", line 488, in _make_request
    raise new_e
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connectionpool.py", line 464, in _make_request
    self._validate_conn(conn)
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connectionpool.py", line 1093, in _validate_conn
    conn.connect()
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connection.py", line 741, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connection.py", line 920, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\util\ssl_.py", line 440, in ssl_wrap_socket
    raise SSLError(e) from e
urllib3.exceptions.SSLError: [X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\dulwich\client.py", line 2828, in _http_request
    resp = self.pool_manager.request(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\_request_methods.py", line 135, in request
    return self.request_encode_url(
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\_request_methods.py", line 182, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\poolmanager.py", line 443, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connectionpool.py", line 871, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connectionpool.py", line 871, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connectionpool.py", line 871, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\connectionpool.py", line 841, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\urllib3\util\retry.py", line 519, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='gitlab.in.villeneuvedascq.fr', port=443): Max retries exceeded with url: /qgis-public/profils-qgis.git/info/refs?service=git-upload-pack (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)')))

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\qgis_deployment_toolbelt\commands\deployment.py", line 224, in run
    job.run()
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\qgis_deployment_toolbelt\jobs\job_profiles_downloader.py", line 97, in run
    downloader = RemoteGitHandler(
                 ^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\qgis_deployment_toolbelt\profiles\remote_git_handler.py", line 67, in __init__
    if not self.is_branch_existing_in_repository(branch_name=branch_to_use):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\qgis_deployment_toolbelt\profiles\profiles_handler_base.py", line 302, in is_branch_existing_in_repository
    for branch in self.list_remote_branches(
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\qgis_deployment_toolbelt\utils\proxies.py", line 191, in wrapper
    result = func(*args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\qgis_deployment_toolbelt\profiles\profiles_handler_base.py", line 341, in list_remote_branches
    ls_remote_refs: dict = porcelain.ls_remote(
                           ^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\dulwich\porcelain.py", line 1801, in ls_remote
    return client.get_refs(host_path)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\dulwich\client.py", line 2737, in get_refs
    refs, _, _, _, peeled = self._discover_references(
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\dulwich\client.py", line 2432, in _discover_references
    resp, read = self._http_request(url, headers)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\9_qgis_profiles\.venv\Lib\site-packages\dulwich\client.py", line 2836, in _http_request
    raise GitProtocolError(str(e)) from e
dulwich.errors.GitProtocolError: HTTPSConnectionPool(host='gitlab.in.villeneuvedascq.fr', port=443): Max retries exceeded with url: /qgis-public/profils-qgis.git/info/refs?service=git-upload-pack (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)')))
2025-04-09 10:38:51||ERROR||bouncer||exit_cli_error||44||Please, read the full detailed log: C:\Users\ddallery\.cache\qgis-deployment-toolbelt\logs\QGISDeploymentToolbelt_0.36.3.log
HTTPSConnectionPool(host='gitlab.in.villeneuvedascq.fr', port=443): Max retries exceeded with url: /qgis-public/profils-qgis.git/info/refs?service=git-upload-pack (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4096)')))

Dallery avatar Apr 09 '25 09:04 Dallery
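
The first traceback in the post above ends in `context.load_verify_locations(...)`, so the error is raised while the CA file is being read, before the TLS handshake starts, and not while the server's chain is being verified. An added example (not part of the thread or of QDT) of a check that classifies a CA file before it is passed through `REQUESTS_CA_BUNDLE`; the function name and the sample bytes are constructed here.

```python
import os
import ssl
import sys
import tempfile

PEM_MARK = b"-----BEGIN CERTIFICATE-----"


def diagnose_ca_bundle(path):
    """Classify a CA file the way ssl's load_verify_locations() will see it."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if not raw.strip():
        return "empty file"
    # Windows PowerShell 5.1 redirection (> or Out-File) writes UTF-16 by
    # default, so OpenSSL never sees an ASCII "-----BEGIN" line.
    for enc in ("utf-16-le", "utf-16-be"):
        if "-----BEGIN".encode(enc) in raw:
            return "UTF-16 encoded PEM (re-save as ASCII or UTF-8)"
    if PEM_MARK not in raw:
        # A DER certificate is a bare ASN.1 SEQUENCE: first byte is 0x30.
        if raw[:1] == b"\x30":
            return "DER (binary) certificate, not PEM"
        return "no PEM certificate block"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Same call as in the traceback, on the same kind of input.
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError as exc:
        return f"OpenSSL rejected the file: {exc.reason}"
    stats = ctx.cert_store_stats()
    return f"ok: {stats['x509']} certificate(s), {stats['x509_ca']} flagged as CA"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(diagnose_ca_bundle(sys.argv[1]))
    else:
        # Constructed sample inputs, not files from the issue.
        pem = "-----BEGIN CERTIFICATE-----\r\nMIIB\r\n-----END CERTIFICATE-----\r\n"
        samples = {
            "empty.pem": b"\r\n",
            "utf16.pem": b"\xff\xfe" + pem.encode("utf-16-le"),
            "binary.cer": b"\x30\x82\x01\x0a\x00\x01",
            "key.pem": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
        }
        with tempfile.TemporaryDirectory() as tmp:
            for name, data in samples.items():
                sample_path = os.path.join(tmp, name)
                with open(sample_path, "wb") as fh:
                    fh.write(data)
                print(name, "->", diagnose_ca_bundle(sample_path))
```

A result of "ok" with 0 certificates flagged as CA means the file holds only a leaf certificate rather than the issuing CA.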

It seems it can come from the dulwich library, used to clone git repositories.

I think it's not using the environment variable REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE.

@Dallery could you try setting the environment variables used by SSL: https://docs.openssl.org/master/man3/SSL_CTX_load_verify_locations/#synopsis ?

You should try SSL_CERT_FILE and SSL_CERT_DIR.

jmkerloch avatar Apr 25 '25 09:04 jmkerloch

Hi,

I tried your recommendation, but the error is the same.

Moreover, I use uv to manage my env, so I add --native-tls to install my packages, but if I set $env:SSL_CERT_DIR="D:\9_qgis_profiles\" and $env:SSL_CERT_FILE="D:\9_qgis_profiles\gitlab-in-villeneuvedascq-fr.pem", I can't use my env anymore because I get this error:

 uv add qgis-deployment-toolbelt --native-tls
⠴ 9-qgis-profiles==0.1.0
  error: Failed to fetch: `https://pypi.org/simple/pip-system-certs/`
  Caused by: Request failed after 3 retries
  Caused by: error sending request for url (https://pypi.org/simple/pip-system-certs/)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer

So, without these parameters, it must be possible to reach my enterprise gitlab, we don't understand why we can't.

Without setting SSL_CERT_FILE and SSL_CERT_FILE, I can do this:

git clone https://gitlab.in.villeneuvedascq.fr/qgis-public/profils-qgis.git
Cloning into 'profils-qgis'...
remote: Enumerating objects: 20, done.
remote: Total 20 (delta 0), reused 0 (delta 0), pack-reused 20 (from 1)
Receiving objects: 100% (20/20), 176.29 KiB | 25.18 MiB/s, done.
Resolving deltas: 100% (2/2), done.

I use the 0.37.1 version.

Do you have another idea?

Dallery avatar May 09 '25 10:05 Dallery

Hi @Dallery,

It sounds like an upstream issue in urllib3 used by dulwich: https://github.com/jelmer/dulwich/issues/1025. To be sure, are you able to git fetch/clone your repository (I mean directly using the git CLI) without any additional configuration, or did you customize your git config?

As a workaround, you can use the workflow for private repositories: https://qgis-deployment.github.io/qgis-deployment-toolbelt-cli/guides/howto_manage_private_git.html i.e. automatically cloning your repository on a local network drive and making QDT point to it instead of your gitlab instance.

Guts avatar May 12 '25 20:05 Guts

Hi @Dallery,

Any feedback here before closing?

Guts avatar Sep 02 '25 16:09 Guts

Hi,

I haven't tried your solution yet because I want to use my GitLab, but I will soon. I also haven’t checked if a new release has come out — maybe try again with that.

I’ll let you know if I still get an error with Dulwich. If I do, you can close the issue, since it’s not because of you.

Thanks

Dallery avatar Sep 02 '25 16:09 Dallery