
Build from private conda-forge mirror failing since v0.30.0

Open chaumage opened this issue 1 year ago • 9 comments

I'm using rattler-build to package pure Python libraries on a Windows machine, with a private conda-forge mirror and no access to any other package index. My command looks like:

rattler-build build --recipe ./recipe/recipe.yaml -c https://host/repository/py-conda-forge --output-dir ../build/

It worked perfectly until I updated to the latest version. I tried all recent versions, and I get the following error since version 0.30.0 (included):

Error:
  × Failed to resolve dependencies: Request failed after 3 retries
  ├─▶ Request failed after 3 retries
  ├─▶ error sending request for url (https://host/repository/py-conda-forge/win-64/repodata_shards.msgpack.zst)
  ├─▶ client error (Connect)
  ╰─▶ invalid peer certificate: UnknownIssuer

chaumage avatar Jan 06 '25 10:01 chaumage

Does the URL have a valid HTTPS certificate? Is there a difference between the URL indicated and one that (probably) works, like https://host/repository/py-conda-forge/win-64/repodata.json?

wolfv avatar Jan 06 '25 12:01 wolfv

I.e., could you share what curl-ing those two URLs returns?

wolfv avatar Jan 06 '25 12:01 wolfv

Not sure I understand all the technicalities here, but curl-ing those URLs returns a 404 error. I think the URLs have no valid HTTPS certificate; when using pixi I have to set tls-no-verify = true.

chaumage avatar Jan 06 '25 13:01 chaumage

Do you need to use -k or --insecure when using curl?

wolfv avatar Jan 06 '25 13:01 wolfv

Sorry, I mistyped the command; now curl https://host/repository/py-conda-forge/ returns the list of all available packages, and there is no need for -k or --insecure.

chaumage avatar Jan 06 '25 13:01 chaumage

I ran into the same problem with our internal channel, which needs a self-signed certificate. I have narrowed down the change to this commit: https://github.com/prefix-dev/rattler-build/pull/1033/commits/18a8da49a9b513525d7c220caa3cd0dc85f549ad. There is no explanation of why we changed from native-tls to rustls-tls (it doesn't feel like it's related to using mold, which is the purpose of that pull request). I tried changing it back to native-tls and it worked. Could we change it back or provide a solution to this problem (e.g. an option to disable SSL verification)? This is a blocking issue because I don't know a way around it; we basically cannot build Windows packages with rattler-build. Thanks.

wenjuno avatar Jan 24 '25 02:01 wenjuno

Also running into the same issue, would be great to get this fixed.

mfrg avatar Feb 20 '25 21:02 mfrg

@pavelzw do you know if we need any additional features on rustls-tls to use the native certificates?

wolfv avatar May 03 '25 07:05 wolfv

Also having this issue on Windows. Any way to override which certificate store/chain is used?

danx12 avatar Oct 27 '25 14:10 danx12
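
Added example (not from the thread or the rattler-build project): a reproduction with the openssl CLI of how the same server certificate can be accepted by one client and rejected as an unknown issuer by another, depending only on which root set each client consults. It assumes, as the question about native certificates above suggests, that the failing build validates against roots that do not include the private CA; the names corp-root, bundled-root and host are constructed.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name is generated on the spot.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_root NAME: self-signed root, standing in for the content of one trust store.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$work/ca.cnf" \
    -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_leaf ROOT: server certificate for the mirror, signed by ROOT.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
    -subj "/CN=host" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
    -CAcreateserial -days 2 -out "$work/leaf.pem" 2>/dev/null
}

# check_against ROOT: prints "trusted" or the verifier's error line.
check_against() {
  if out=$(openssl verify -CAfile "$work/$1.pem" "$work/leaf.pem" 2>&1); then
    echo "trusted"
  else
    echo "$out" | grep -o 'error [0-9]*.*' | head -n1
  fi
}

make_root corp-root      # private CA, as installed in the OS trust store
make_root bundled-root   # stand-in for a root set shipped inside the client
issue_leaf corp-root
echo "client using the OS store:    $(check_against corp-root)"
echo "client using bundled roots:   $(check_against bundled-root)"
```

The certificate and server are identical in both checks; only the trust anchors differ, which is why curl can succeed without -k while another client on the same machine reports an unknown issuer.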