pypi-support
Unable to Fetch Files for (some) Packages on Pythonhosted.org
My Platform
System Details: Windows 11 Enterprise running on Enterprise Network. Commands run inside Debian Docker container on the same host. Python 3.10.14
Network Details: Enterprise network with SSL decryption. Note that the error occurs in-browser and when directing pip to use the system truststore.
The problem occurs when downloading some .whl and .tar.gz files from pythonhosted.org, such as pip (as can be seen in the HTTP requests below). This issue has been encountered so far with pipenv, setuptools, virtualenv, and pip. Packages such as Pandas and Numpy work fine. The problem occurs in-browser (tested using the latest Edge and Firefox), with pip, and when using command line tools including curl and wget.
Fastly Debug
N/A
DNS Resolution
$ dig pypi.org A
; <<>> DiG 9.18.24-1-Debian <<>> pypi.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36944
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e403f936f105bb84 (echoed)
;; QUESTION SECTION:
;pypi.org. IN A
;; ANSWER SECTION:
pypi.org. 12024 IN A 151.101.128.223
pypi.org. 12024 IN A 151.101.192.223
pypi.org. 12024 IN A 151.101.0.223
pypi.org. 12024 IN A 151.101.64.223
;; Query time: 40 msec
;; SERVER: 192.168.65.7#53(192.168.65.7) (UDP)
;; WHEN: Fri Jul 26 18:16:52 UTC 2024
;; MSG SIZE rcvd: 145
$ dig pypi.org AAAA
; <<>> DiG 9.18.24-1-Debian <<>> pypi.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60132
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bdf0e83d80c52169 (echoed)
;; QUESTION SECTION:
;pypi.org. IN AAAA
;; AUTHORITY SECTION:
pypi.org. 900 IN SOA ns-1264.awsdns-30.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 159 msec
;; SERVER: 192.168.65.7#53(192.168.65.7) (UDP)
;; WHEN: Fri Jul 26 18:17:09 UTC 2024
;; MSG SIZE rcvd: 142
$ dig files.pythonhosted.org A
; <<>> DiG 9.18.24-1-Debian <<>> files.pythonhosted.org A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62868
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cc0791fb66f80ad1 (echoed)
;; QUESTION SECTION:
;files.pythonhosted.org. IN A
;; ANSWER SECTION:
files.pythonhosted.org. 12322 IN CNAME dualstack.python.map.fastly.net.
dualstack.python.map.fastly.net. 33 IN A 199.232.36.223
;; Query time: 99 msec
;; SERVER: 192.168.65.7#53(192.168.65.7) (UDP)
;; WHEN: Fri Jul 26 18:18:14 UTC 2024
;; MSG SIZE rcvd: 177
$ dig files.pythonhosted.org AAAA
; <<>> DiG 9.18.24-1-Debian <<>> files.pythonhosted.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38338
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 10ad741d3e9b7c45 (echoed)
;; QUESTION SECTION:
;files.pythonhosted.org. IN AAAA
;; ANSWER SECTION:
files.pythonhosted.org. 12310 IN CNAME dualstack.python.map.fastly.net.
;; Query time: 110 msec
;; SERVER: 192.168.65.7#53(192.168.65.7) (UDP)
;; WHEN: Fri Jul 26 18:18:26 UTC 2024
;; MSG SIZE rcvd: 130
Traceroutes / IPv4
$ traceroute pypi.org
1 172.17.0.1 (172.17.0.1) 1.424 ms 1.205 ms 1.198 ms
2 192.168.65.5 (192.168.65.5) 1.196 ms 1.050 ms 1.019 ms
3 * * *
...
30 * * *
$ traceroute files.pythonhosted.org
traceroute to pythonhosted.org (151.101.64.223), 30 hops max, 60 byte packets
1 172.17.0.1 (172.17.0.1) 1.071 ms 0.862 ms 0.847 ms
2 192.168.65.5 (192.168.65.5) 0.784 ms 0.583 ms 0.555 ms
3 * * *
...
30 * * *
Traceroutes / IPv6 (If available)
N/A
HTTPS Requests / IPv4
$ curl -vvv -I --ipv4 https://pypi.org/pypi/pip/json
* Trying 151.101.128.223:443...
* Connected to pypi.org (151.101.128.223) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=pypi.org
* start date: Apr 23 04:22:05 2024 GMT
* expire date: May 25 04:22:04 2025 GMT
* subjectAltName: host "pypi.org" matched cert's "pypi.org"
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA 2024 Q2
* SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: HEAD]
* h2h3 [:path: /pypi/pip/json]
* h2h3 [:scheme: https]
* h2h3 [:authority: pypi.org]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55b08bc7ece0)
> HEAD /pypi/pip/json HTTP/2
> Host: pypi.org
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200
HTTP/2 200
< content-type: application/json
content-type: application/json
< access-control-allow-origin: *
access-control-allow-origin: *
< access-control-allow-headers: Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since
access-control-allow-headers: Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since
< access-control-allow-methods: GET
access-control-allow-methods: GET
< access-control-max-age: 86400
access-control-max-age: 86400
< access-control-expose-headers: X-PyPI-Last-Serial
access-control-expose-headers: X-PyPI-Last-Serial
< x-pypi-last-serial: 24022886
x-pypi-last-serial: 24022886
< cache-control: max-age=900, public
cache-control: max-age=900, public
< etag: "fHGil5WCGl3I2gJE5lb1+A"
etag: "fHGil5WCGl3I2gJE5lb1+A"
< content-security-policy: base-uri 'self'; block-all-mixed-content; connect-src 'self' https://api.github.com/repos/ https://api.github.com/search/issues https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com fastly-insights.com *.fastly-insights.com *.ethicalads.io https://api.pwnedpasswords.com https://cdn.jsdelivr.net/npm/[email protected]/es5/sre/mathmaps/ https://2p66nmmycsj3.statuspage.io; default-src 'none'; font-src 'self' fonts.gstatic.com; form-action 'self' https://checkout.stripe.com; frame-ancestors 'none'; frame-src 'none'; img-src 'self' https://pypi-camo.freetls.fastly.net/ https://*.google-analytics.com https://*.googletagmanager.com *.fastly-insights.com *.ethicalads.io ethicalads.blob.core.windows.net; script-src 'self' https://*.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com *.fastly-insights.com *.ethicalads.io 'sha256-U3hKDidudIaxBDEzwGJApJgPEf2mWk6cfMWghrAa6i0=' https://cdn.jsdelivr.net/npm/[email protected]/ 'sha256-1CldwzdEg2k1wTmf7s5RWVd7NMXI/7nxxjJM2C4DqII=' 'sha256-0POaN8stWYQxhzjKS+/eOfbbJ/u4YHO5ZagJvLpMypo='; style-src 'self' fonts.googleapis.com *.ethicalads.io 'sha256-2YHqZokjiizkHi1Zt+6ar0XJ0OeEy/egBnlm+MDMtrM=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-JLEjeN9e5dGsz5475WyRaoA4eQOdNPxDIeUhclnJDCE=' 'sha256-mQyxHEuwZJqpxCw3SLmc4YOySNKXunyu2Oiz1r3/wAE=' 'sha256-OCf+kv5Asiwp++8PIevKBYSgnNLNUZvxAp4a7wMLuKA=' 'sha256-h5LOiLhk6wiJrGsG5ItM0KimwzWQH/yAcmoJDJL//bY='; worker-src *.fastly-insights.com
content-security-policy: base-uri 'self'; block-all-mixed-content; connect-src 'self' https://api.github.com/repos/ https://api.github.com/search/issues https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com fastly-insights.com *.fastly-insights.com *.ethicalads.io https://api.pwnedpasswords.com https://cdn.jsdelivr.net/npm/[email protected]/es5/sre/mathmaps/ https://2p66nmmycsj3.statuspage.io; default-src 'none'; font-src 'self' fonts.gstatic.com; form-action 'self' https://checkout.stripe.com; frame-ancestors 'none'; frame-src 'none'; img-src 'self' https://pypi-camo.freetls.fastly.net/ https://*.google-analytics.com https://*.googletagmanager.com *.fastly-insights.com *.ethicalads.io ethicalads.blob.core.windows.net; script-src 'self' https://*.googletagmanager.com https://www.google-analytics.com https://ssl.google-analytics.com *.fastly-insights.com *.ethicalads.io 'sha256-U3hKDidudIaxBDEzwGJApJgPEf2mWk6cfMWghrAa6i0=' https://cdn.jsdelivr.net/npm/[email protected]/ 'sha256-1CldwzdEg2k1wTmf7s5RWVd7NMXI/7nxxjJM2C4DqII=' 'sha256-0POaN8stWYQxhzjKS+/eOfbbJ/u4YHO5ZagJvLpMypo='; style-src 'self' fonts.googleapis.com *.ethicalads.io 'sha256-2YHqZokjiizkHi1Zt+6ar0XJ0OeEy/egBnlm+MDMtrM=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-JLEjeN9e5dGsz5475WyRaoA4eQOdNPxDIeUhclnJDCE=' 'sha256-mQyxHEuwZJqpxCw3SLmc4YOySNKXunyu2Oiz1r3/wAE=' 'sha256-OCf+kv5Asiwp++8PIevKBYSgnNLNUZvxAp4a7wMLuKA=' 'sha256-h5LOiLhk6wiJrGsG5ItM0KimwzWQH/yAcmoJDJL//bY='; worker-src *.fastly-insights.com
< referrer-policy: origin-when-cross-origin
referrer-policy: origin-when-cross-origin
< accept-ranges: bytes
accept-ranges: bytes
< date: Fri, 26 Jul 2024 18:23:07 GMT
date: Fri, 26 Jul 2024 18:23:07 GMT
< x-served-by: cache-iad-kjyo7100068-IAD
x-served-by: cache-iad-kjyo7100068-IAD
< x-cache: HIT
x-cache: HIT
< x-cache-hits: 3
x-cache-hits: 3
< x-timer: S1722018187.201367,VS0,VE0
x-timer: S1722018187.201367,VS0,VE0
< vary: Accept-Encoding
vary: Accept-Encoding
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
x-frame-options: deny
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
x-permitted-cross-domain-policies: none
< permissions-policy: publickey-credentials-create=(self),publickey-credentials-get=(self),accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),hid=(),identity-credentials-get=(),idle-detection=(),local-fonts=(),magnetometer=(),microphone=(),midi=(),otp-credentials=(),payment=(),picture-in-picture=(),screen-wake-lock=(),serial=(),speaker-selection=(),storage-access=(),usb=(),web-share=(),xr-spatial-tracking=()
permissions-policy: publickey-credentials-create=(self),publickey-credentials-get=(self),accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),hid=(),identity-credentials-get=(),idle-detection=(),local-fonts=(),magnetometer=(),microphone=(),midi=(),otp-credentials=(),payment=(),picture-in-picture=(),screen-wake-lock=(),serial=(),speaker-selection=(),storage-access=(),usb=(),web-share=(),xr-spatial-tracking=()
< content-length: 189015
content-length: 189015
<
* Connection #0 to host pypi.org left intact
$ curl -vvv -I --ipv4 https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz
curl -vvv --ipv6 https://files.pythonhosted.org/packages/b1/f9/377158dbac2a0ebe7b7441303252964ce13a607ee34068b52d1dae814b8b/pipenv-2024.0.1-py3-none-any.whl -o out.whl
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (7) Couldn't connect to server
root@f7ebe285629a:/# curl -vvv -I --ipv4 https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz
* Trying 199.232.36.223:443...
* Connected to files.pythonhosted.org (199.232.36.223) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=*.pythonhosted.org
* start date: Jul 23 22:32:03 2024 GMT
* expire date: Aug 6 22:32:03 2024 GMT
* subjectAltName: host "files.pythonhosted.org" matched cert's "*.pythonhosted.org"
* issuer: C=US; L=Washington; ST=DC; O=U.S. Department of Homeland Security; OU=Certification Authorities; CN=DHS HQ Zscaler CA (t)
* SSL certificate verify ok.
* using HTTP/1.x
> HEAD /packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz HTTP/1.1
> Host: files.pythonhosted.org
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Connection: close
Connection: close
< Content-Length: 1246072
Content-Length: 1246072
< Server: nginx
Server: nginx
< Content-Type: binary/octet-stream
Content-Type: binary/octet-stream
< Last-Modified: Tue, 11 Apr 2023 02:19:03 GMT
Last-Modified: Tue, 11 Apr 2023 02:19:03 GMT
< ETag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
ETag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
< x-amz-meta-btime: 2020-02-26T17:47:37.438Z
x-amz-meta-btime: 2020-02-26T17:47:37.438Z
< x-amz-meta-mtime: 1582739257.438
x-amz-meta-mtime: 1582739257.438
< x-amz-request-id: a2c6f28b96eccafb
x-amz-request-id: a2c6f28b96eccafb
< x-amz-id-2: aNyxjJDEtNnBmODHSMCRkMmboY2AwYThS
x-amz-id-2: aNyxjJDEtNnBmODHSMCRkMmboY2AwYThS
< x-amz-version-id: 4_z179c51e67f11a0ad8f6c0018_f1191cd4ff993bd3d_d20230411_m021903_c005_v0501003_t0041_u01681179543316
x-amz-version-id: 4_z179c51e67f11a0ad8f6c0018_f1191cd4ff993bd3d_d20230411_m021903_c005_v0501003_t0041_u01681179543316
< Cache-Control: max-age=365000000, immutable, public
Cache-Control: max-age=365000000, immutable, public
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Age: 890404
Age: 890404
< Date: Fri, 26 Jul 2024 18:25:04 GMT
Date: Fri, 26 Jul 2024 18:25:04 GMT
< X-Served-By: cache-iad-kcgs7200149-IAD, cache-lga21954-LGA
X-Served-By: cache-iad-kcgs7200149-IAD, cache-lga21954-LGA
< X-Cache: HIT, MISS
X-Cache: HIT, MISS
< X-Cache-Hits: 108, 0
X-Cache-Hits: 108, 0
< X-Timer: S1722018305.742821,VS0,VE21
X-Timer: S1722018305.742821,VS0,VE21
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Frame-Options: deny
X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< X-Permitted-Cross-Domain-Policies: none
X-Permitted-Cross-Domain-Policies: none
< X-Robots-Header: noindex
X-Robots-Header: noindex
< x-pypi-file-python-version: source
x-pypi-file-python-version: source
< x-pypi-file-version: 10.0.1
x-pypi-file-version: 10.0.1
< x-pypi-file-package-type: sdist
x-pypi-file-package-type: sdist
< x-pypi-file-project: pip
x-pypi-file-project: pip
<
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
HTTPS Requests / IPv6 (If available)
N/A
TLS Debug / IPv4
Omitted for security reasons.
TLS Debug / IPv6 (If available)
N/A
Code of Conduct
- [X] I agree to follow the PSF Code of Conduct
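Added example, not part of the original report: both handshakes above end in `SSL certificate verify ok`, so the SSL decryption the report mentions only shows up in the negotiated parameters and the certificate issuer. The sketch below parses the `curl -v` lines quoted in the report and lists how the files.pythonhosted.org handshake departs from the pypi.org one; the function names and the 30-day validity threshold are assumptions made for this example.

```python
import re
from datetime import datetime

# Excerpts copied from the two `curl -v` handshakes in the report.
PYPI_ORG = """\
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* start date: Apr 23 04:22:05 2024 GMT
* expire date: May 25 04:22:04 2025 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA 2024 Q2
"""
FILES_HOST = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* start date: Jul 23 22:32:03 2024 GMT
* expire date: Aug 6 22:32:03 2024 GMT
* issuer: C=US; L=Washington; ST=DC; O=U.S. Department of Homeland Security; OU=Certification Authorities; CN=DHS HQ Zscaler CA (t)
"""

def _field(pattern, log):
    m = re.search(pattern, log, re.M)
    return m.group(1).strip() if m else None

def _date(label, log):  # curl pads single-digit days; collapse whitespace first
    text = " ".join(_field(label + r" date: (.+)$", log).split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")

def parse_handshake(log):
    """Extract TLS version, ALPN result, issuer organisation and validity period."""
    issuer = _field(r"issuer: (.+)$", log) or ""
    rdns = dict(p.split("=", 1) for p in issuer.split("; ") if "=" in p)
    return {
        "tls": float(_field(r"SSL connection using TLSv([\d.]+)", log)),
        "alpn": _field(r"ALPN: server accepted (\S+)", log),
        "issuer_org": rdns.get("O"),
        "days_valid": (_date("expire", log) - _date("start", log)).days,
    }

def differences(baseline_log, observed_log, min_days=30):  # min_days is assumed
    """List how an observed handshake departs from a baseline handshake."""
    base, seen = parse_handshake(baseline_log), parse_handshake(observed_log)
    out = []
    if seen["issuer_org"] != base["issuer_org"]:
        out.append("issuer organisation: " + str(seen["issuer_org"]))
    if seen["tls"] < base["tls"]:
        out.append(f"TLS {base['tls']} -> {seen['tls']}")
    if base["alpn"] and not seen["alpn"]:
        out.append("no ALPN protocol agreed (HTTP/2 lost)")
    if seen["days_valid"] < min_days:
        out.append(f"certificate valid for only {seen['days_valid']} days")
    return out
```

Calling `differences(PYPI_ORG, FILES_HOST)` returns four entries for the handshakes in this report; an unchanged path returns an empty list.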