Certificates configuration to install packages with git+https from a company-hosted github/gitlab
Issue Kind
Improving documentation
Existing Link
https://python-poetry.org/docs/configuration/#certificatesnamecert
Description
I struggled several times trying to install Python packages from git repositories hosted on private company GitHub or GitLab servers.
Specifically, with pip I can simply install a self-hosted gitlab repo with:
pip install git+https://mycompany.gitlab.com/org/myrepo.git
And to avoid SSL errors in the HTTPS connection, in the worst case I would just have to set the correct certificates bundle with:
export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/mycompany_root_cert.crt
pip install git+https://mycompany.gitlab.com/org/myrepo.git
Sadly this does not work with poetry, because by default it is relying on system git to pull the repo (not on a Python tool based on the requests library).
This is very subtle and the documentation is not clear, and I cannot find anything mentioning this in the documentation related to configuration of certificates or repository certificates.
The only way I found to fix this is setting the correct certificate in the global git configuration with the following before using poetry:
git config --global http.sslCAInfo /usr/local/share/ca-certificates/mycompany_root_cert.crt
poetry add git+https://mycompany.gitlab.com/org/myrepo.git
This is very similar to #2475 and related issues, with the difference that the github/gitlab is a company one (so using a different certificate). Moreover, #5428 + setting REQUESTS_CA_BUNDLE is still a possible solution, i.e.:
poetry config experimental.system-git-client true
export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/mycompany_root_cert.crt
poetry add git+https://mycompany.gitlab.com/org/myrepo.git
I think at least one of the two solutions should be added to the documentation.
> because by default it is relying on system git to pull the repo
this is backwards, in fact poetry config experimental.system-git-client true is what turns on the system git client
in general the best way to get docs improvements done is to contribute them yourself - but do be careful that you understand what you are writing!
Thanks for your reply.
You are right, it's clear from the flag name that the behavior should be the opposite (half a day trying to solve this issue in different ways didn't help :D).
I'll double check in the next days what was going on and how to solve it in an isolated environment and in a reproducible way. If I get my mind clear enough, I'll try to contribute to the documentation myself.
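
A diagnostic for the confusion in this thread, as an added example that is not part of the issue or of Poetry: it reports which CA-bundle overrides are set for git and for requests-based clients, and flags any that disable or break verification. Besides REQUESTS_CA_BUNDLE and http.sslCAInfo from the thread, it checks GIT_SSL_CAINFO, GIT_SSL_NO_VERIFY, CURL_CA_BUNDLE, SSL_CERT_FILE and http.sslVerify, which the thread does not mention; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit the CA-trust settings that git and requests-based
# clients read. Function names are hypothetical; the settings are real.

# Return 0 if FILE is readable and contains at least one PEM certificate.
is_pem_bundle() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print one line per finding: OK, INFO or FAIL followed by the setting.
audit_ca_env() {
    # Verification switched off entirely: the workaround to avoid.
    if [ -n "${GIT_SSL_NO_VERIFY:-}" ]; then
        echo "FAIL GIT_SSL_NO_VERIFY is set: git skips certificate verification"
    fi
    # GIT_SSL_CAINFO is read by git, REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE
    # by requests, SSL_CERT_FILE by OpenSSL's default verify paths.
    for var in GIT_SSL_CAINFO REQUESTS_CA_BUNDLE CURL_CA_BUNDLE SSL_CERT_FILE; do
        eval "path=\${$var:-}"
        [ -n "$path" ] || continue
        if is_pem_bundle "$path"; then
            echo "OK $var=$path"
        else
            echo "FAIL $var=$path is not a readable PEM bundle"
        fi
    done
    # Persistent git settings, checked only when git is installed.
    if command -v git >/dev/null 2>&1; then
        verify=$(git config --bool --get http.sslVerify 2>/dev/null || true)
        [ "$verify" != "false" ] || echo "FAIL git http.sslVerify=false"
        cainfo=$(git config --get http.sslCAInfo 2>/dev/null || true)
        if [ -n "$cainfo" ]; then
            if is_pem_bundle "$cainfo"; then
                echo "INFO git http.sslCAInfo=$cainfo"
            else
                echo "FAIL git http.sslCAInfo=$cainfo is not a readable PEM bundle"
            fi
        fi
    fi
    return 0
}

# Report on the current shell environment.
audit_ca_env
```

Run it in the same shell session that runs pip or poetry, so the exported variables it inspects are the ones those tools will see.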