Fix certificate error for IERS data download on Windows #10434
Conversation
|
It seems that accessing URLs in travis is not always stable and sometimes times out. Other than that the amount of tests working in travis is increased. In the Windows test even the ftp test for downloading the IERS dataset works (XPASS), weirdly it still fails on Linux. |
|
Yes, they are flaky. And the more jobs try to access them concurrently, the flakier they get as some servers try to block them from spamming. Not sure what we can do about it. |
|
I don't really feel competent to review this, but am unclear about one thing: where should this belong in our dependencies? Since IERS files are required for quite a bit of essential use of astropy, is |
|
@mhvk This is specifically to Windows, the travis test case on Windows also exhibits this behaviou, but it's not specific to travis. To get the CA certificates in urllib/Python for Windows: I've lost the original issue on bugs.python.org where this was discussed in more detail, but the answer on this https://bugs.python.org/issue36011 confirms the problem with the certificate storage on Windows and ways to solve it. I'm happy to iterate on adding documentation to install/changelog as needed. |
|
OK, so on Windows |
|
With the current version of the PR, this makes |
|
In the current approach I deliberately included it for Linux and Windows as otherwise it would require to write OS specific codepaths later and is not really elegant nor readable. On Linux the system-installed certifi package (at least on Fedora & Gentoo) actually points to the system CA certificates. Although in a virtualenv it points tho the locally installed CA certificates. |
This comment has been minimized.
This comment has been minimized.
|
Just so we have something we can compare against, I did a remote data run on Windows over at #10448 . Its log does show EDIT: To be more specific... This one is actually from astropy.readthedocs.io : |
There was a problem hiding this comment.
Here's my plan:
- Cherry-pick the relevant fix to EXP: Testing on Windows with remote data #10448 to convince myself that this really works.
- See if there is a way to only require
certififor Windows and not other OS.
Todo for this PR:
- Address existing review comments.
- Add text to
docs/install.rst - Remove remote data Windows job from PR CI. Instead create one as cron job.
- Add text to
- Wait for next steps based on my investigation above.
How does this sound? Thanks!
|
I'll ponder the need for change log and milestone later. Given that this is a bug, it can be backported but then again, it's been there forever and our Windows user base is rather small. 🤷 UPDATE: I decided against backport due to introduction of new dependency for Windows. |
|
So, reporting back on my work at #10448 that is built upon the fix here:
What do y'all think? |
|
@pllim I fully agree that for now the fix is only necessary on Windows and also not always. I will implement the fix to target only Windows OS via the requirements specification in As this is a annoying road block for new users (which with a entry in a FAQ etc can be resolved quickly), I would rather opt to default a possible configuration option to I made this patch primarily not to fix tests or anything but to make it easier to get started on Windows (no error on the first run) for new users. |
|
Thanks for your inputs, @noc0lour ! Looking forward to your next commit(s). |
noc0lour
force-pushed
the
fix_certificate_error_windows
branch
2 times, most recently
from
e0e2053 to
9833363
Compare
|
Implemented the |
There was a problem hiding this comment.
Thank you very much for following up and your continued patience! I think about this a bit more and...
- I am still not convinced that requiring it for Windows blindly is the best way forward, especially given the note about multiprocessing and the note about OpenSSL. The problem this PR is trying to solve does not seem to affect a lot of people, but the fix affects all Windows users going forward. As you have mentioned, a FAQ might be sufficient for beginner users even if this fix is not the default behavior? I still think that making it a non-default configurable item the safest route, as that won't change any existing behavior at all. Would be nice to have more opinions about this.
- Depending on the decision above, the change log would be under API change or new feature, but regardless, I have set the milestone.
- Additional text about
certifineeds to be indocs/install.rst. - Some tests will fail for this new cron job unless their fixes are copied over from EXP: Testing on Windows with remote data #10448 for
astropy/coordinates/tests/test_solar_system.pyanddocs/coordinates/spectralcoord.rst.
|
I wasn't the best reviewer for this PR, resulting in it getting stale. I do think we need to find a way forward with this one way or another. @embray , any ideas? |
|
@pllim at least from my side I just did not have the time (yet) to follow up with a distinct implementation to put things into configuration etc. Current state could be used by anyone interested to implement the configuration to go into the implemented codepath. |
|
@embray , any chance we can wrap this up before end of April 2021? |
|
@pllim will do! |
embray
force-pushed
the
fix_certificate_error_windows
branch
from
909eb2b to
892afe3
Compare
|
Somehow an unrelated commit got in here when I rebased... |
Initialize a SSL context with the CA file taken from certifi which collects the Mozilla CA certificates.
this is consistent with how the 'requests' package handles root CA certificates: https://requests.readthedocs.io/en/master/user/advanced/#ca-certificates
…ly when installed but is not required adds an option allow_insecure to allow downloads over unverified SSL connections to succeed with a warning, as well as an ssl_context argument which allows additional optional settings for configuring SSL connections
timeout to 5 seconds however, when it does fail it appears to be raising a URLError, not socket.timeout
automatically re-tried with allow_insecure=True
embray
force-pushed
the
fix_certificate_error_windows
branch
from
a84237c to
d77bf02
Compare
|
Ok. Everything should be fixed now. @pllim I addressed all your comments. Also fixed the changelog entry to the new format. |
|
Bleh, there are some test failures because I changed a |
allow_insecure=True.
embray
force-pushed
the
fix_certificate_error_windows
branch
from
d77bf02 to
3feff1f
Compare
| @@ -1723,7 +1745,7 @@ def info(self): | |||
| def read(self, length=None): | |||
| return self.reader.read(length) | |||
|
|
|||
| monkeypatch.setattr(urllib.request, "build_opener", mockurl_builder) | |||
| monkeypatch.setattr(astropy.utils.data, "_build_urlopener", mockurl_builder) | |||
There was a problem hiding this comment.
I remember seeing monkeypatching of astropy.utils.data over at astroquery, so this is a heads up to astroquery people: @keflavich , @bsipocz , @ceb8
|
Thank you 🙏 |
|
For future reference, this broke |
Across different machines Windows often has intermittent problems of fetching data from datacenter.iers.org due to the CA certificate missing on Windows. (visiting the webpage via internet explorer will temporarily fetch the certificate, but that's rather clumsy and unreliable).
Description
Use certifi certificate store for reliable CA root certificate fetching on all platforms.
Fixes #9640
Close #10448