Python 3.5 setup fails with an invalid certificate when running pip

[andy-maier]

Description:

Python 3.5 setup fails with an invalid certificate when running pip.

This started happening a few days ago. 7 days ago it still worked.

From a today's run where it failed: https://github.com/zhmcclient/zhmc-ansible-modules/actions/runs/9076784995/job/24940262974

Run actions/setup-python@v5
  with:
    python-version: 3.5
    check-latest: false
    token: ***
    update-environment: true
    allow-prereleases: false
  env:
    PIP_DISABLE_PIP_VERSION_CHECK: 1
    PIP_NO_PYTHON_VERSION_WARNING: 1
Installed versions
  Version 3.5 was not found in the local cache
  Version 3.5 is available for downloading
  Download from "https://github.com/actions/python-versions/releases/download/3.5.10-90026/python-3.5.10-linux-20.04-x64.tar.gz"
  Extract downloaded archive
  /usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/bbd73505-bdd7-43f6-9be8-ea09e3ed6949 -f /home/runner/work/_temp/20ce11ed-ebf4-4b07-b07d-6c43d465aa62
  Execute installation script
  Check if Python hostedtoolcache folder exist...
  Create Python 3.5.10 folder
  Copy Python binaries to hostedtoolcache folder
  Create additional symlinks (Required for the UsePythonVersion Azure Pipelines task and the setup-python GitHub Action)
  Upgrading PIP...
  Requirement already satisfied: setuptools in /opt/hostedtoolcache/Python/3.5.10/x64/lib/python3.5/site-packages
  Requirement already satisfied: pip in /opt/hostedtoolcache/Python/3.5.10/x64/lib/python3.5/site-packages
  Collecting pip
  Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:728) - skipping
  Error: Could not find a version that satisfies the requirement pip (from versions: )
  Error: No matching distribution found for pip
  Error: The process '/usr/bin/bash' failed with exit code 1

Action version:

v5

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Tools version:

Python 3.5

Repro steps:

To reproduce, use the setup-python action with Python 3.5.

Expected behavior:

Python 3.5 should be installed as it was 1 week ago.

Actual behavior:

See description, above.

[joamag]

I'm also able to reproduce this behavior in a self-hosted environment.

[joamag]

@andy-maier I believe you can use this "temporary fix" (using PIP_TRUSTED_HOST env variable) to bump pip and avoid this error

  - uses: actions/setup-python@v5
    with:
      python-version: 3.5
    env:
      PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"

Found it here https://stackoverflow.com/questions/25981703/pip-install-fails-with-connection-error-ssl-certificate-verify-failed-certi

[aparnajyothi-y]

Hello @andy-maier, Thank you for creating this issue and we will look into it :)

[dirkf]

The Python 3.4.4 Windows MSI installation is also affected and also responds to the PIP_TRUSTED_HOST work-around. This is minimally documented at https://pip.pypa.io/en/latest/cli/pip/:

--trusted-host <hostname>

    Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.

    (environment variable: PIP_TRUSTED_HOST)

Presumably pypi.org has reconfigured its servers with some new web-breaking security option so that older SSL implementations can't verify its certificate? If so the "temporary" work-around may be wrongly described.

[andy-maier]

@joamag
Hello João. Thank you very much for this workaround!!
I can confirm that it works for us.