Installing pip fails on RHEL 7.4 with SSL error

Bug #1741097 reported by Jim Rollenhagen on 2018-01-03
This bug affects 1 person
Affects: devstack
Importance: Undecided
Assigned to: Jim Rollenhagen

Bug Description

RHEL 7 curl does not support TLS > 1.0 by default, per this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1170339

And it seems bootstrap.pypa.io only supports TLS 1.2: https://www.ssllabs.com/ssltest/analyze.html?d=bootstrap.pypa.io&s=151.101.192.175

Passing --tlsv1 to curl here will force curl to speak any TLS 1.x version.

Logs from devstack:

2018-01-03 18:01:49.425 | + tools/install_pip.sh:install_get_pip:87 : curl -f --retry 6 --retry-delay 5 -o /opt/stack/devstack/files/get-pip.py https://bootstrap.pypa.io/get-pip.py
2018-01-03 18:01:49.430 | % Total % Received % Xferd Average Speed Time Time Time Current
2018-01-03 18:01:49.430 | Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
2018-01-03 18:01:49.700 | curl: (35) Peer reports incompatible or unsupported protocol version.

and further tests:

$ curl -I -v https://bootstrap.pypa.io/get-pip.py
* About to connect() to bootstrap.pypa.io port 443 (#0)
* Trying 151.101.44.175...
* Connected to bootstrap.pypa.io (151.101.44.175) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Peer reports incompatible or unsupported protocol version.
* Closing connection 0
curl: (35) Peer reports incompatible or unsupported protocol version.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

description: updated
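
The failure in the report above, modelled as a version negotiation (an added example, not part of the original bug report or of devstack). It assumes a server that accepts only TLS 1.2 and a client capped at TLS 1.0, as the report describes; the function names are hypothetical and the ServerHello is reduced to a stand-in that carries only the chosen version.

```python
import struct

# TLS versions as they appear on the wire (RFC 5246).
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
ALERT, HANDSHAKE = 21, 22            # record content types
FATAL, PROTOCOL_VERSION = 2, 70      # alert level / alert description


def server_reply(offered, server_min, server_max):
    """Model the server side of version negotiation (hypothetical helper).

    The server picks min(offered, server_max). If that is below its own
    minimum it aborts with a fatal protocol_version alert record.
    """
    chosen = min(offered, server_max)
    if chosen < server_min:
        # header: type, version, length=2; body: level, description.
        # The record version echoes the client's offer (a simplification).
        return struct.pack("!BHHBB", ALERT, offered, 2, FATAL, PROTOCOL_VERSION)
    # Stand-in for a ServerHello: only the chosen version is modelled.
    return struct.pack("!BHH", HANDSHAKE, chosen, 0)


def parse_alert(record):
    """Decode a plaintext 7-byte TLS alert record into (level, description)."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT or length != 2 or len(record) != 7:
        raise ValueError("not a plaintext TLS alert record")
    return record[5], record[6]


def connect(client_max, server_min=TLS12, server_max=TLS12):
    """Return ("ok", version name) or ("alert", reason) for one handshake."""
    reply = server_reply(client_max, server_min, server_max)
    if reply[0] == ALERT:
        level, desc = parse_alert(reply)
        if (level, desc) == (FATAL, PROTOCOL_VERSION):
            return ("alert", "protocol_version")
        return ("alert", "other")
    chosen = struct.unpack("!BHH", reply)[1]
    return ("ok", NAMES[chosen])


if __name__ == "__main__":
    # Constructed cases: TLS 1.2-only server, as the report describes.
    print(connect(TLS10))   # client capped at TLS 1.0, as in the failing logs
    print(connect(TLS12))   # client allowed to offer TLS 1.2
```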

Fix proposed to branch: master
Review: https://review.openstack.org/530991

Changed in devstack:
assignee: nobody → Jim Rollenhagen (jim-rollenhagen)
status: New → In Progress
summary: - Installing pip fails on RHEL 7.1 with SSL error
+ Installing pip fails on RHEL 7.4 with SSL error
Dr. Jens Harbott (j-harbott) wrote:

According to a comment in the review, this may be solved with current packages; please confirm whether the issue still exists.

Changed in devstack:
status: In Progress → Incomplete

Change abandoned by Jim Rollenhagen (<email address hidden>) on branch: master
Review: https://review.openstack.org/530991
Reason: Looks like latest packages work, thanks.

Yep, looks like this can be closed.

Changed in devstack:
status: Incomplete → Invalid