devstack

Installing pip fails on RHEL 7.4 with SSL error

Bug #1741097 reported by Jim Rollenhagen on 2018-01-03

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	devstack	Invalid	Undecided	Jim Rollenhagen

Bug Description

RHEL 7 curl does not support TLS > 1.0 by default, per this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1170339

And it seems bootstrap.pypa.io only supports TLS 1.2: https://www.ssllabs.com/ssltest/analyze.html?d=bootstrap.pypa.io&s=151.101.192.175

Passing --tlsv1 to curl here will force curl to speak any TLS 1.x version.

Logs from devstack:

2018-01-03 18:01:49.425 | + tools/install_pip.sh:install_get_pip:87 : curl -f --retry 6 --retry-delay 5 -o /opt/stack/devstack/files/get-pip.py https://bootstrap.pypa.io/get-pip.py
2018-01-03 18:01:49.430 | % Total % Received % Xferd Average Speed Time Time Time Current
2018-01-03 18:01:49.430 | Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
2018-01-03 18:01:49.700 | curl: (35) Peer reports incompatible or unsupported protocol version.

and further tests:

$ curl -I -v https://bootstrap.pypa.io/get-pip.py
* About to connect() to bootstrap.pypa.io port 443 (#0)
* Trying 151.101.44.175...
* Connected to bootstrap.pypa.io (151.101.44.175) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT)
* Peer reports incompatible or unsupported protocol version.
* Closing connection 0
curl: (35) Peer reports incompatible or unsupported protocol version.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

See original description

Jim Rollenhagen (jim-rollenhagen) on 2018-01-03

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-01-03: Fix proposed to devstack (master)

Fix proposed to branch: master
Review: https://review.openstack.org/530991

Changed in devstack:
assignee:	nobody → Jim Rollenhagen (jim-rollenhagen)
status:	New → In Progress

Jim Rollenhagen (jim-rollenhagen) on 2018-01-03

summary:

- Installing pip fails on RHEL 7.1 with SSL error
+ Installing pip fails on RHEL 7.4 with SSL error

Revision history for this message

Dr. Jens Harbott (j-harbott) wrote on 2018-03-19:

According to a comment in the review, this may be solved with current packages, please confirm whether the issue still exists.

Changed in devstack:
status:	In Progress → Incomplete

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-19: Change abandoned on devstack (master)

Change abandoned by Jim Rollenhagen (<email address hidden>) on branch: master
Review: https://review.openstack.org/530991
Reason: Looks like latest packages work, thanks.

Revision history for this message

Jim Rollenhagen (jim-rollenhagen) wrote on 2018-03-19:

Yep, looks like this can be closed.

Changed in devstack:
status:	Incomplete → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.