https://pantsbuild.org/ logo
Join Slack
Powered by
Hi guys, I am using pants behind a firewall and `...
# general
b
Hi guys, I am using pants behind a firewall and 
./pants package
fails with following error:
Copy code
15:55:08.93 [ERROR] 1 Exception encountered:

  Exception: Error downloading file: error sending request for url (<https://github.com/pantsbuild/pex/releases/download/v2.1.90/pex>): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
Is there a proxy setting that can be configured in Pants?
e
b
I have added below: 
[subprocess-environment]
env_vars.add = ["http_proxy=<http://myproxy>", "https_proxy"]
But it doesnโ€™t work. The error remains. According to the page, it should take the values from the current shell environment if no values are mentioned.
h
is 
echo $https_proxy
defined in your shell? Note that sometimes it is all caps
b
Yes, it is. And yes, I have both uppercase and lowercase defined in my shell and used both of them in 
pants.toml
The error seems more like some certificate error rather a proxy error. Trying to figure out the certi settings.
h
I wonder if the section above on 
ca_certs_path
may be relevant?
e
Stepping away from Pants, does 
curl -O <https://github.com/pantsbuild/pex/releases/download/v2.1.90/pex>
work?
Yeah, Eric is right. The wonder should be more strong since "connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer"
๐Ÿ‘ 2
b
The curl failed with:
Copy code
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:20 --:--:--     0curl: (56) Proxy CONNECT aborted
e
Ok, getting 
curl --cacert ...
working 1st may provide a quicker feedback loop.
Then that setting, once working, should also work for Pants.
b
Can I have the file downloaded (somehow) and keep it with my source or wherever and use it from there every time I execute a goal?
e
You can, but this will get painful fast. There are many, many more files Pants will try to download.
If you can get your proxy configured and working, that should solve them all in one effort.
b
It will get difficult even if I stick to the same version?
e
Yes. Typically you have 100s of dependencies.
Taking a step back, how do you configure you current tooling that needs artifacts from the internet?
b
We onboard and host the artifacts internally.
e
Ok, so then it sounds like the proxy thing is a non-starter anyway. Is that right? In other words, no other build tool you have actually uses the proxy?
If so, then downloading the Pex PEX and configuring 
[python-repos] indexes / repos
to your internal artifact repository should cover most things. See here for more detail on everything needed: https://github.com/pantsbuild/pants/issues/16328
b
I think so, but I am surprised how Pants bootstrapped in the first place:
Copy code
Downloading the Pex PEX.
SHA256 fingerprint of <https://github.com/pantsbuild/pex/releases/download/v2.1.62/pex> verified.
e
So it seems like curl works sometimes in your environment. I.E.: it can pick up the proxy in some cases?
b
It seems so. I am not very much aware of how things are working.
e
Ok. Well, the pants script I just linked uses --location (-L) which says follow re-directs.
I did not explicitly say for you to do that in your test earlier, probably that is the difference.
So, does 
curl -L -O <https://github.com/pantsbuild/pex/releases/download/v2.1.90/pex>
work then?
It really should if Pants bootstrapped.
b
e
Yeah, you could look at where your browser has its certs configured. Presumably there is some internal documentation about this.
b
Yup
Thanks a lot.
e
Copy code
$ curl -vvv -O <https://github.com/pantsbuild/pex/releases/download/v2.1.90/pex> 2>&1 | grep CAfile
*  CAfile: /etc/ssl/certs/ca-certificates.crt
That shows me what my curl uses.
๐Ÿ‘ 1
b
Added the certs path to 
pants.toml
and package worked.
โค๏ธ 1
๐Ÿ’ฏ 1
e
Excellent.
๐Ÿ‘ 1
10 Views
Open in Slack
PreviousNext
Powered by