https://pantsbuild.org/ logo
#general
Title
# general
b

bored-glass-58755

08/22/2022, 10:40 PM
Hi guys, I am using pants behind a firewall and
./pants package
fails with following error:
Copy code
15:55:08.93 [ERROR] 1 Exception encountered:

  Exception: Error downloading file: error sending request for url (<https://github.com/pantsbuild/pex/releases/download/v2.1.90/pex>): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
Is there a proxy setting that can be configured in Pants?
e

enough-analyst-54434

08/22/2022, 10:42 PM
b

bored-glass-58755

08/22/2022, 10:57 PM
I have added below:
[subprocess-environment]
env_vars.add = ["http_proxy=<http://myproxy>", "https_proxy"]
But it doesnโ€™t work. The error remains. According to the page, it should take the values from the current shell environment if no values are mentioned.
h

hundreds-father-404

08/22/2022, 10:58 PM
is
echo $https_proxy
defined in your shell? Note that sometimes it is all caps
b

bored-glass-58755

08/22/2022, 11:00 PM
Yes, it is. And yes, I have both uppercase and lowercase defined in my shell and used both of them in
pants.toml
The error seems more like some certificate error rather a proxy error. Trying to figure out the certi settings.
h

hundreds-father-404

08/22/2022, 11:01 PM
I wonder if the section above on
ca_certs_path
may be relevant?
e

enough-analyst-54434

08/22/2022, 11:04 PM
Stepping away from Pants, does
curl -O <https://github.com/pantsbuild/pex/releases/download/v2.1.90/pex>
work?
Yeah, Eric is right. The wonder should be more strong since "connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer"
๐Ÿ‘ 2
b

bored-glass-58755

08/22/2022, 11:11 PM
The curl failed with:
Copy code
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:20 --:--:--     0curl: (56) Proxy CONNECT aborted
e

enough-analyst-54434

08/22/2022, 11:17 PM
Ok, getting
curl --cacert ...
working 1st may provide a quicker feedback loop.
Then that setting, once working, should also work for Pants.
b

bored-glass-58755

08/22/2022, 11:18 PM
Can I have the file downloaded (somehow) and keep it with my source or wherever and use it from there every time I execute a goal?
e

enough-analyst-54434

08/22/2022, 11:19 PM
You can, but this will get painful fast. There are many, many more files Pants will try to download.
If you can get your proxy configured and working, that should solve them all in one effort.
b

bored-glass-58755

08/22/2022, 11:20 PM
It will get difficult even if I stick to the same version?
e

enough-analyst-54434

08/22/2022, 11:20 PM
Yes. Typically you have 100s of dependencies.
Taking a step back, how do you configure you current tooling that needs artifacts from the internet?
b

bored-glass-58755

08/22/2022, 11:23 PM
We onboard and host the artifacts internally.
e

enough-analyst-54434

08/22/2022, 11:25 PM
Ok, so then it sounds like the proxy thing is a non-starter anyway. Is that right? In other words, no other build tool you have actually uses the proxy?
If so, then downloading the Pex PEX and configuring
[python-repos] indexes / repos
to your internal artifact repository should cover most things. See here for more detail on everything needed: https://github.com/pantsbuild/pants/issues/16328
b

bored-glass-58755

08/22/2022, 11:27 PM
I think so, but I am surprised how Pants bootstrapped in the first place:
Copy code
Downloading the Pex PEX.
SHA256 fingerprint of <https://github.com/pantsbuild/pex/releases/download/v2.1.62/pex> verified.
e

enough-analyst-54434

08/22/2022, 11:29 PM
So it seems like curl works sometimes in your environment. I.E.: it can pick up the proxy in some cases?
b

bored-glass-58755

08/22/2022, 11:30 PM
It seems so. I am not very much aware of how things are working.
e

enough-analyst-54434

08/22/2022, 11:31 PM
Ok. Well, the pants script I just linked uses --location (-L) which says follow re-directs.
I did not explicitly say for you to do that in your test earlier, probably that is the difference.
So, does
curl -L -O <https://github.com/pantsbuild/pex/releases/download/v2.1.90/pex>
work then?
It really should if Pants bootstrapped.
b

bored-glass-58755

08/22/2022, 11:33 PM
e

enough-analyst-54434

08/22/2022, 11:34 PM
Yeah, you could look at where your browser has its certs configured. Presumably there is some internal documentation about this.
b

bored-glass-58755

08/22/2022, 11:34 PM
Yup
Thanks a lot.
e

enough-analyst-54434

08/22/2022, 11:35 PM
Copy code
$ curl -vvv -O <https://github.com/pantsbuild/pex/releases/download/v2.1.90/pex> 2>&1 | grep CAfile
*  CAfile: /etc/ssl/certs/ca-certificates.crt
That shows me what my curl uses.
๐Ÿ‘ 1
b

bored-glass-58755

08/22/2022, 11:41 PM
Added the certs path to
pants.toml
and package worked.
โค๏ธ 1
๐Ÿ’ฏ 1
e

enough-analyst-54434

08/22/2022, 11:42 PM
Excellent.
๐Ÿ‘ 1
10 Views