SSL root certificates missing on GHA/macOS/Python 3.11 #512

amotl opened this issue Sep 29, 2022 · 5 comments · Fixed by actions/python-versions#189

amotl commented Sep 29, 2022

Hi there,

first things first: Thanks a stack for conceiving and maintaining this excellent GHA recipe. It always worked flawlessly for us, but we just ran into a little issue we wanted to share with you. Thank you already for looking into it.

With kind regards,
Andreas.

Description:

We started observing a problem, which is apparently caused by a missing root certificate bundle on GHA/macos-latest, when adding Python 3.11 (3.11-dev) to the test matrix. It still works on any other operating system or Python version. @andyfaff also observed probably the same issue when trying to build wheels for cp311-macosx_x86_64 on GHA, and reported it at pypa/cibuildwheel#1277 the other day. /cc @joerick, @henryiii, @mayeut

Specifically, it looks like the install_certificates.command provisioning program did not get invoked or failed within the installation process. Based on suggestions from others, we have been able to work around the problem by vendoring the program into the repository and running it before anything else, see crate/crate-python@243820d1.

Might actions/python-versions#184 be related?

References

Action version:
actions/setup-python@v4

Platform:

  • Ubuntu
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Tools version:

  • Python 3.11

Repro steps:
crate/crate-python#450 (already includes a workaround to install the root certificates manually)

Expected behavior:
When downloading resources from https:// URLs using the urllib.request module, Python should not croak.

Actual behavior:
Python croaks like:

Error: Error downloading extends for URL https://cdn.crate.io/downloads/releases/cratedb/x64_mac/crate-5.0.1.tar.gz:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)>
Error: Process completed with exit code 1.

-- https://github.com/crate/crate-python/actions/runs/3152435065/jobs/5127728530#step:4:240
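A CI pre-flight check for the condition reported above, as an added example that is not part of the original issue or of setup-python: it inspects the CA file and directory that this interpreter's OpenSSL is configured to use and lists why neither can anchor certificate verification. The function names are hypothetical, and the check assumes a macOS or Linux build that reads a PEM bundle or a hashed certificate directory.

```python
import os
import ssl
import sys


# Hypothetical helper names; only standard-library calls are used.
def trust_store_problems(cafile, capath):
    """Return [] if cafile or capath can anchor verification, else the reasons why not."""
    problems = []
    if cafile:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.load_verify_locations(cafile=cafile)
            if ctx.cert_store_stats()["x509_ca"] > 0:
                return []
            problems.append(f"{cafile}: loaded, but contains no CA certificates")
        except OSError as exc:  # missing file, dangling symlink, or no PEM data
            problems.append(f"{cafile}: {exc.__class__.__name__}: {exc}")
    else:
        problems.append("no CA bundle file configured")
    if capath and os.path.isdir(capath):
        with os.scandir(capath) as entries:
            if any(True for _ in entries):
                # OpenSSL reads hashed directories lazily, so "non-empty"
                # is the cheapest meaningful check here.
                return []
        problems.append(f"{capath}: CA directory is empty")
    else:
        problems.append(f"CA directory not usable: {capath!r}")
    return problems


def default_trust_store_problems():
    """Check the locations this interpreter's OpenSSL is configured to use."""
    paths = ssl.get_default_verify_paths()
    # paths.cafile is None when the file does not exist, so report on the
    # configured location instead, honouring SSL_CERT_FILE / SSL_CERT_DIR.
    cafile = os.environ.get(paths.openssl_cafile_env) or paths.openssl_cafile
    capath = os.environ.get(paths.openssl_capath_env) or paths.openssl_capath
    return trust_store_problems(cafile, capath)


if __name__ == "__main__":
    found = default_trust_store_problems()
    for line in found:
        print("trust store problem:", line, file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run as an early workflow step, a non-zero exit points at the runner's trust store rather than at the server being contacted, which is the distinction the `CERTIFICATE_VERIFY_FAILED` message alone does not make.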

@vsafonkin

Hi @amotl, thank you for your report, we will take a look at this.

mayeut commented Oct 1, 2022

I opened actions/python-versions#189 to fix this issue.

vsafonkin commented Oct 3, 2022

Hi @amotl, I've merged the PR with a fix from @mayeut, could you please check your builds?

amotl commented Oct 3, 2022

Hi again,

we can confirm the test run of crate/crate-python#450 just succeeded [1] without errors after reverting the temporary workaround. Thanks a stack for the super-quick fix, @mayeut. 💯

With kind regards,
Andreas.

Footnotes

  1. https://github.com/crate/crate-python/actions/runs/3176456538

henryiii commented Oct 3, 2022

Can also confirm it works here in a non-cibuildwheel context: scikit-hep/uproot5#743 :)
