certificate verify failed: unable to get local issuer certificate

SIAESDSI

In my Dataiku UI, I created two Python environments under Code Envs:

• One for Python 3.12
• One for Python 3.9

Each environment installs the Python libraries listed in “packages to install” by retrieving them from repositories hosted on an Artifactory.

I imported the Artifactory certificate into the keystore of my Dataiku VM to allow communication.

In the extra options field, I specified --index-url along with the Artifactory token created for Dataiku and the repository name: one for Python 3.9, one for Python 3.12.

With the Python 3.12 environment, everything works correctly: I can rebuild the environment and it retrieves and installs the Python libraries as expected.

However, with the Python 3.9 environment I get a certificate error:

WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)'))': /artifactory/api/pypi/python-libraries-dataiku-3.9/simple/pip/

If I add --trusted-host <my-artifactory-address> in the extra options, it works.
However, I would like to avoid relying on this approach and instead configure the Python 3.9 environment in a secure way, similar to the Python 3.12 environment that works correctly.

Yasmine_T

Hi @SIAESDSI ,

This question has been answered on your previous post by my colleague Alexandru.

https://community.dataiku.com/discussion/45219/warning-retrying-retry-total-1-connect-none-read-none-redirect-none-status-none-after-connec

For reference:

The difference is that Python < 3.10 ignores the OS truststore and relies only on certifi by default.

You will need to pass --use-feature=truststore for it to behave the same way as by default in Python 3.12

https://pypi.org/project/truststore

https://pip.pypa.io/en/stable/topics/https-certificates

Best,

Yasmine