puller.par fails with SSL: CERTIFICATE_VERIFY_FAILED

[calder]

On a host with custom CA certs behind a man-in-the-middle'ing firewall, puller.par fails to verify gcr.io's cert and the image pull fails.

puller.par --directory /home/ccoalson/.cache/bazel/_bazel_ccoalson/6ee755f59ce88cc5a69b6f20e9174b66/external/cc_image_base/image --name gcr.io/distroless/cc@sha256:7a52af4e4f09c905f2264c99ec75f65481fd132454f3ff4dd06962c99c7dab6e
F0315 14:32:40.860797   14008 __main__.py:125] Error pulling and saving image gcr.io/distroless/cc@sha256:7a52af4e4f09c905f2264c99ec75f65481fd132454f3ff4dd06962c99c7dab6e: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Since image integrity is already verified by digest, I don't see much harm in adding an insecure mode where SSL (or at least cert verification) is disabled. Thoughts?

[calder]

Related issues and pull requests:

• Puller not working with (custom) system certs #273
• Use system certs for transports if possible google/containerregistry#50
• Add new option cacerts. google/containerregistry#52
• [WIP] Add SSL Certificate Support to Fast Pull and Push google/containerregistry#39

[calder]

Closing this as a duplicate of #273.

[calder]

For posterity, this was fixed for me by:

sudo pip install httplib2.system-ca-certs-locater