
Pixi add not working behind proxy and firewall #1035

Closed
2 tasks done
vigneshmanick opened this issue Mar 21, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@vigneshmanick
Contributor

Checks

  • I have checked that this issue has not already been reported.

  • I have confirmed this bug exists on the latest version of pixi, using pixi --version.

Reproducible example

pixi init
pixi add python

Issue description

Hello,

Thanks for the awesome project. I have an issue when using pixi via proxy and a firewall that intercepts the communications (MITM). I tried to test the demo script to see if it works and this is the following output I get. Any pointers on how to use pixi that's behind proxy with a custom ca-certificate? I have no issues when running pixi when not behind proxy and firewall.

My OS is Windows 11 Pro and pixi version is 0.17.0

ERROR fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch: error=Request error: error sending request for url (https://conda.anaconda.org/conda-forge/noarch/repodata.json.zst): error trying to connect: tcp connect error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (os error 10060)
ERROR fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch: error=Request error: error sending request for url (https://conda.anaconda.org/conda-forge/win-64/repodata.json.zst): error trying to connect: tcp connect error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (os error 10060)
  × failed to fetch repodata from channels
  ├─▶ Request error: error sending request for url (https://conda.anaconda.org/conda-forge/win-64/repodata.json.zst):
  │   error trying to connect: tcp connect error: A connection attempt failed because the connected party did not
  │   properly respond after a period of time, or established connection failed because connected host has failed to
  │   respond. (os error 10060)
  ├─▶ error sending request for url (https://conda.anaconda.org/conda-forge/win-64/repodata.json.zst): error trying
  │   to connect: tcp connect error: A connection attempt failed because the connected party did not properly respond
  │   after a period of time, or established connection failed because connected host has failed to respond. (os error
  │   10060)
  ├─▶ error trying to connect: tcp connect error: A connection attempt failed because the connected party did not
  │   properly respond after a period of time, or established connection failed because connected host has failed to
  │   respond. (os error 10060)
  ├─▶ tcp connect error: A connection attempt failed because the connected party did not properly respond after a
  │   period of time, or established connection failed because connected host has failed to respond. (os error 10060)
  ╰─▶ A connection attempt failed because the connected party did not properly respond after a period of time, or
      established connection failed because connected host has failed to respond. (os error 10060)

Thanks!

Expected behavior

pixi add works without any timeout

@vigneshmanick added the bug label Mar 21, 2024

@ruben-arts
Contributor

Hey could you let us know if it works with --tls-no-verify?

@vigneshmanick
Contributor Author

vigneshmanick commented Mar 22, 2024

Unfortunately still the same error. For testing, I tried to create another env with conda and I got the following error:

conda create -n test python
Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')': /pkgs/r/win-64/repodata.json.zst

After pointing conda to the certificate the process works normally/as expected:

conda config --set ssl_verify C:\\Users\\user\\custom_rootcert.crt

So I guess the same config is missing here in pixi?

pixi global install ruff --tls-no-verify

 WARN pixi::utils::reqwest: TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
⠁ fetching package metadata
  ⠉ conda-forge/win-64   [00:00:12] [────────────────────]      0 B @ 0 B/s
  ⠉ conda-forge/noarch   [00:00:12] [────────────────────]      0 B @ 0 B/s
PS C:\Users\user\data\source\repos\> pixi global install ruff --tls-no-verify -vvv
 INFO pixi::config: Global config not found at C:\Users\user\AppData\Roaming\pixi\config.toml
 INFO pixi::config: Loading global config from C:\Users\user\.pixi\config.toml
 WARN pixi::utils::reqwest: TLS verification is disabled. This is insecure and should only be used for testing or internal networks.
DEBUG rattler_repodata_gateway::fetch: Cache is 15h 43m 3s 89ms 487us 100ns old but can at most be 20m old. Assuming out of date...
 INFO fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch::jlap: fetching JLAP state from https://conda.anaconda.org/conda-forge/noarch/repodata.jlap (bytes=10222687-)
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: reqwest::connect: starting new connection: https://conda.anaconda.org/

DEBUG hyper::client::connect::dns: resolving host="conda.anaconda.org"
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: hyper::client::connect::http: connecting to 104.17.15.67:443
DEBUG rattler_repodata_gateway::fetch: Cache is 15h 43m 2s 43ms 8us 500ns old but can at most be 20m old. Assuming out of date...
 INFO fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch::jlap: fetching JLAP state from https://conda.anaconda.org/conda-forge/win-64/repodata.jlap (bytes=5921529-)
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: reqwest::connect: starting new connection: https://conda.anaconda.org/  
DEBUG hyper::client::connect::dns: resolving host="conda.anaconda.org"
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: hyper::client::connect::http: connecting to 104.17.15.67:443
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: hyper::client::connect::http: connecting to 104.17.16.67:443
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: hyper::client::connect::http: connecting to 104.17.16.67:443
 WARN fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch: Error during JLAP request: Request error: error sending request for url (https://conda.anaconda.org/conda-forge/noarch/repodata.jlap): error trying to connect: tcp connect error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (os error 10060)
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch: fetching 'https://conda.anaconda.org/conda-forge/noarch/repodata.json.zst'
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: reqwest::connect: starting new connection: https://conda.anaconda.org/  
DEBUG hyper::client::connect::dns: resolving host="conda.anaconda.org"
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: hyper::client::connect::http: connecting to 104.17.15.67:443
 WARN fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch: Error during JLAP request: Request error: error sending request for url (https://conda.anaconda.org/conda-forge/win-64/repodata.jlap): error trying to connect: tcp connect error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (os error 10060)
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch: fetching 'https://conda.anaconda.org/conda-forge/win-64/repodata.json.zst'
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: reqwest::connect: starting new connection: https://conda.anaconda.org/  
DEBUG hyper::client::connect::dns: resolving host="conda.anaconda.org"
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: hyper::client::connect::http: connecting to 104.17.15.67:443
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: hyper::client::connect::http: connecting to 104.17.16.67:443
DEBUG fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: hyper::client::connect::http: connecting to 104.17.16.67:443
ERROR fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch: error=Request error: error sending request for url (https://conda.anaconda.org/conda-forge/noarch/repodata.json.zst): error trying to connect: tcp connect error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (os error 10060)
ERROR fetch_repo_data{cache_path=C:\Users\user\AppData\Local\rattler/cache\repodata}: rattler_repodata_gateway::fetch: error=Request error: error sending request for url (https://conda.anaconda.org/conda-forge/win-64/repodata.json.zst): error trying to connect: tcp connect error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (os error 10060)
  × failed to fetch repodata from channels
  ├─▶ Request error: error sending request for url (https://conda.anaconda.org/conda-forge/win-64/repodata.json.zst): error trying to connect: tcp connect
  │   error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed
  │   because connected host has failed to respond. (os error 10060)
  ├─▶ error sending request for url (https://conda.anaconda.org/conda-forge/win-64/repodata.json.zst): error trying to connect: tcp connect error: A
  │   connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because
  │   connected host has failed to respond. (os error 10060)
  ├─▶ error trying to connect: tcp connect error: A connection attempt failed because the connected party did not properly respond after a period of time,
  │   or established connection failed because connected host has failed to respond. (os error 10060)
  ├─▶ tcp connect error: A connection attempt failed because the connected party did not properly respond after a period of time, or established
  │   connection failed because connected host has failed to respond. (os error 10060)
  ╰─▶ A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because
      connected host has failed to respond. (os error 10060)

@tdejager
Contributor

@baszalmstra didn't we see this before with the native-tls vs rustls version?

@baszalmstra
Contributor

Would it be possible to add the certificate to your system's root trust store? Pixi does read certificates from there. It doesn't support passing a custom self-signed certificate.

@vigneshmanick
Contributor Author

Unfortunately the machine is locked down (all the dev machines are). I have no rights to update the cert store and this is why I manually enter the value to the conda config.

@vigneshmanick
Contributor Author

So I tried on another work machine that has the certificates added to the system's root store and I get the following error:

pixi install -v --tls-no-verify
 INFO pixi::config: Global config not found at /home/user/.config/pixi/config.toml
 INFO pixi::config: Global config not found at /scratch/user/myprograms/pixi/config.toml
 INFO pixi::environment: verifying prefix location is unchanged, with prefix file: /scratch/user/projects/test_pixi/.pixi/envs/default/conda-meta/pixi_env_prefix
 INFO pixi::lock_file::outdated: environment 'default' is out of date because it does not exist in the lock-file.
 WARN rattler_repodata_gateway::fetch: failed to perform HEAD request on 'https://conda.anaconda.org/conda-forge/noarch/repodata.json.zst': Request error: error sending request for url (https://conda.anaconda.org/conda-forge/noarch/repodata.json.zst): error trying to connect: dns error: failed to lookup address information: Name does not resolve. Assuming its unavailable..
 WARN rattler_repodata_gateway::fetch: failed to perform HEAD request on 'https://conda.anaconda.org/conda-forge/noarch/repodata.json.bz2': Request error: error sending request for url (https://conda.anaconda.org/conda-forge/noarch/repodata.json.bz2): error trying to connect: dns error: failed to lookup address information: Name does not resolve. Assuming its unavailable..
 WARN rattler_repodata_gateway::fetch: failed to perform HEAD request on 'https://conda.anaconda.org/conda-forge/noarch/repodata.jlap': Request error: error sending request for url (https://conda.anaconda.org/conda-forge/noarch/repodata.jlap): error trying to connect: dns error: failed to lookup address information: Name does not resolve. Assuming its unavailable..
ERROR rattler_repodata_gateway::fetch: error=Request error: error sending request for url (https://conda.anaconda.org/conda-forge/noarch/repodata.json): error trying to connect: dns error: failed to lookup address information: Name does not resolve
 WARN rattler_repodata_gateway::fetch: failed to perform HEAD request on 'https://conda.anaconda.org/conda-forge/linux-64/repodata.json.zst': Request error: error sending request for url (https://conda.anaconda.org/conda-forge/linux-64/repodata.json.zst): error trying to connect: dns error: failed to lookup address information: Name does not resolve. Assuming its unavailable..
 WARN rattler_repodata_gateway::fetch: failed to perform HEAD request on 'https://conda.anaconda.org/conda-forge/linux-64/repodata.json.bz2': Request error: error sending request for url (https://conda.anaconda.org/conda-forge/linux-64/repodata.json.bz2): error trying to connect: dns error: failed to lookup address information: Name does not resolve. Assuming its unavailable..
 WARN rattler_repodata_gateway::fetch: failed to perform HEAD request on 'https://conda.anaconda.org/conda-forge/linux-64/repodata.jlap': Request error: error sending request for url (https://conda.anaconda.org/conda-forge/linux-64/repodata.jlap): error trying to connect: dns error: failed to lookup address information: Name does not resolve. Assuming its unavailable..
ERROR rattler_repodata_gateway::fetch: error=Request error: error sending request for url (https://conda.anaconda.org/conda-forge/linux-64/repodata.json): error trying to connect: dns error: failed to lookup address information: Name does not resolve
  x failed to fetch repodata from channels
  |-> Request error: error sending request for url (https://conda.anaconda.org/conda-forge/linux-64/repodata.json): error trying to connect: dns error: failed to lookup address information: Name does not
  |   resolve
  |-> error sending request for url (https://conda.anaconda.org/conda-forge/linux-64/repodata.json): error trying to connect: dns error: failed to lookup address information: Name does not resolve
  |-> error trying to connect: dns error: failed to lookup address information: Name does not resolve
  |-> dns error: failed to lookup address information: Name does not resolve
  `-> failed to lookup address information: Name does not resolve

@vigneshmanick
Contributor Author

vigneshmanick commented Mar 30, 2024

I think I have figured out the solution for Windows (should be the same for other OS too). It requires the SSL_CERT_FILE and both the http_proxy and https_proxy environment variables set. Once these have all been set, the connection works.

Rustls mentions the SSL_CERT_FILE here

For proxy, I followed the steps from conda documentation as mentioned here and listed below for sake of clarity.

  1. In the Start menu, search for “env”.
  2. Select “Edit Environment Variables for your account”
  3. Select “Environment Variables…”
  4. Press “New…”
  5. Add two variables http_proxy and https_proxy both with the same value: http://proxy-xx:XXX/
  6. Add another variable SSL_CERT_FILE with the value as path to the custom cert file, e.g. C:\Users\user\data\custom-cert.crt

After this, open a new terminal and the pixi commands, e.g. pixi add pydantic, should work.
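
A preflight check for the three variables named in the comment above (http_proxy, https_proxy, SSL_CERT_FILE), as an added example that is not part of the original comment and not pixi's own code. The function name `check_proxy_tls_env` is an assumption; the certificate is loaded with Python's `ssl` module, which expects PEM, so the check confirms the file is a usable CA bundle without touching the network or disabling TLS verification.

```python
import os
import ssl
import time
from urllib.parse import urlsplit


def check_proxy_tls_env(env=None):
    """Return (level, message) findings for the proxy and CA variables."""
    env = dict(os.environ) if env is None else dict(env)
    findings = []

    for name in ("http_proxy", "https_proxy"):
        # Accept either spelling; Windows treats variable names case-insensitively.
        value = env.get(name) or env.get(name.upper())
        if not value:
            findings.append(("error", f"{name} is not set"))
            continue
        url = urlsplit(value)
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(("error", f"{name} is not an http(s):// URL"))
        elif url.password:
            findings.append(("warn", f"{name} embeds a password in the environment"))

    cafile = env.get("SSL_CERT_FILE")
    if not cafile:
        findings.append(("error", "SSL_CERT_FILE is not set"))
    elif not os.path.isfile(cafile):
        findings.append(("error", f"SSL_CERT_FILE does not exist: {cafile}"))
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
        try:
            ctx.load_verify_locations(cafile=cafile)  # cafile must be PEM
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            findings.append(("error", f"SSL_CERT_FILE could not be loaded as PEM: {exc}"))
        else:
            cas = ctx.get_ca_certs()  # lists only certificates usable as a CA
            if not cas:
                findings.append(("error", "SSL_CERT_FILE holds no CA certificate"))
            for ca in cas:
                if ssl.cert_time_to_seconds(ca["notAfter"]) < time.time():
                    findings.append(("warn", f"expired CA: {ca['subject']}"))
    return findings


if __name__ == "__main__":
    # Run in the same new terminal that pixi will be started from.
    for level, message in check_proxy_tls_env():
        print(f"{level.upper():5} {message}")
```

An empty result means all three variables are set and the file loads as at least one unexpired CA certificate.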

@ruben-arts
Contributor

Closing this Issue for now with the latest comment from @vigneshmanick as solution.

@wolfv
Member

wolfv commented Apr 5, 2024

@ruben-arts should we track that we want to add ssl_cert or something along those lines as a global config option? Maybe proxies as well.
