WFPiConsole Update issue - invalid or expired cert?

Developers WeatherFlow PiConsole
1

Haven’t had issues in the past but now when trying to go from 25.2.1 to 25.9.2 I receive the following error:

 [✗] Updating Python module
  Error: Unable to update Python module: ephem

 Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting ephem==4.2
  WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1137)'))': /simple/ephem/ephem-4.2-cp39-cp39-linux_armv7l.whl
  WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1137)'))': /simple/ephem/ephem-4.2-cp39-cp39-linux_armv7l.whl
  WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1137)'))': /simple/ephem/ephem-4.2-cp39-cp39-linux_armv7l.whl
  WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1137)'))': /simple/ephem/ephem-4.2-cp39-cp39-linux_armv7l.whl
  WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1137)'))': /simple/ephem/ephem-4.2-cp39-cp39-linux_armv7l.whl
ERROR: Could not install packages due to an OSError: HTTPSConnectionPool(host='archive1.piwheels.org', port=443): Max retries exceeded with url: /simple/ephem/ephem-4.2-cp39-cp39-linux_armv7l.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1137)')))

Any thoughts here? Haven’t seen this issue posted before so thought I’d create a new thread. This is on: Raspbian GNU/Linux 11 (bullseye)

Thanks in advance for any help here

2

Always google for your exact error. The answer appears right away at the top of the page.

3

Did you manage to fix your issue?

4

I was out of town for a few days and just re-ran the update. It worked, so my assuption is that they updated their cert on the archive1.piwheels.org server which was throwing the error. I would call this most likely just a temporary issue which is now resolved.

1 Like
5

Telling people to google isn’t a useful reply. Of course I googled and of course it told me it was a cert issue.

6

The error message SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1137) indicates that an SSL/TLS certificate used in a secure connection has passed its validity period and is no longer considered trustworthy. This prevents the establishment of a secure connection.

Here are potential solutions to address this issue:

  • Renew the Expired Certificate:

    If you are the owner or administrator of the server using the expired certificate, you must renew it through your Certificate Authority (CA) and install the new certificate on the server.

  • Verify System Date and Time:

    Ensure that the date and time on the machine encountering the error are accurate. An incorrect system clock can lead to certificates appearing expired prematurely.

  • Update Certificate Bundles:

    The list of trusted Certificate Authorities (CAs) on your system or in your application might be outdated. Update your system’s CA certificates or the certifi package in Python, if applicable.

Code

    pip install --upgrade certifi

Disagree. Trying to teach people how to fend for themselves is always a useful reply. If you had googled for that exact message and looked for the suggestions at the top of the found results, you’d have seen how to update your certs.

7

upgrading certifi wasn’t the problem (and I didn’t do that) - the server correcting their expired cert was - which I couldn’t control, just had to wait.

I would in general take the assumption that anyone monkeying around with one of these likely knows how to google or they wouldn’t have found it to begin with it’s not exactly promoted everywhere.

8

Is there a command line switch somewhere in the Python update process that can be used to skip the certificate validation? Many apps have this, to skip validating self-signed certs…

9

Quick looks seems to be a yes….

(from Google)

Disable Verification (Temporary/Development Only): In development or testing environments, you might temporarily disable SSL certificate verification.This is not recommended for production environments due to security risks.

    • In Python with the requests library, you can use verify=False.

    • For curl, use the -k or --insecure option.

(wfpiconsole.sh line 863 or so)

update() {

# Fetch the latest update code directly from the main Github branch. This
# ensures that changes in dependencies are addressed during this update
curl -sSL $WFPICONSOLE_MAIN_UPDATE | bash -s run_update

}

So my untested guess is adding -k to the curl options might do the trick….

1 Like