Could not find a suitable TLS CA certificate bundle, when installing dependencies #6626

Closed
3 of 4 tasks
whs opened this issue Sep 26, 2022 · 2 comments
Labels
status/invalid Invalid issue or PR

whs commented Sep 26, 2022

  • I am on the latest stable Poetry version, installed using a recommended method.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • I have consulted the FAQ and blog for any relevant entries or release notes.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option) and have included the output below.

Issue

Using the Dockerfile and pyproject.toml from the gist, I'm able to replicate #5977

  OSError

  Could not find a suitable TLS CA certificate bundle, invalid path: /usr/local/lib/python3.9/dist-packages/certifi/cacert.pem

  at /usr/local/lib/python3.9/dist-packages/requests/adapters.py:263 in cert_verify
      259│             if not cert_loc:
      260│                 cert_loc = extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
      261│ 
      262│             if not cert_loc or not os.path.exists(cert_loc):
    → 263│                 raise OSError(
      264│                     f"Could not find a suitable TLS CA certificate bundle, "
      265│                     f"invalid path: {cert_loc}"
      266│                 )
      267│ 

I've tested these variants:

  • The same case does work normally with python:3.10 (python@sha256:e9c35537103a2801a30b15a77d4a56b35532c964489b125ec1ff24f3d5b53409) image
  • In some cases I can get it to break without installing requests, but I'm unable to produce a public test case
  • It reproduces on both bullseye (debian@sha256:3e82b1af33607aebaeb3641b75d6e80fd28d36e17993ef13708e9493e30e8ff9) and bullseye-slim (debian@sha256:5cf1d98cd0805951484f33b34c1ab25aac7007bb41c8b9901d97e4be3cf3ab04)

whs added the kind/bug and status/triage labels Sep 26, 2022
neersighted added the status/invalid label and removed the kind/bug and status/triage labels Sep 26, 2022

neersighted (Member) commented Sep 26, 2022

This is not a valid reproduction -- you have installed Poetry into the system packages directory and then installed your own project into it. You are running into Poetry shifting certifi underneath itself while it is still running and removing the SSL CA bundle out from under itself. This creates a race and the next package cannot be retrieved due to not having a CA bundle.

To prevent this, please use a recommended method (as suggested in the docs/issue template) -- we cannot provide support for this unsupported configuration of Poetry, as there is simply no way to prevent Poetry from changing its own dependencies when sharing an environment with your project.

Also, please consider #6398 -- there is no good reason in 95% of circumstances to avoid a virtual environment in a container, and you expose yourself to all sorts of fun sharp edges if you choose not to use them. They serve as a barrier against decisions and contamination from your Python packager/distro as well as other projects (like Poetry itself).

neersighted closed this as not planned Sep 26, 2022
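
The overlap described in the comment above can be checked before an install. The following is an added example, not part of the issue thread or of Poetry's code: it reads installed-package metadata with importlib.metadata and reports which of a tool's own dependencies an install into the same site-packages would replace. The function names, the resolved install set and the metadata written by fake_site are constructed for illustration.

```python
import re
import tempfile
from importlib import metadata
from pathlib import Path


def norm(name):
    """Normalize a distribution name as PEP 503 does."""
    return re.sub(r"[-_.]+", "-", name).lower()


def tool_closure(site_dir, tool):
    """Names of `tool` and its transitive dependencies installed in site_dir."""
    dists = {norm(d.metadata["Name"]): d
             for d in metadata.distributions(path=[str(site_dir)])}
    seen, stack = set(), [norm(tool)]
    while stack:
        name = stack.pop()
        if name in seen or name not in dists:
            continue
        seen.add(name)
        for req in dists[name].requires or []:
            # Keep only the name part of e.g. "certifi>=2017.4.17; extra == 'x'"
            stack.append(norm(re.split(r"[^A-Za-z0-9._-]", req, maxsplit=1)[0]))
    return seen


def self_modification_risk(site_dir, tool, to_install):
    """Packages an install into site_dir would replace under the running tool."""
    return sorted(tool_closure(site_dir, tool) & {norm(p) for p in to_install})


def fake_site(root, dists):
    """Write constructed *.dist-info metadata from {name: [requirements]}."""
    for name, reqs in dists.items():
        info = Path(root, f"{name}-1.0.dist-info")
        info.mkdir(parents=True)
        lines = ["Metadata-Version: 2.1", f"Name: {name}", "Version: 1.0"]
        lines += [f"Requires-Dist: {r}" for r in reqs]
        (info / "METADATA").write_text("\n".join(lines) + "\n")
    return root


def demo():
    """Constructed layouts: shared site-packages vs. a project-only environment."""
    project = ["requests", "certifi"]  # constructed resolved install set
    shared = fake_site(tempfile.mkdtemp(), {
        "poetry": ["requests>=2.18"], "requests": ["certifi>=2017.4.17"], "certifi": []})
    isolated = fake_site(tempfile.mkdtemp(), {"requests": ["certifi"], "certifi": []})
    return [self_modification_risk(d, "poetry", project) for d in (shared, isolated)]
```

A non-empty result for the target site-packages means the install would touch packages the running tool imports from, which is the condition that leaves requests without a CA bundle in the traceback above.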

github-actions bot commented Mar 1, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions bot locked as resolved and limited conversation to collaborators Mar 1, 2024