cannot download the amplicon distro or get it to install without a certificate

MattyKutna · November 13, 2023, 3:37pm

GM, first time poster here. I'm trying to help a user in our environment get QIIME2 working.

The user is on a windows 10 machine but we have WSL installed and are using Ubuntu2 as the distro. I'm using the instructions posted here:

Natively installing QIIME 2 — QIIME 2 2023.9.2 documentation

I've got Conda and Mamba installed but cannot create the environment using "mamba env create" command.

- Have you searched for the problem on the forum? It is rare that we see a new question asked, so make sure you do your homework before asking for us to commit our time to helping you.
Yes, there are many entries for my issue but I'm not seeing a specific one with my issue being resolved.

- Version of QIIME 2 you are running, and how it is installed (e.g. Virtualbox, conda, etc.)
Haven't gotten the QIIME2 installation working yet.

- What is the exact command or commands you ran? Copy and paste please.
1 - wget https://data.qiime2.org/distro/shotgun/qiime2-shotgun-2023.9-py38-linux-conda.yml
2 - mamba env create -n qiime2-amplicon-2023.9 --file qiime2-amplicon-2023.9-py38-linux-conda.yml

I am unable to download the file using command "1" but was able to download it using the no check certificate flag. I then tried to use command "2" but received another error.

- What is the exact error message? If you didn't run the command with the --verbose flag, please re-run and copy-and-paste the results.
-------------------------------------------------------1--------------------------------------------------------------------------------
--2023-11-08 17:08:57-- https://data.qiime2.org/distro/shotgun/qiime2-shotgun-2023.9-py38-linux-conda.yml

Resolving data.qiime2.org (data.qiime2.org)... 54.200.1.12

Connecting to data.qiime2.org (data.qiime2.org)|54.200.1.12|:443... connected.

ERROR: cannot verify data.qiime2.org's certificate, issued by ‘[email protected],CN=A10_RES2_SSLi_Cert,OU=ESN,O=Department of the Interior,L=Reston,ST=VA,C=US’:

Unable to locally verify the issuer's authority.

To connect to data.qiime2.org insecurely, use `--no-check-certificate'.
---------------------------------------------------2------------------------------------------------------------------------------------Retrieving notices: ...working... done
https://packages.qiime2.org/qiime2/2023.9/amplic.. Checked 6.4s
https://packages.qiime2.org/qiime2/2023.9/amplic.. Checked 6.0s
conda-forge/noarch 12.5MB @ 10.0MB/s 1.2s
pkgs/r/linux-64 No change
pkgs/main/noarch No change
bioconda/noarch 4.7MB @ 3.5MB/s 1.3s
bioconda/linux-64 5.2MB @ 3.8MB/s 1.4s
pkgs/r/noarch No change
pkgs/main/linux-64 5.5MB @ 3.0MB/s 1.8s
conda-forge/linux-64 30.5MB @ 16.0MB/s 1.9s

>>>>>>>>>>>>>>>>>>>>>> ERROR REPORT <<<<<<<<<<<<<<<<<<<<<<

Traceback (most recent call last):
  File "/home/sgallotti/miniconda3/lib/python3.11/site-packages/conda/exception_handler.py", line 17, in __call__
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/sgallotti/miniconda3/lib/python3.11/site-packages/conda_env/cli/main.py", line 56, in do_call
    exit_code = getattr(module, func_name)(arguments, parser)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/sgallotti/miniconda3/lib/python3.11/site-packages/conda/notices/core.py", line 119, in wrapper
    return_value = func(*args, **kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^
  File "/home/sgallotti/miniconda3/lib/python3.11/site-packages/conda_env/cli/main_create.py", line 164, in execute
    result[installer_type] = installer.install(
                             ^^^^^^^^^^^^^^^^^^
  File "/home/sgallotti/miniconda3/lib/python3.11/site-packages/mamba/mamba_env.py", line 54, in mamba_install
    index = load_channels(pool, channel_urls, repos, prepend=False)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/sgallotti/miniconda3/lib/python3.11/site-packages/mamba/utils.py", line 126, in load_channels
    index = get_index(
            ^^^^^^^^^^
  File "/home/sgallotti/miniconda3/lib/python3.11/site-packages/mamba/utils.py", line 107, in get_index
    is_downloaded = dlist.download(api.MAMBA_DOWNLOAD_FAILFAST)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
RuntimeError: Download error (60) SSL peer certificate or SSH remote key was not OK [https://packages.qiime2.org/qiime2/2023.9/amplicon/released/noarch/repodata.json]
SSL certificate problem: unable to get local issuer certificate

$ /home/sgallotti/miniconda3/bin/mamba create -n qiime2-amplicon-2023.9 --file qiime2-amplicon-2023.9-py38-linux-conda.yml

environment variables:
CIO_TEST=
CONDA_AUTO_UPDATE_CONDA=false
CONDA_DEFAULT_ENV=base
CONDA_EXE=/home/sgallotti/miniconda3/bin/conda
CONDA_PREFIX=/home/sgallotti/miniconda3
CONDA_PROMPT_MODIFIER=(base)
CONDA_PYTHON_EXE=/home/sgallotti/miniconda3/bin/python
CONDA_ROOT=/home/sgallotti/miniconda3
CONDA_SHLVL=1
CURL_CA_BUNDLE=
LD_PRELOAD=
PATH=/home/sgallotti/miniconda3/bin:/home/sgallotti/miniconda3/condabin:/us
r/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/
usr/local/games:/usr/lib/wsl/lib:/mnt/c/WINDOWS/system32:/mnt/c/WINDOW
S:/mnt/c/WINDOWS/System32/Wbem:/mnt/c/WINDOWS/System32/WindowsPowerShe
ll/v1.0:/mnt/c/WINDOWS/System32/OpenSSH:/mnt/c/Program Files
(x86)/Pulse Secure/VC142.CRT/X64:/mnt/c/Program Files (x86)/Pulse
Secure/VC142.CRT/X86:/mnt/c/Program Files (x86)/Common Files/Pulse
Secure/VC142.CRT/X64:/mnt/c/Program Files (x86)/Common Files/Pulse
Secure/VC142.CRT/X64:/mnt/c/Program Files (x86)/Common Files/Pulse
Secure/VC142.CRT/X86:/mnt/c/Program Files (x86)/Common Files/Pulse
Secure/TNC Client Plugin:/mnt/c/Program Files
(x86)/REFPROP:/mnt/c/Program Files/dotnet:/mnt/c/Users/sgallotti/AppDa
ta/Local/Microsoft/WindowsApps:/snap/bin
REQUESTS_CA_BUNDLE=
SSL_CERT_FILE=

 active environment : base
active env location : /home/sgallotti/miniconda3
        shell level : 1
   user config file : /home/sgallotti/.condarc

populated config files : /home/sgallotti/.condarc
conda version : 23.10.0
conda-build version : not installed
python version : 3.11.6.final.0
virtual packages : __archspec=1=skylake
__glibc=2.35=0
__linux=5.10.16.3=0
__unix=0=0
base environment : /home/sgallotti/miniconda3 (writable)
conda av data dir : /home/sgallotti/miniconda3/etc/conda
conda av metadata url : None
channel URLs : conda-forge/linux-64
conda-forge/noarch
main/linux-64
main/noarch
r/linux-64
r/noarch
package cache : /home/sgallotti/miniconda3/pkgs
/home/sgallotti/.conda/pkgs
envs directories : /home/sgallotti/miniconda3/envs
/home/sgallotti/.conda/envs
platform : linux-64
user-agent : conda/23.10.0 requests/2.31.0 CPython/3.11.6 Linux/5.10.16.3-microsoft-standard-WSL2 ubuntu/22.04.3 glibc/2.35 solver/libmamba conda-libmamba-solver/23.11.0 libmambapy/1.5.3
UID:GID : 1000:1000
netrc file : None
offline mode : False

An unexpected error has occurred. Conda has prepared the above report.
If you suspect this error is being caused by a malfunctioning plugin,
consider using the --no-plugins option to turn off plugins.

Example: conda --no-plugins install

Alternatively, you can set the CONDA_NO_PLUGINS environment variable on
the command line to run the command without plugins enabled.

Example: CONDA_NO_PLUGINS=true conda install

Thanks for all your help!

Matt

colinbrislawn · November 13, 2023, 4:00pm

Hello Matt,

Thanks for reaching out to us!

Something is funky, as disabling ssl certs is never the best solution...

Does your system have other network connectivity limitations? I'm thinking company firewall, country firewall, etc?

Can you update other software, or is anaconda/conda/mamba fully broken?

mamba update mamba
mamba update wget

MattyKutna · November 13, 2023, 6:02pm

I can update mamba, wget says it is up to date:

--------------------------------------------------------------------------------------------------------------------------------------------(base) sgallotti@IGSAAA071L00190:/mnt/c/Users/sgallotti$ mamba update mamba

Looking for: ['mamba']

pkgs/main/noarch No change
pkgs/r/linux-64 No change
pkgs/r/noarch No change
pkgs/main/linux-64 No change
conda-forge/noarch 12.6MB @ 11.1MB/s 1.1s
conda-forge/linux-64 30.5MB @ 16.2MB/s 1.9s

Pinned packages:

python 3.11.*

Transaction

Prefix: /home/sgallotti/miniconda3

Updating specs:

mamba
ca-certificates
certifi
openssl

Package Version Build Channel Size
──────────────────────────────────────────────────────────────────
Change:
──────────────────────────────────────────────────────────────────

libmamba 1.5.3 had39da4_1 conda-forge Cached

libmamba 1.5.3 had39da4_2 conda-forge 2MB

libmambapy 1.5.3 py311hf2555c7_1 conda-forge Cached

libmambapy 1.5.3 py311hf2555c7_2 conda-forge 303kB

mamba 1.5.3 py311h3072747_1 conda-forge Cached

mamba 1.5.3 py311h3072747_2 conda-forge 66kB

Summary:

Change: 3 packages

Total download: 2MB

──────────────────────────────────────────────────────────────────

Confirm changes: [Y/n] y
mamba 66.4kB @ 862.1kB/s 0.1s
libmamba 1.7MB @ 12.4MB/s 0.1s
libmambapy 303.3kB @ 2.2MB/s 0.1s

Downloading and Extracting Packages:

Preparing transaction: done
Verifying transaction: done
Executing transaction: done
(base) sgallotti@IGSAAA071L00190:/mnt/c/Users/sgallotti$ mamba update wget

Looking for: ['wget']

conda-forge/linux-64 Using cache
conda-forge/noarch Using cache
pkgs/main/linux-64 Using cache
pkgs/main/noarch Using cache
pkgs/r/linux-64 Using cache
pkgs/r/noarch Using cache

Pinned packages:

python 3.11.*

Transaction

Prefix: /home/sgallotti/miniconda3

All requested packages already installed

Still getting an error when attempting to download with wget. Im putiing extra spaces in my links because the forum wouldnt let me post another link.

wget https:// data. qiime2. org/distro/shotgun/qiime2-shotgun-2023.9-py38-linux-conda.yml
--2023-11-13 12:53:05-- https:// data. qiime2. org/distro/shotgun/qiime2-shotgun-2023.9-py38-linux-conda.yml
Resolving -data.qiime2.org (data .qiime2.org)... 54.200.1.12
Connecting to -data.qiime2.org (data .qiime2.org)|54.200.1.12|:443... connected.
ERROR: cannot verify -data.qiime2.org's certificate, issued by ‘[email protected],CN=A10_RES2_SSLi_Cert,OU=ESN,O=Department of the Interior,L=Reston,ST=VA,C=US’:
Unable to locally verify the issuer's authority.
To connect to data. qiime2. org insecurely, use `--no-check-certificate'.

colinbrislawn · November 13, 2023, 6:47pm

OK, we are making progress!

EDIT: Perhaps not:
~~This confirms that the problem is related to the Qiime2 conda channel (yes, we have our own conda channel) and that other channels work fine.~~

@lizgehret is the deployment engineer who can tell us more

colinbrislawn · November 14, 2023, 1:28am

Hello Matt,

I messed up. Thank you for reminding me that this issue is at the wget step.

From my computer, the server and that URL are working fine, which implies that something is still wrong with the wget / SSL setup on this machine.

This error essentially means that it can't locally verify the cert associated with data.qiime2.org (which is where we host all of our data URLs). Perhaps there is an outdated version of openssl or ca-certificates being called by wget.

Is the wget from conda being installed? Run which wget to find out.
Can you download other files, or transfer files to this machine another way?

MattyKutna · November 14, 2023, 3:02pm

So the issue is with our org firewall or certs. The user was working from home today and I was able to wget the file and create the environment. Sorry for the false alarm, hopefully this info will help others with the same cert issues.

Thanks again for your time and attention, have a great day!