1. PyPA
  2. Python Packaging Authority Projects
  3. pypi
  4. Issues


Issue #124 wontfix

Please use a certificate issues for pypi.python.org

Dariusz Suchojad
created an issue


I'm in a middle of resolving an issue with our build infrastructure and apparently the reason for various failures in downloading packages from PyPI is that the certificate pypi.python.org uses has been issued to *.a.ssl.fastly.net - can you please change it?

Hasn't anyone noticed it before?

Thanks a lot.

Comments (5)

  1. Donald Stufft

    The certificate is issues for pypi.python.org. However it is using a SAN instead of the CN. Something in your build chain doesn't support SAN certificates, whatever that is needs fixed.

  2. Donald Stufft

    That's surprising. PyPI has had this certificate since March of 2013 and I haven't heard the buildout users complaining that it isn't working for them. I'd suggest perhaps raising an issue over on their tracker.

    For the record the reason we use a SAN instead of a CN is that PyPI is behind a Fastly provided CDN. If Fastly used the CN for every person who used SSL for their site they would need an additional set of IP addresses in every POP they have for each of their customers. This gets pretty expensive pretty fast. In order to allow people to share a single certificate they use "mega" certificates which just have a bunch of SAN records attached to them for the various sites. Fastly does offer the ability to use the CN but that is a ~1500/month service from them and given that supporting SAN is a good thing to do in general we aren't going to ask them to donate an additional $1500/month service to us ontop of the ~$4000/month service we're already getting from them for free.

  3. Log in to comment