Windows pip ssl certificate

pip 9.0.1: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) #4459

Comments

az-z commented May 1, 2017 •

  • Pip version: 9.0.1
  • Python version: 2.7.13
  • Operating system: Fedora 25

Description:

Expect a normal operation, not an exception.
A note about my environment: I'm running behind cntlm and the corp proxy.
pip works only if I provide the "--trusted-site" command line parameter.
The valid certificate has been placed into /etc/pki/ca-trust/, but since Python is NOT checking that location:

I linked it to /etc/pki/tls/certs/:

Yet I'm still facing the same error.

Why is this an issue:

Any software that relies on pip would fail in a situation where it must provide a command line parameter, for example Atom's apm.

What I’ve run:

pip -v search pip

at the same time:


noamelf commented Sep 11, 2017 •

We had this error too with:


marekyggdrasil commented Sep 15, 2017

dbellavista commented Oct 3, 2017

Same here. I’m trying to use pip behind a corporate proxy.

I have correctly set up the proxy:

  • /usr/lib/ssl/certs/ca-certificates.crt correctly includes my CA
  • /usr/lib/ssl/cert.pem is a symlink to /usr/lib/ssl/certs/ca-certificates.crt
  • curl works correctly

python -c "import ssl; print(ssl.get_default_verify_paths())"

pip search SimpleHTTPServer

  • pip --cert /usr/lib/ssl/cert.pem search SimpleHTTPServer works
  • as well as REQUESTS_CA_BUNDLE="/usr/lib/ssl/cert.pem" pip search SimpleHTTPServer

However, since I'm using an automatic provisioning system I don't want to edit the pip command to always run with --cert or set up specific environments just for supporting pip. And for security reasons, using PIP_TRUSTED_HOST is not an option.

Is there a way to automatically setup the certfile?

0x00evil commented Oct 27, 2017

Got the same problem when installing pyspark with pip3.
pip3 install pyspark

OS: MacOS 10.11
pip: 9.0.1

butterl commented Apr 21, 2018

any solution here?

dpdornseifer commented May 14, 2018

There is an issue regarding TLS name verification in pip 9.0.1. You can update it via

If you are using virtualenv, you can use virtualenv 15.2.0 (https://pypi.org/project/virtualenv/) there the pip version has been fixed.

pradyunsg commented Jun 6, 2018

On older versions of pip, you might be facing these SSL issues (likely due to the lack of support for TLS 1.2 on the system).

If you trust the hosts for PyPI or upgrade to a newer pip using:

If the above doesn’t work, let me know. 🙂

25b3nk commented Sep 12, 2018

Still could not use pip3 to install or upgrade.
System: Ubuntu 16.04
Python-3.6.3
pip-9.0.1

pradyunsg commented Sep 14, 2018

henrytom1703 commented Sep 29, 2018 •

Hello,
I also have this issue.

pip 18.0 from c:\python27\lib\site-packages\pip (python 2.7)

wkruse commented Mar 11, 2019

pip --cert /etc/ssl/certs/ca-bundle.crt install --no-cache-dir awscli works.

Seems like SSL_CERT_FILE is ignored by pip .

ghost commented Mar 16, 2019 •

I'm getting the same error

ghost commented Mar 20, 2019 •

I've been facing the same issue since morning.

I've tried all the options suggested but they don't work. I spent the entire day debugging it, but to no avail.

Mac 10.13.6
py 3.6

Ranjanpiyush commented Mar 21, 2019 •

I have also been facing the same issue for the last 15 hours. I tried using the trusted-source, which works for pip, but when connecting to Salesforce through Python using simple_salesforce I am getting the same SSL error. Any help will be highly appreciated.
Python version 3.6.6
OS Windows 8

ghost commented Mar 21, 2019

I removed verify_ssl = True and it's working for now.
However, this issue made a mess of my Python environment. I did many things as mentioned in various SO posts and don't even remember everything I did. The final result is that my Python env is broken, and I've installed py 3.7 fresh in a separate venv and am using it for the time being.

Really frustrating experience

Ranjanpiyush commented Mar 22, 2019

I reinstalled Python and all the relevant packages but am still getting the same error. Is it possible this might be caused by the firewall settings of my organization?

cdauth commented Apr 19, 2019

I came across this error while operating in a chroot environment. I solved it by running on the host system:

KhanterWinters commented Jun 10, 2019 •

I am getting this while trying to install a Package:

chrahunt commented Oct 6, 2019

First off, sorry for any frustration this has caused. I’ve been there, and it sucks. There are a lot of moving parts to debug and understand in issues like these, and it doesn’t help that some of the information on how pip behaves here isn’t documented.

The current pip behavior is described in #6720 (comment). To summarize, here is the precedence for CA certificates (highest to lowest, where a higher one completely overrides the ones below):

  1. path provided to --cert
  2. Any cert setting in a pip configuration file (overridden as described in the docs)
  3. REQUESTS_CA_BUNDLE environment variable
  4. CURL_CA_BUNDLE environment variable
  5. output of pip._vendor.certifi.where() , by default this is the bundled root CA certs from certifi but it may be overridden by your distribution

pip does not use:

If you are facing issues like those described above, then try the following:

  1. If you know that your repository uses a certificate that will need a custom CA certificate to verify, then provide that CA certificate to pip using the --cert option.
  2. If it works, then set the cert option in your user-specific configuration file to point to that file.
  3. If you are an administrator and you don’t want every user to have to set this, then set it globally using the global pip configuration file relevant to your OS.

I hope there is enough information here to help most of the problems mentioned.

We want to make sure everyone gets help, so let’s proceed like this: I will close this issue. Anyone still having problems, please create a separate issue so we can dig into your specific situation. Try to provide as much information as possible, at least what is mentioned in the Bug Report template. With that we should be able to help you more effectively.
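The precedence list above, written out as a small resolver. This is an added example, not pip's own code and not part of the original comment. The function names, the `PIP_CERT` entry (pip's documented environment override for the `cert` option), the placeholder for the certifi path and the sample inputs are assumptions made for illustration.

```python
import configparser
import os

# Variables that posters in this thread set without any effect on pip.
NOT_IN_PRECEDENCE = ("SSL_CERT_FILE", "SSL_CERT_DIR")


def config_cert(pip_conf_text):
    """Return the `cert` value from the [global] section of pip.conf text, or None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(pip_conf_text)
    return parser.get("global", "cert", fallback=None)


def resolve_ca_bundle(cli_cert=None, pip_conf_text="", environ=None,
                      certifi_path="<pip._vendor.certifi.where()>"):
    """Walk the list highest-first and return (source, path, warnings).

    The first non-empty entry wins and completely overrides the ones below it.
    """
    environ = os.environ if environ is None else environ
    candidates = [
        ("--cert", cli_cert),
        ("PIP_CERT", environ.get("PIP_CERT")),          # overrides config files
        ("pip.conf cert", config_cert(pip_conf_text)),
        ("REQUESTS_CA_BUNDLE", environ.get("REQUESTS_CA_BUNDLE")),
        ("CURL_CA_BUNDLE", environ.get("CURL_CA_BUNDLE")),
        ("certifi", certifi_path),                      # bundled fallback
    ]
    source, path = next((s, p) for s, p in candidates if p)
    warnings = [name + " is set but is not in pip's CA precedence list"
                for name in NOT_IN_PRECEDENCE if environ.get(name)]
    return source, path, warnings


if __name__ == "__main__":
    # Constructed inputs modelled on paths quoted in this thread.
    conf = "[global]\ncert = /etc/pki/tls/external-roots/ca_bundle.pem\n"
    env = {"SSL_CERT_FILE": "/etc/pki/ca-trust-extracted/pem/tls-ca-bundle.pem",
           "REQUESTS_CA_BUNDLE": "/usr/lib/ssl/cert.pem"}
    print(resolve_ca_bundle(pip_conf_text=conf, environ=env))
    print(resolve_ca_bundle(environ={"SSL_CERT_FILE": env["SSL_CERT_FILE"]}))
```

The second call shows the failure mode several posters hit: with only `SSL_CERT_FILE` exported, the resolver still lands on the bundled certifi store, so a corporate CA added to the system store is never consulted.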

pip always fails ssl verification

Pip always fails ssl even when I do pip install dedupe or pip install --trusted-host pypi.python.org dedupe

The output is always the same no matter what:

Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)'),)': /simple/dedupe/
Retrying.

Could not find a version that satisfies the requirement dedupe (from versions: ) No matching distribution found for dedupe

So I uninstalled anaconda and reinstalled it. Same thing.

Do you think the problem is that my _ssl.c file (which I have no idea where it is) must be corrupt or something? Why would pip need to reference that if I’m telling it to bypass ssl verification anyway?


It may be related to the 2018 change of PyPI domains.
Please ensure your firewall/proxy allows access to/from:

So you could give a try to something like:

$ python -m pip install --trusted-host files.pythonhosted.org --trusted-host pypi.org --trusted-host pypi.python.org [--proxy . ] [--user]

Please see $ pip help install for the --user option description (omit if in a virtualenv).
The --trusted-host option doesn't actually bypass SSL/TLS, but allows marking a host as trusted when (and only when) it does not have valid (or any) HTTPS. It shouldn't really matter with PyPI because pypi.org (formerly pypi.python.org) does use HTTPS and there is a CDN in front of it which always enforces the TLSv1.2 handshake requirement regardless of the connecting pip client options. But if you had your own local mirrors of pypi.org with HTTP-only access, then --trusted-host could be handy. Oh, and if you are behind a proxy, please make sure to also specify: --proxy [user:passwd@]proxyserver:port
Some corporate proxies may even go as far as to replace the certificates of HTTPS connections on the fly. And if your system clock is out of sync, it could break SSL verification process as well.

If firewall / proxy / clock isn't a problem, then check SSL certificates being used in pip's SSL handshake. In fact, you could just get a current cacert.pem (Mozilla's CA bundle from curl) and try it using the pip option --cert :

/cacert.pem install --user

where --cert argument is system path to your alternate CA bundle in PEM format. (regarding the --user option, please see below).
Or, it’s possible to create a custom config

/.pip/pip.conf and point the option at a valid system cert (or your cacert.pem) as a workaround, for example:
[global]
cert = /etc/pki/tls/external-roots/ca_bundle.pem
(or another pem file)

It’s even possible to manually replace the original cacert.pem found in pip with your trusty CA bundle (if your pip is very old for example). Older pip versions knew to fallback between pip/_vendor/requests/cacert.pem and system stores like /etc/ssl/certs/ca-certificates.crt or /etc/pki/tls/certs/ca-bundle.crt in case of cert issues, but in recent pip it’s no longer the case, as it seems to rely solely on pip/_vendor/certifi/cacert.pem

Basically, pip package uses requests which uses urllib3 which, among other things, verifies SSL certificates; and all of them are shipped (vendored) within pip, along with the certifi package (also included, since pip 9.0.2) that provides current CA bundle (cacert.pem file) required for TLS verification. Requests itself uses urllib3 and certifi internally, and before 9.0.2, pip used cacert.pem from requests or the system. What it all means is that actually updating pip may help fix the CERTIFICATE_VERIFY_FAILED error, particularly if the OS and pip were deployed long ago:

The OP used anaconda, so they could try:
$ conda update pip — because issues can arise if conda and pip are both used together in the same environment. If there’s no pip version update available, they could try:
$ conda config --add channels conda-forge; conda update pip
Alternatively, it’s possible to use conda alone to directly install / manage python packages: it is a tool completely separate from pip, but provides similar features in terms of package and venv management. Its packages come not from PyPI, but from anaconda’s own repositories. The problem is, if you mix both and run conda after pip , the former can overwrite and break packages (and their dependencies) installed via pip, and render it all unusable. So it’s recommended to only use one or the other, or, if you have to, use only pip after conda (and no conda after pip), and only in isolated conda environments.

On normal Linux Python installations without conda:
If you are using a version of pip supplied by your OS distribution, then use vendor-supplied upgrades for a system-wide pip update:
$ sudo apt-get install python-pip or: $ sudo yum install python27-pip
Some updates may not be readily available because distros usually lag behind PyPI. In this case, it’s possible to upgrade pip at your user level (right in your $HOME dir), or inside a virtualenv, like:
$ python -m pip install --user --trusted-host files.pythonhosted.org --trusted-host pypi.org --trusted-host pypi.python.org --upgrade pip
(omit --user if in a virtualenv)
The --user switch will upgrade pip only for the current user (in your home

/.local/lib/) rather than for the whole OS, which is a good practice to avoid interfering with the system python packages. It’s enabled by default in a pip distributed in recent Ubuntu/Fedora versions. Be aware of how to solve ImportError if you don’t use this option and happen to overwrite the OS-level system pip.
Alternatively (also at a user level) you could try:
$ curl -LO https://bootstrap.pypa.io/get-pip.py && python get-pip.py --user
The PyPA script contains a wrapper that extracts the .pem SSL bundle from pip._vendor.certifi.

Otherwise, if still no-go, try running pip with -vvv option to add verbosity to the output and check if there is now another SSLError caused by tlsv1 alert protocol version.

Python (pip) throwing [SSL: CERTIFICATE_VERIFY_FAILED] even if certificate chain updated

This is a followup to a previous SO post.

I am using Windows/cygwin and I have the need for python to understand a custom CA certificate, as the network infrastructure resigns all SSL requests with its own certificate.

If I try to run pip search SimpleHTTPServer , I get the following error message:

I have tried to add the certificates to my list of trusted certificates by doing the following:

  1. Copy my .pem file to /etc/pki/ca-trust/source/anchors
  2. update-ca-trust extract

I have verified that this works as I can now point to the generated PEM file and run pip successfully: pip --cert /usr/local/ssl/cert.pem search SimpleHTTPServer :

However, I want this to work without having to specify the certificate manually every time. I am hoping to update the certificate chain that python uses:

I have verified that through a series of symlinks, that /usr/local/ssl/cert.pem points to the same file. However, if I execute pip , I still get the [SSL: CERTIFICATE_VERIFY_FAILED] error message.

I uninstalled the Windows version of python, and reinstalled the Cygwin version of python. With it, I ran easy_install-2.7 pip . Now at least I am able to execute pip with the full certificate path without an error message:

Just to be safe, I also tried updating the SSL_CERT_DIR variable to point to /etc/pki/ca-trust-extracted/pem and set the SSL_CERT_FILE to /etc/pki/ca-trust-extracted/pem/tls-ca-bundle.pem but these do not work:

What am I doing wrong? Is this a cygwin vs Windows problem? Which PEM files do I need to update?
