pip: pip 9.0.1: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

  • Pip version: 9.0.1
  • Python version: 2.7.13
  • Operating system: Fedora 25

Description:

I expect normal operation, not an exception. A note about my environment: I’m running behind cntlm and the corp proxy. pip works only if I provide the “--trusted-site” command line parameter. The valid certificate has been placed into /etc/pki/ca-trust/, but since Python is NOT checking that location:

python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/etc/pki/tls/cert.pem', capath='/etc/pki/tls/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/pki/tls/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/pki/tls/certs')

I linked it to /etc/pki/tls/certs/:

[root@netdev ~]# ln -s /etc/pki/ca-trust/Proxy_215_PEM.cer /etc/pki/tls/certs/
[root@netdev ~]# ls -l /etc/pki/tls/certs/
total 12
lrwxrwxrwx 1 root root   49 Apr  4 17:37 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root   55 Apr  4 17:37 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rwxr-xr-x 1 root root  610 Feb  6 11:04 make-dummy-cert
-rw-r--r-- 1 root root 2516 Feb  6 11:04 Makefile
lrwxrwxrwx 1 root root   35 May  1 12:33 Proxy_215_PEM.cer -> /etc/pki/ca-trust/Proxy_215_PEM.cer
-rwxr-xr-x 1 root root  829 Feb  6 11:04 renew-dummy-cert

Yet I’m still facing the same error.

Why is this an issue:

Any software that relies on pip would fail in a situation where it must provide a command line parameter, for example Atom’s apm.

What I’ve run:

pip -v search pip

python -V
Python 2.7.13
[az@netdev ~]$ pip -V
pip 9.0.1 from /usr/lib/python2.7/site-packages (python 2.7)
[az@netdev ~]$ pip -v search pip 
Starting new HTTPS connection (1): pypi.python.org
Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/site-packages/pip/commands/search.py", line 45, in run
    pypi_hits = self.search(query, options)
  File "/usr/lib/python2.7/site-packages/pip/commands/search.py", line 62, in search
    hits = pypi.search({'name': query, 'summary': query}, 'or')
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1243, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1602, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/site-packages/pip/download.py", line 775, in request
    headers=headers, stream=True)
  File "/usr/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 522, in post
    return self.request('POST', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/pip/download.py", line 386, in request
    return super(PipSession, self).request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/pip/_vendor/requests/sessions.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/pip/_vendor/cachecontrol/adapter.py", line 47, in send
    resp = super(CacheControlAdapter, self).send(request, **kw)
  File "/usr/lib/python2.7/site-packages/pip/_vendor/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

At the same time:

[az@netdev ~]$ pip -v search pip --trusted-host pypi.python.org
Starting new HTTPS connection (1): pypi.python.org
"POST /pypi HTTP/1.1" 200 None
test-install-1 (1.0.0)                               - this is to test the pip install
abel-airflow (1.7.1.3.post3)                         - Programmatically author, schedule and monitor data pipelines
pip-accel (0.43)                                     - Accelerator for pip, the Python package manager

<skipped>

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 8
  • Comments: 20 (4 by maintainers)

Most upvoted comments

Just dropping in to say, one possible workaround might be to set PIP_TRUSTED_HOST as pypi.python.org.

I removed verify_ssl = True and it’s working for now. However, this issue made a mess of my Python environment. I did many things as mentioned in various SO posts and don’t even remember what all I did. The final result is that my Python env is broken, and I’ve installed py 3.7 fresh in a separate venv and am using it for the time being.

Really frustrating experience

There is an issue regarding TLS name verification in pip 9.0.1. You can update it via

$ curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
$ python get-pip.py

If you are using virtualenv, you can use virtualenv 15.2.0 (https://pypi.org/project/virtualenv/), where the pip version has been fixed.

First off, sorry for any frustration this has caused. I’ve been there, and it sucks. There are a lot of moving parts to debug and understand in issues like these, and it doesn’t help that some of the information on how pip behaves here isn’t documented.

The current pip behavior is described in #6720 (comment). To summarize, here is the precedence for CA certificates (highest to lowest, where a higher one completely overrides the ones below):

  1. path provided to --cert
  2. Any cert setting in a pip configuration file (overridden as described in the docs)
  3. REQUESTS_CA_BUNDLE environment variable
  4. CURL_CA_BUNDLE environment variable
  5. output of pip._vendor.certifi.where(), by default this is the bundled root CA certs from certifi but it may be overridden by your distribution

pip does not use:

  1. ssl.get_default_verify_paths()
  2. SSL_CERT_FILE

If you are facing issues like those described above, then try the following:

  1. If you know that your repository uses a certificate that will need a custom CA certificate to verify, then provide that CA certificate to pip using the --cert option.
  2. If it works, then set the cert option in your user-specific configuration file to point to that file.
  3. If you are an administrator and you don’t want every user to have to set this, then set it globally using the global pip configuration file relevant to your OS.

I hope there is enough information here to help most of the problems mentioned.

We want to make sure everyone gets help, so let’s proceed like this: I will close this issue. Anyone still having problems, please create a separate issue so we can dig into your specific situation. Try to provide as much information as possible, at least what is mentioned in the Bug Report template. With that we should be able to help you more effectively.

Same here

pip 19.0.3 from /usr/local/lib/python3.7/site-packages/pip (python 3.7)
python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/etc/ssl/certs/ca-bundle.crt', capath='/etc/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/ssl/certs')
pip install --no-cache-dir awscli
  Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)'))': /simple/awscli/

pip --cert /etc/ssl/certs/ca-bundle.crt install --no-cache-dir awscli works.

Seems like SSL_CERT_FILE is ignored by pip.
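
As an added illustration (not part of the thread and not pip's own code), the precedence list in the maintainer's comment and the SSL_CERT_FILE observation in the last comment can be modelled as follows, together with a check of whether a given CA is actually present in the bundle that wins. The function names, the certifi-default.pem placeholder path and the PEM blocks are constructed for the example.

```python
import base64
import hashlib
import re

# pip reads these (highest precedence first); per the thread it ignores NOT_USED.
ENV_SOURCES = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")
NOT_USED = ("SSL_CERT_FILE",)
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def resolve_ca_bundle(environ, cli_cert=None, config_cert=None,
                      certifi_path="certifi-default.pem"):
    """Report the winning CA source, the lower ones it hides, and unused variables."""
    chain = [("--cert", cli_cert), ("config file", config_cert)]
    chain += [(name, environ.get(name)) for name in ENV_SOURCES]
    chain.append(("certifi", certifi_path))  # placeholder path, always last
    active = [(src, path) for src, path in chain if path]
    (source, path), hidden = active[0], [src for src, _ in active[1:]]
    ignored = [name for name in NOT_USED if environ.get(name)]
    return {"source": source, "path": path,
            "overrides": hidden, "ignored": ignored}


def cert_fingerprints(pem_text):
    """SHA-256 of each certificate block (decoded bytes) in a PEM bundle."""
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_BLOCK.findall(pem_text)}


def bundle_trusts(bundle_pem, ca_pem):
    """True if every certificate in ca_pem also appears in bundle_pem."""
    wanted = cert_fingerprints(ca_pem)
    return bool(wanted) and wanted <= cert_fingerprints(bundle_pem)


def fake_pem(label):
    """Constructed placeholder block, not a real X.509 certificate."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed scenario: the proxy CA is reachable only through SSL_CERT_FILE,
# so resolution falls through to certifi, which does not contain it.
PROXY_CA = fake_pem("constructed proxy CA")
CERTIFI_BUNDLE = fake_pem("constructed root 1") + fake_pem("constructed root 2")
REPORT_ENV = {"SSL_CERT_FILE": "/etc/pki/tls/cert.pem"}
if __name__ == "__main__":
    print(resolve_ca_bundle(REPORT_ENV))
    print(bundle_trusts(CERTIFI_BUNDLE, PROXY_CA))
```

Because a higher source completely overrides the lower ones, a file passed through --cert must contain every CA pip needs for that run, not only the proxy CA.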