pip SSL certificate errors #6335

Closed
mcandre opened this issue Jan 13, 2019 · 8 comments
Labels: auto-locked (Outdated issues that have been locked by automation); C: network connectivity; type: feature request (Request for a new feature)

mcandre commented Jan 13, 2019

Many users are reporting problems with pip[3] accessing the main pip repository to download packages. This happens for me, for example, in Windows 10. But I see a lot of reports for other operating systems as well. Unfortunately, just about every solution posted online involves disabling SSL certificate verification, blindly trusting servers that advertise on the pip domain names.

I'm not sure that this is secure, as a Man-in-the-Middle attack could involve spoofing the pip repository servers and injecting malware into the transferred packages. Could we fix the root cause of this problem, so that pip correctly loads certificate chains from the OS, and fix any issues with the pip repository server certificate configurations?
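An added example, not part of the original post or of pip's code: a small audit that finds the verification-disabling workarounds described above in a pip configuration file and environment. The sample config, the bundle path and the mirror host name are constructed; `trusted-host`, `index-url`, `extra-index-url`, `cert` and the matching `PIP_*` variables are pip's real option names.

```python
import configparser

# Constructed sample config (not from the thread). `cert` keeps verification on
# and only changes the trust anchors; the other two settings remove protection.
SAMPLE_CONF = """
[global]
cert = /etc/ssl/corp-ca-bundle.pem
trusted-host =
    pypi.org
    files.pythonhosted.org

[install]
extra-index-url = http://mirror.internal.example/simple
"""

URL_KEYS = {"index-url": "PIP_INDEX_URL", "extra-index-url": "PIP_EXTRA_INDEX_URL"}

def _check(source, key, raw, findings):
    # pip accepts several whitespace-separated values for these options.
    for value in raw.split():
        if key == "trusted-host":
            findings.append((source, key, value, "certificate verification skipped"))
        elif key in URL_KEYS and value.lower().startswith("http://"):
            findings.append((source, key, value, "plaintext index, no TLS"))

def audit_pip_settings(ini_text="", env=None):
    """Return (source, option, value, reason) for settings that weaken TLS."""
    findings = []
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    for section in parser.sections():
        for key, raw in parser.items(section):
            _check(section, key, raw, findings)
    env = env or {}
    if "PIP_TRUSTED_HOST" in env:
        _check("env", "trusted-host", env["PIP_TRUSTED_HOST"], findings)
    for key, var in URL_KEYS.items():
        if var in env:
            _check("env", key, env[var], findings)
    return findings

if __name__ == "__main__":
    for finding in audit_pip_settings(SAMPLE_CONF, {"PIP_TRUSTED_HOST": "pypi.org"}):
        print(finding)
```
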

@mcandre mcandre changed the title Many pip SSL certificate errors pip SSL certificate errors Jan 13, 2019
@ewdurbin
Member

Hi @mcandre! Thanks for your report and concern regarding pip security.

This issue is probably best suited for discussion on pip's issue tracker unless you believe there is a misconfiguration of pypi.org TLS. If I don't hear back from you in a few days, I'll transfer the issue either way.

@ewdurbin ewdurbin transferred this issue from pypi/warehouse Mar 14, 2019
@duckinator
Contributor

duckinator commented Mar 19, 2019

I encountered this problem when trying to set up CI on Windows for a project of mine.

In my case, I was able to download http://curl.haxx.se/ca/cacert.pem to C:\cacert.pem then run:

pip --cert C:\cacert.pem install certifi

And installing certifi fixed it properly (by installing the same cacert.pem I did manually).

(EDIT: Fixed a missing word in the command.)

@varkap44

varkap44 commented Apr 6, 2019

I get the following error with:
pip --cert ~/Downloads/cacert.pem certifi
ERROR: unknown command "certifi"

This TLS upgrade seems to be a chicken-and-egg problem.

Moreover:
pip install certifi
Requirement already satisfied: certifi in /anaconda2/lib/python2.7/site-packages (2018.11.29)
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')",),)) - skipping

@duckinator
Contributor

duckinator commented Apr 6, 2019

Oh, sorry, I meant pip --cert C:\cacert.pem install certifi.

So in your case, it'd be pip --cert ~/Downloads/cacert.pem install certifi.

But it looks like your issue may be different than mine was.

@varkap44

varkap44 commented Apr 6, 2019

> Oh, sorry, I meant pip --cert C:\cacert.pem install certifi.
>
> So in your case, it'd be pip --cert ~/Downloads/cacert.pem install certifi.
>
> But it looks like your issue may be different than mine was.

This is what I get with pip --cert ~/Downloads/cacert.pem install certifi:

Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLEOFError(8, u'EOF occurred in violation of protocol (_ssl.c:727)'),)) - skipping

Besides, certifi is already installed as part of the anaconda package (along with pip).

Also, brew and conda install are not working, giving the same error.
Looks like a certificate error.
I checked the openssl versions of the system and anaconda; both support TLS 1.2.
macOS uses Keychain for its certificates.

Additionally, I have run the below command to check openssl:
openssl s_client -connect repo.anaconda.com:443 -CApath ~/Downloads/cacert.pem

Result:

CONNECTED(00000006)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

SSLHandshake looks to be fine with SSL.
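An added example, not part of the comment above or of pip: a reader for `openssl s_client` transcripts that separates "handshake completed and chain verified" from a connection where no certificate ever arrived. OpenSSL reports verify return code 0 when no peer certificate was presented, so that line alone does not show a verified chain. `FAILED` is an excerpt of the transcript quoted above; `COMPLETED` is constructed for contrast.

```python
import re

# Excerpt of the s_client transcript quoted in the comment above.
FAILED = """CONNECTED(00000006)
write:errno=0
no peer certificate available
SSL handshake has read 0 bytes and written 319 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""

# Constructed transcript of a completed handshake, for contrast (not from the page).
COMPLETED = """CONNECTED(00000003)
Certificate chain
 0 s:CN = example.test
SSL handshake has read 4521 bytes and written 402 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
"""

def assess_s_client(output):
    """Report whether a transcript shows a completed handshake and a verified chain."""
    problems = []
    read = re.search(r"SSL handshake has read (\d+) bytes", output)
    if read is None or int(read.group(1)) == 0:
        problems.append("server sent no handshake bytes")
    if "no peer certificate available" in output:
        problems.append("no server certificate received")
    cipher = re.search(r"Cipher is (\S+)", output)
    if cipher is None or cipher.group(1) == "(NONE)":
        problems.append("no cipher suite negotiated")
    completed = not problems
    code = re.search(r"Verify return code: (\d+)", output)
    # OpenSSL reports 0 (ok) when no peer certificate was presented, so the
    # code only counts as "chain verified" once the handshake has completed.
    verified = completed and code is not None and code.group(1) == "0"
    return {"handshake_completed": completed, "chain_verified": verified,
            "problems": problems}

if __name__ == "__main__":
    for name, text in (("page transcript", FAILED), ("constructed", COMPLETED)):
        print(name, assess_s_client(text))
```
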

@pradyunsg pradyunsg added the S: needs triage Issues/PRs that need to be triaged label Jun 22, 2019
@triage-new-issues triage-new-issues bot removed the S: needs triage Issues/PRs that need to be triaged label Oct 6, 2019
@chrahunt
Member

chrahunt commented Oct 6, 2019

Hi @mcandre. Reliably determining the OS-level trust store to use is non-trivial and outside of the scope of pip. I would follow psf/requests#2966 for updates, since that would be the most likely route something like this gets into pip. For additional context, we have already tried and then reverted some OS-specific trust store path determination because even for a single platform there are deviations between different distributions.

@varkap44, if you're still experiencing problems can you please create a separate issue?

@chrahunt chrahunt added the S: awaiting response Waiting for a response/more information label Oct 6, 2019
@varkap44

varkap44 commented Oct 7, 2019

@chrahunt I am not experiencing the issue anymore.

@no-response

no-response bot commented Nov 5, 2019

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

@no-response no-response bot closed this as completed Nov 5, 2019
@lock lock bot added the auto-locked Outdated issues that have been locked by automation label Dec 6, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Dec 6, 2019
@pradyunsg pradyunsg removed the S: awaiting response Waiting for a response/more information label Mar 17, 2023
6 participants