pip and SSL certificate errors

I am trying to install a library via pip. I have a problem with SSL certificate, even when using the --cert. Trying this on windows (pip version 1.5.4,python version 2.7.6):

pip --cert C:\tmp\cacert.pem install robotframework-archivelibrary --proxy http://myproxy

Getting page https://pypi.python.org/simple/robotframework-archivelibrary/ Could not fetch URL https://pypi.python.org/simple/robotframework-archivelibrary/: connection error: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Any ideas?


Solution 1:

I had similar error messages due to our corporate firewall intercepting SSL (i.e. a transparent SSL proxy). I exported the root CA cert that signs the firewall certificate in .pem format and appended it to the following file:

C:\Python27\Lib\site-packages\pip\_vendor\requests\cacert.pem

That resolved my issue. Your issue might not be exactly the same, but if you get the right CA certificates into the above cacert.pem I'm sure you can get passed your SSL certificate verification failure.

Solution 2:

Since --cert doesn't work for you, probably you're using the wrong certificate file.

Most likely you're behind some corporation proxy, so you should export your root certificate by going to the failing URL (e.g. https://pypi.python.org/simple/robotframework-archivelibrary/, see: How to save a remote server SSL certificate locally as a file).

If it's in CER format, convert it into PEM.

Then use that PEM file, e.g.

pip --cert root-cert.pem install robotframework-archivelibrary

See also: pip install fails with “connection error: [SSL: CERTIFICATE_VERIFY_FAILED]".

Solution 3:

If pip complains about Certificate errors, then add some hosts to pip.ini.
Unfortunately Python 3.x on Win10 does not have any pip.ini file, so you have to create it manually from powershell/cmd with:

  • mkdir C:\ProgramData\pip

  • Create a file C:\ProgramData\pip\pip.ini with notepad:

      [global]
      trusted-host = pypi.org (new-line)
                     files.pythonhosted.org
    

Check it with pip config -v list. You should see this in the last line:

global.trusted-host='pypi.org\nfiles.pythonhosted.org'

The \n denotates a new-line that should be part of the trusted-host entry.

Solution 4:

Add this to your pip config, which on Windows is C:\Users\<user>\pip\pip.ini.

[global]
  trusted-host = pypi.python.org
  proxy = <proxy>:<port>

Find your proxy by following these directions.