How to fix - Python pip install connection error SSL CERTIFICATE_VERIFY_FAILED certificate verify failed
In this article, we are going to see the error connection error SSL CERTIFICATE_VERIFY_FAILED certificate verify failed (_ssl.c:598) which you might get when you are trying to install Python on your system.
First, we are going to see the Root Cause of the error and then we are going to see 3 different ways to address this issue.
Here is the sample error message which you might be getting -
1Getting page https://pypi.python.org/simple/linkchecker/
2Could not fetch URL https://pypi.python.org/simple/linkchecker/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
3Will skip URL https://pypi.python.org/simple/linkchecker/ when looking for download links for linkchecker
4Getting page https://pypi.python.org/simple/
5Could not fetch URL https://pypi.python.org/simple/: connection error: HTTPSConnectionPool(host='pypi.python.org', port=443): Max retries exceeded with url: /simple/ (Caused by <class 'http.client.CannotSendRequest'>: Request-sent)
6Will skip URL https://pypi.python.org/simple/ when looking for download links for linkchecker
7Cannot fetch index base URL https://pypi.python.org/simple/
Table of Content
- Root Cause of the problem
- Fix by adding
--trusted-host
param into installation command - Fix by adding the host to pip.conf file
- Fix by importing the CRT from DigiCert
1. Root Cause of the problem
One of the most probable causes of this issue is your sitting behind the company's/corporate firewall and your company's firewall does not trust Python certificates.
Here are the list of hosts. In order to install the python all the certificates issued by the following hosts should be trusted -
There are multiple ways to fix this issue -
2 Add --trusted-host
param into installation command
This could be one of the easiest ways to install Python by adding --trusted-host
params into your installation command.
You need to add at least two parameters under your installation command -
Param 1 : --trusted-host pypi.org
Param 2 : --trusted-host files.pythonhosted.org
Here is the final installation command -
1pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org pip setuptools
Or if you are installing python3-pip
then use the following command
1pip3 install --trusted-host pypi.org --trusted-host files.pythonhosted.org <app>
or
1python3 -m pip install --upgrade Scrapy --trusted-host pypi.org --trusted-host files.pythonhosted.org
3. Fix the error by adding host to pip.conf file
Python allows you to set default command-line options with the help of pip.conf file.
Locate your pip.conf
file based on your operating system -
1. MacOS - $HOME/Library/Application Support/pip/pip.conf
2. Unix - $HOME/.config/pip/pip.conf
3. Windows - %APPDATA%\pip\pip.ini
Open the pip.conf
file and add trusted-host
under the global
param -
1[global]
2trusted-host = pypi.python.org
3 pypi.org
4 files.pythonhosted.org
Restart your python and then the pip installer will trust these hosts permanently.
4. Fix by importing the CRT from DigiCert
This approach is a little tricky but one of the most recommended and secure ways to trust the host.
One more thing you should have OpenSSL
installed onto your system.
Run the following command to see the certificate chain -
1openssl s_client -connect pypi.python.org:443
It should show the following output
1CONNECTED(00000003)
2depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
3verify error:num=20:unable to get local issuer certificate
4verify return:0
5---
6Certificate chain
7 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro,/O=Python Software Foundation/CN=www.python.org
8 i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
9 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
10 i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
If you look carefully at the output then we have CN=DigiCert High Assurance EV Root CA
.
So we need to download the CA for that.
- You can download the CRT file from DigiCert
- Now you need to convert the CRT to PEM format. Use the following command to achieve that -
1openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -out my-cert.pem
-
Once you run the above command you will get your own
my-cert.pem
file. -
Export the
my-cert.pem
and add it the python environment variablesPIP_CERT
1export PIP_CERT= my-cert.pem
Now you have the correct trusted certificate for your python installation.