How to fix - Python pip install connection error SSL CERTIFICATE_VERIFY_FAILED certificate verify failed



In this article, we are going to see the error connection error SSL CERTIFICATE_VERIFY_FAILED certificate verify failed (_ssl.c:598) which you might get when you are trying to install Python on your system.

First, we are going to see the Root Cause of the error and then we are going to see 3 different ways to address this issue.

Here is the sample error message which you might be getting -

1Getting page https://pypi.python.org/simple/linkchecker/
2Could not fetch URL https://pypi.python.org/simple/linkchecker/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
3Will skip URL https://pypi.python.org/simple/linkchecker/ when looking for download links for linkchecker
4Getting page https://pypi.python.org/simple/
5Could not fetch URL https://pypi.python.org/simple/: connection error: HTTPSConnectionPool(host='pypi.python.org', port=443): Max retries exceeded with url: /simple/ (Caused by <class 'http.client.CannotSendRequest'>: Request-sent)
6Will skip URL https://pypi.python.org/simple/ when looking for download links for linkchecker
7Cannot fetch index base URL https://pypi.python.org/simple/

Table of Content

  1. Root Cause of the problem
  2. Fix by adding --trusted-host param into installation command
  3. Fix by adding the host to pip.conf file
  4. Fix by importing the CRT from DigiCert

1. Root Cause of the problem

One of the most probable causes of this issue is your sitting behind the company's/corporate firewall and your company's firewall does not trust Python certificates.

Here are the list of hosts. In order to install the python all the certificates issued by the following hosts should be trusted -

  1. pypi.python.org
  2. pypi.org
  3. files.pythonhosted.org


There are multiple ways to fix this issue -

2 Add --trusted-host param into installation command

This could be one of the easiest ways to install Python by adding --trusted-host params into your installation command.

You need to add at least two parameters under your installation command -

Param 1 : --trusted-host pypi.org

Param 2 : --trusted-host files.pythonhosted.org

Here is the final installation command -

1pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org pip setuptools

Or if you are installing python3-pip then use the following command

1pip3 install --trusted-host pypi.org --trusted-host files.pythonhosted.org <app>

or

1python3 -m pip install --upgrade Scrapy --trusted-host pypi.org --trusted-host files.pythonhosted.org 


3. Fix the error by adding host to pip.conf file

Python allows you to set default command-line options with the help of pip.conf file.

Locate your pip.conf file based on your operating system -

1. MacOS - $HOME/Library/Application Support/pip/pip.conf

2. Unix - $HOME/.config/pip/pip.conf

3. Windows - %APPDATA%\pip\pip.ini

Open the pip.conf file and add trusted-host under the global param -

1[global]
2trusted-host = pypi.python.org
3               pypi.org
4               files.pythonhosted.org

Restart your python and then the pip installer will trust these hosts permanently.



4. Fix by importing the CRT from DigiCert

This approach is a little tricky but one of the most recommended and secure ways to trust the host.

One more thing you should have OpenSSL installed onto your system.

Run the following command to see the certificate chain -

1openssl s_client -connect pypi.python.org:443

It should show the following output

 1CONNECTED(00000003)
 2depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 3verify error:num=20:unable to get local issuer certificate
 4verify return:0
 5---
 6Certificate chain
 7 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro,/O=Python Software Foundation/CN=www.python.org
 8   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 9 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
10   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

If you look carefully at the output then we have CN=DigiCert High Assurance EV Root CA.

So we need to download the CA for that.

  1. You can download the CRT file from DigiCert
  2. Now you need to convert the CRT to PEM format. Use the following command to achieve that -
1openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -out my-cert.pem 
  1. Once you run the above command you will get your own my-cert.pem file.

  2. Export the my-cert.pem and add it the python environment variables PIP_CERT

1export PIP_CERT= my-cert.pem

Now you have the correct trusted certificate for your python installation.