pip is configured with locations that require TLS/SSL, however the ssl module inPythonisnot available.Collecting<package>Couldnot fetch URL https://pypi.python.org/simple/<package>/:There was a problem confirming the ssl certificate:Can't connect to HTTPS URL because the SSL module is not available. - skipping
Could not find a version that satisfies the requirement <package> (from versions: )
No matching distribution found for <package>
I’ve install Python 3.4 and Python 3.6 on my local machine successfully, but am unable to install packages with pip3.
When I execute pip3 install <package>, I get the following SSL related error:
pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
Collecting <package>
Could not fetch URL https://pypi.python.org/simple/<package>/: There was a problem confirming the ssl certificate: Can't connect to HTTPS URL because the SSL module is not available. - skipping
Could not find a version that satisfies the requirement <package> (from versions: )
No matching distribution found for <package>
How can I fix my Python3.x install so that I can install packages with pip install <package>?
Disclaimer: The above commands are not tested in Ubuntu 20.04 LTS.
回答 1
如果您使用的是Red Hat / CentOS:
# To allow for building python ssl libs
yum install openssl-devel
# Download the source of *any* python version
cd /usr/src
wget https://www.python.org/ftp/python/3.6.2/Python-3.6.2.tar.xz
tar xf Python-3.6.2.tar.xz
cd Python-3.6.2# Configure the build w/ your installed libraries./configure
# Install into /usr/local/bin/python3.6, don't overwrite global python bin
make altinstall
# To allow for building python ssl libs
yum install openssl-devel
# Download the source of *any* python version
cd /usr/src
wget https://www.python.org/ftp/python/3.6.2/Python-3.6.2.tar.xz
tar xf Python-3.6.2.tar.xz
cd Python-3.6.2
# Configure the build w/ your installed libraries
./configure
# Install into /usr/local/bin/python3.6, don't overwrite global python bin
make altinstall
If you are on Windows and use anaconda this worked for me:
I tried a lot of other solutions which did not work (Environment PATH Variable changes …)
The problem can be caused by DLLs in the Windows\System32 folder (e.g. libcrypto-1_1-x64.dll or libssl-1_1-x64.dll or others) placed there by other software.
I had a similar problem on OSX 10.11 due to installing memcached which installed python 3.7 on top of 3.6.
WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
Spent hours on unlinking openssl, reinstalling, changing paths.. and nothing helped. Changing openssl version back from to older version did the trick:
brew switch openssl 1.0.2e
I did not see this suggestion anywhere in internet. Hope it serves someone.
If you are on OSX and have compiled python from source:
Install openssl using brew brew install openssl
Make sure to follow the instructions brew gives you about setting your CPPFLAGS and LDFLAGS. In my case I am using the openssl@1.1 brew formula and I need these 3 settings for the python build process to correctly link to my SSL library:
Assuming the library is installed at that location.
回答 9
我在Windows 10上遇到了同样的问题。我的非常具体的问题是由于安装了Anaconda。我安装了Anaconda并在路径下Path/to/Anaconda3/出现了python.exe。因此,我完全没有安装python,因为Anaconda包含python。使用pip安装软件包时,我发现了相同的错误报告pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.。
I encountered the same problem on windows 10. My very specific issue is due to my installation of Anaconda. I installed Anaconda and under the path Path/to/Anaconda3/, there comes the python.exe. Thus, I didn’t install python at all because Anaconda includes python. When using pip to install packages, I found the same error report, pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available..
The solution was the following:
1) you can download python again on the official website;
2) Navigate to the directory where "Python 3.7 (64-bit).lnk"is located
3) import ssl and exit()
4) type in cmd, "Python 3.7 (64-bit).lnk" -m pip install tensorflow for instance.
If you are on Windows and use Anaconda you can try running “pip install …” command in Anaconda Prompt instead of cmd.exe, as user willliu1995 suggests here. This was the fastest solution for me, that does not require installation of additional components.
my issue appeared related to my python installation and was quickly resolved by re-installing python3 and pip. i think it started misbehaving after an OS update but who knows (at this time I am on Mac OS 10.14.6)
While installing Anaconda, select the option to add Anaconda to the path.
or
Find these (complete) paths from your installation folder of Anaconda and add them to the environment variable :
\Anaconda
\Anaconda\Library\mingw-w64\bin
\Anaconda\Library\usr\bin
\Anaconda\Library\bin
\Anaconda\Scripts
\anaconda\Library
\anaconda\condabin
Add the above paths to the “Path” system variable and it should show the error no more :)
回答 14
我遇到了同样的问题,可以通过以下步骤解决:
sudo yum install -y libffi-devel
sudo yum install openssl-devel
cd /usr/src
sudo wget https://www.python.org/ftp/python/3.7.1/Python-3.7.1.tar.xz
sudo tar xf Python-3.7.1.tar.xz
cd Python-3.7.1
sudo ./configure --enable-optimizations
# Install into /usr/local/bin/python3.7, don't overwrite global python bin
sudo make altinstall
I was having the same issue and was able to resolve with the following steps:
sudo yum install -y libffi-devel
sudo yum install openssl-devel
cd /usr/src
sudo wget https://www.python.org/ftp/python/3.7.1/Python-3.7.1.tar.xz
sudo tar xf Python-3.7.1.tar.xz
cd Python-3.7.1
sudo ./configure --enable-optimizations
# Install into /usr/local/bin/python3.7, don't overwrite global python bin
sudo make altinstall
The ssl module is a TLS/SSL wrapper for accessing Operation Sytem (OS) socket (Lib/ssl.py). So when ssl module is not available, chances are that you either don’t have OS OpenSSL libraries installed, or those libraries were not found when you install Python. Let assume it is a later case (aka: you already have OpenSSL installed, but they are not correctly linked when installing Python).
I will also assume you are installing from source. If you are installing from binary (ie: Window .exe file), or package (Mac .dmg, or Ubuntu apt), there is not much you can do with the installing process.
During the step of configuring your python installation, you need to specify where the OS OpenSSL will be used for linking:
Your system may be different than mine, but as you see here I have many different installed openssl libraries. As the time of this writing, python 3.8 expects openssl 1.0.2 or 1.1:
Python requires an OpenSSL 1.0.2 or 1.1 compatible libssl with X509_VERIFY_PARAM_set1_host().
So you would need to verify which of those installed libraries that you can use for linking, for example
/usr/bin/openssl version
OpenSSL 1.0.2g 1 Mar 2016
./configure --with-openssl="/usr"
make && make install
You may need to try a few, or install a new, to find the library that would work for your Python and your OS.
I finally solve this issue. These are the detail of my env:
Version of Python to install: 3.6.8
OS: Ubuntu 16.04.6 LTS
Root access: No
Some people suggest to install libssl-dev, but it did not work for me. I follow this link and I fixed it!
In short, I download, extract, build, and install OpenSSL (openssl-1.1.1b.tar.gz). Then, I modify .bashrc file follow this link.
Next, I download and extract Python-3.6.8.tgz. I edit Modules/Setup.dist to modify SSL path (lines around #211). I did ./configure --prefix=$HOME/opt/python-3.6.8, make and make install. Last, I modify my .bashrc. Notice that I do not include --enable-optimizations in ./configure.
The huge assumption I made is that the yum version of ssl is the same as the conda version, so just renaming the shared object might work, and it did.
My other solution was to re-compile python, re-install anaconda, etc, but in the end I’m glad I didn’t need to.
Hope this helps you guys out.
回答 21
在pyenv用于管理Mac OS Catalina上的python安装的情况下,我必须先openssl使用brew 安装,然后再运行pyenv install 3.7.8,这似乎是使用opensslfrom homebrew 来构建python安装的(甚至在安装输出中也是如此)。然后pyenv global 3.7.8,我不在了。
In the case of using pyenv to manage python installations on Mac OS Catalina, I had to install openssl with brew first and then after that run pyenv install 3.7.8 which seemed to build the python installation using the openssl from homebrew (it even said as such in the installation output). Then pyenv global 3.7.8 and I was away.
I was able to fix this by updating the python version in this file.
pyenv: version `3.6.5′ is not installed (set by /Users/taruntarun/.python-version)
Though i had the latest version installed, my command was still using old version 3.6.5
I was having the same problem for the last two days and only have fixed it right now.
I had tried to use --trust-host option with the DigiCert_High_Assurance_EV_Root_CA.pem did not work, I couldn’t install the ssl module (It tells it cannot be installed for python versions greater than 2.6), setting the $PIP_CERT variable didn’t fix it either and I had libssl1.0.2 and libssl1.0.0 installed. Also worth mentioning I didn’t had a ~/.pip/pip.conf file, and creating it didn’t solve the bug either.
What finally solved it, was installing python3.6 with make again.
Download the Python-3.6.0.tgz from the website, run configure then make, make test and make install. Hope it works for you.
The python documentation is actually very clear, and following the instructions did the job whereas other answers I found here were not fixing this issue.
make sure you have openssl installed by running brew install openssl
unzip it and move to the python directory: tar xvzf Python-3.6.2.tar.xz && cd Python-3.6.2
then if the python version is < 3.7, run
CPPFLAGS="-I$(brew --prefix openssl)/include" \
LDFLAGS="-L$(brew --prefix openssl)/lib" \
./configure --with-pydebug
5. finallly, run make -s -j2 (-s is the silent flag, -j2 tells your machine to use 2 jobs)
I had the same issue trying to install python3.7 on an ubuntu14.04 machine.
The issue was that I had some custom folders in my PKG_CONFIG_PATH and in my LD_LIBRARY_PATH, which prevented the python build process to find the system openssl libraries.
Ok the latest answer to this, as of now don’t use Python 3.8, use only 3.7 or less , because of most of the libraries fail to install with the above error
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3
/util/ssl_.py:79:InsecurePlatformWarning: A true SSLContext object isnot
available.This prevents urllib3 from configuring SSL appropriately and
may cause certain SSL connections to fail.For more information, see
https://urllib3.readthedocs.org/en/latest
/security.html#insecureplatformwarning.
Im using Python 2.7.3 and Requests. I installed Requests via pip. I believe it’s the latest version. I’m running on Debian Wheezy.
I’ve used Requests lots of times in the past and never faced this issue, but it seems that when making https requests with Requests I get an InsecurePlatform exception.
The error mentions urllib3, but I don’t have that installed. I did install it to check if it resolved the error, but it didn’t.
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3
/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not
available. This prevents urllib3 from configuring SSL appropriately and
may cause certain SSL connections to fail. For more information, see
https://urllib3.readthedocs.org/en/latest
/security.html#insecureplatformwarning.
Any ideas as to why I’m getting this? I’ve checked the docs, as specified in the error message, but the docs are saying to import urllib3 and either disable the warning, or provide a certificate.
pip install requests[security]
or
pip install pyOpenSSL ndg-httpsclient pyasn1
Both commands install following extra packages:
pyOpenSSL
cryptography
idna
Please note that this is not required for python-2.7.9+.
If pip install fails with errors, check whether you have required development packages for libffi, libssl and python installed in your system using distribution’s package manager:
If your pip itself is affected by InsecurePlatformWarning and cannot install anything from PyPI, it can be fixed with this step-by-step guide to deploy extra python packages manually.
Requests 2.6 introduced this warning for users of python prior to 2.7.9 with only stock SSL modules available.
Assuming you can’t upgrade to a newer version of python, this will install more up-to-date python SSL libraries:
pip install --upgrade ndg-httpsclient
HOWEVER, this may fail on some systems without the build-dependencies for pyOpenSSL. On debian systems, running this before the pip command above should be enough for pyOpenSSL to build:
classSession(SessionRedirectMixin):......def request(self, method, url,
params=None,
data=None,
headers=None,
cookies=None,
files=None,
auth=None,
timeout=None,
allow_redirects=True,
proxies=None,
hooks=None,
stream=None,
verify=None,# <========
cert=None):"""
...
:param verify: (optional) if True, the SSL cert will be verified.
A CA_BUNDLE path can also be provided.
...
"""
class Session(SessionRedirectMixin):
......
def request(self, method, url,
params=None,
data=None,
headers=None,
cookies=None,
files=None,
auth=None,
timeout=None,
allow_redirects=True,
proxies=None,
hooks=None,
stream=None,
verify=None, # <========
cert=None):
"""
...
:param verify: (optional) if True, the SSL cert will be verified.
A CA_BUNDLE path can also be provided.
...
"""
This tells pip that it’s OK to grab the module from pypi.python.org.
For me, the issue is my company’s proxy behind it’s firewall that makes it look like a malicious client to some servers. Hooray security.
Update: See @Alex ‘s
answer for changes in the PyPi domains, and additional --trusted-host options that can be added. (I’d copy/paste here, but his answer, so +1 him)
回答 6
这个答案无关紧要,但是如果您想摆脱警告并从请求中获得以下警告:
InsecurePlatformWarning
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
This answer is unrelated, but if you wanted to get rid of warning and get following warning from requests:
InsecurePlatformWarning
/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
You can disable it by adding the following line to your python code:
This came up for me on Ubuntu 14.04 (with Python 2.7.6) last week after i did a apt-get dist-upgrade that included libssl1.1:amd64 from deb.sury.org.
Since I run certbot-auto renew from a cron job, I also use the --no-self-upgrade to cut down on unscheduled maintenance. This seems to have been the source of the trouble.
To fix the error, all I needed to do was become root (with su‘s --login switch) and let certbot-auto upgrade itself. I.e:
sudo su --login
/usr/local/bin/certbot-auto renew
# ... Upgrading certbot-auto 0.8.1 to 0.18.2... blah blah blah ...
instead of what normally runs from root’s crontab:
I just had a similar issue on a CentOS 5 server where I installed python 2.7.12 in /usr/local on top of a much older version of python2.7. Upgrading to CentOS 6 or 7 isn’t an option on this server right now.
Some of the python 2.7 modules were still existing from the older version of python, but pip was failing to upgrade because the newer cryptography package is not supported by the CentOS 5 packages.
Specifically, ‘pip install requests[security]’ was failing because the openssl version on the CentOS 5 was 0.9.8e which is no longer supported by cryptography > 1.4.0.
To solve the OPs original issue I did:
1) pip install 'cryptography<1.3.5,>1.3.0'.
This installed cryptography 1.3.4 which works with openssl-0.9.8e. cryptograpy 1.3.4 is also sufficient to satisfy the requirement for the following command.
2) pip install 'requests[security]'
This command now installs because it doesn’t try to install cryptography > 1.4.0.
I had same problem with
Mac
Pycharm community edition 2019.3
Python interpreter 3.6.
Upgrading pip with 20.0.2 worked for me. Pycharm --> Preferences --> Project Interpreter --> click on pip --> specify version 20.0.2 --> Install package
Traceback(most recent call last):File"./test.py", line 24,in<module>
response = requests.get(url1, headers=headers)File"build/bdist.linux-x86_64/egg/requests/api.py", line 52,in getFile"build/bdist.linux-x86_64/egg/requests/api.py", line 40,in requestFile"build/bdist.linux-x86_64/egg/requests/sessions.py", line 209,in request File"build/bdist.linux-x86_64/egg/requests/models.py", line 624,in sendFile"build/bdist.linux-x86_64/egg/requests/models.py", line 300,in _build_responseFile"build/bdist.linux-x86_64/egg/requests/models.py", line 611,in send
requests.exceptions.SSLError:[Errno1] _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I’m working on a simple script that involves CAS, jspring security check, redirection, etc. I would like to use Kenneth Reitz’s python requests because it’s a great piece of work! However, CAS requires getting validated via SSL so I have to get past that step first. I don’t know what Python requests is wanting? Where is this SSL certificate supposed to reside?
Traceback (most recent call last):
File "./test.py", line 24, in <module>
response = requests.get(url1, headers=headers)
File "build/bdist.linux-x86_64/egg/requests/api.py", line 52, in get
File "build/bdist.linux-x86_64/egg/requests/api.py", line 40, in request
File "build/bdist.linux-x86_64/egg/requests/sessions.py", line 209, in request
File "build/bdist.linux-x86_64/egg/requests/models.py", line 624, in send
File "build/bdist.linux-x86_64/egg/requests/models.py", line 300, in _build_response
File "build/bdist.linux-x86_64/egg/requests/models.py", line 611, in send
requests.exceptions.SSLError: [Errno 1] _ssl.c:503: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The problem you are having is caused by an untrusted SSL certificate.
Like @dirk mentioned in a previous comment, the quickest fix is setting verify=False:
requests.get('https://example.com', verify=False)
Please note that this will cause the certificate not to be verified. This will expose your application to security risks, such as man-in-the-middle attacks.
Of course, apply judgment. As mentioned in the comments, this may be acceptable for quick/throwaway applications/scripts, but really should not go to production software.
If just skipping the certificate check is not acceptable in your particular context, consider the following options, your best option is to set the verify parameter to a string that is the path of the .pem file of the certificate (which you should obtain by some sort of secure means).
So, as of version 2.0, the verify parameter accepts the following values, with their respective semantics:
True: causes the certificate to validated against the library’s own trusted certificate authorities (Note: you can see which Root Certificates Requests uses via the Certifi library, a trust database of RCs extracted from Requests: Certifi – Trust Database for Humans).
Tested on Python 2.7.5 @ MacOSX 10.9.5 (Mavericks)
When this question was opened (2012-05) the Requests version was 0.13.1. On version 2.4.1 (2014-09) the “security” extras were introduced, using certifi package if available.
Right now (2016-09) the main version is 2.11.1, that works good withoutverify=False. No need to use requests.get(url, verify=False), if installed with requests[security] extras.
from boto3.session importSessionimport os
# debian
os.environ['REQUESTS_CA_BUNDLE']= os.path.join('/etc/ssl/certs/','ca-certificates.crt')# centos# 'ca-bundle.crt')
I encountered the same issue and ssl certificate verify failed issue when using aws boto3, by review boto3 code, I found the REQUESTS_CA_BUNDLE is not set, so I fixed the both issue by setting it manually:
from boto3.session import Session
import os
# debian
os.environ['REQUESTS_CA_BUNDLE'] = os.path.join(
'/etc/ssl/certs/',
'ca-certificates.crt')
# centos
# 'ca-bundle.crt')
For aws-cli, I guess setting REQUESTS_CA_BUNDLE in ~/.bashrc will fix this issue (not tested because my aws-cli works without it).
In case you have a library that relies on requests and you cannot modify the verify path (like with pyvmomi) then you’ll have to find the cacert.pem bundled with requests and append your CA there. Here’s a generic approach to find the cacert.pem location:
btw. @requests-devs, bundling your own cacerts with request is really, really annoying… especially the fact that you do not seem to use the system ca store first and this is not documented anywhere.
update
in situations, where you’re using a library and have no control over the ca-bundle location you could also explicitly set the ca-bundle location to be your host-wide ca-bundle:
I have found an specific approach for solving a similar issue. The idea is pointing the cacert file stored at the system and used by another ssl based applications.
In Debian (I’m not sure if same in other distributions) the certificate files (.pem) are stored at /etc/ssl/certs/ So, this is the code that work for me:
For guessing what pem file choose, I have browse to the url and check which Certificate Authority (CA) has generated the certificate.
EDIT: if you cannot edit the code (because you are running a third app) you can try to add the pem certificate directly into /usr/local/lib/python2.7/dist-packages/requests/cacert.pem (e.g. copying it to the end of the file).
I ran into the same issue. Turns out I hadn’t installed the intermediate certificate on my server (just append it to the bottom of your certificate as seen below).
If the request calls are buried somewhere deep in the code and you do not want to install the server certificate, then, just for debug purposes only, it’s possible to monkeypatch requests:
Too late to the party I guess but I wanted to paste the fix for fellow wanderers like myself! So the following worked out for me on Python 3.7.x
Type the following in your terminal
pip install --upgrade certifi # hold your breath..
Try running your script/requests again and see if it works (I’m sure it won’t be fixed yet!). If it didn’t work then try running the following command in the terminal directly
open /Applications/Python\ 3.6/Install\ Certificates.command # please replace 3.6 here with your suitable python version
I tried to update requests. Then I updated certifi. I pointed verify to certifi.where() (The code does this by default anyways). Nothing worked.
Finally I updated my version of python to python 2.7.11. I was on Python 2.7.5 which had some incompatibilities with the way that the certificates are verified. Once I updated Python (and a handful of other dependencies) it started working.
try:# As long as the certificates in the certs directory are in the OS's certificate store, `verify=True` is fine.return requests.get(url, auth=auth, verify=True)except requests.exceptions.SSLError:
subprocess.run(f"openssl rehash -compat -v my_certs_dir", shell=True, check=True)return requests.get(url, auth=auth, verify="my_certs_dir")
This is similar to @rafael-almeida ‘s answer, but I want to point out that as of requests 2.11+, there are not 3 values that verify can take, there are actually 4:
True: validates against requests’s internal trusted CAs.
Path to a CA_BUNDLE file. requests will use this to validate the server’s certificates.
Path to a directory containing public certificate files. requests will use this to validate the server’s certificates.
The rest of my answer is about #4, how to use a directory containing certificates to validate:
Obtain the public certificates needed and place them in a directory.
Strictly speaking, you probably “should” use an out-of-band method of obtaining the certificates, but you could also just download them using any browser.
If the server uses a certificate chain, be sure to obtain every single certificate in the chain.
According to the requests documentation, the directory containing the certificates must first be processed with the “rehash” utility (openssl rehash).
(This requires openssl 1.1.1+, and not all Windows openssl implementations support rehash. If openssl rehash won’t work for you, you could try running the rehash ruby script at https://github.com/ruby/openssl/blob/master/sample/c_rehash.rb , though I haven’t tried this. )
I had some trouble with getting requests to recognize my certificates, but after I used the openssl x509 -outform PEM command to convert the certs to Base64 .pem format, everything worked perfectly.
You can also just do lazy rehashing:
try:
# As long as the certificates in the certs directory are in the OS's certificate store, `verify=True` is fine.
return requests.get(url, auth=auth, verify=True)
except requests.exceptions.SSLError:
subprocess.run(f"openssl rehash -compat -v my_certs_dir", shell=True, check=True)
return requests.get(url, auth=auth, verify="my_certs_dir")
Workaround for this issue is adding the following line: requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS'
As mentioned by @Rafael Almeida, the problem you are having is caused by an untrusted SSL certificate. In my case, the SSL certificate was untrusted by my server. To get around this without compromising security, I downloaded the certificate, and installed it on the server (by simply double clicking on the .crt file and then Install Certificate…).
回答 18
如果正在从另一个包中调用请求,则添加选项是不可行的。在那种情况下,将证书添加到cacert捆绑包是直接的方法,例如,我必须添加“ StartCom Class 1 Primary Intermediate Server CA”,为此,我将根证书下载到StartComClass1.pem中。鉴于我的virtualenv名为caldav,我添加了以下证书:
It is not feasible to add options if requests is being called from another package. In that case adding certificates to the cacert bundle is the straight path, e.g. I had to add “StartCom Class 1 Primary Intermediate Server CA”, for which I downloaded the root cert into StartComClass1.pem. given my virtualenv is named caldav, I added the certificate with:
I was having a similar or the same certification validation problem. I read that OpenSSL versions less than 1.0.2, which requests depends upon sometimes have trouble validating strong certificates (see here). CentOS 7 seems to use 1.0.1e which seems to have the problem.
I wasn’t sure how to get around this problem on CentOS, so I decided to allow weaker 1024bit CA certificates.
import certifi # This should be already installed as a dependency of 'requests'
requests.get("https://example.com", verify=certifi.old_where())
I had known that the SSL verification had worked until a few days earlier, and was infact working on a different machine.
My next step was to compare the certificate contents and size between the machine on which verification was working, and the one on which it was not.
This quickly led to me determining that the Certificate on the ‘incorrectly’ working machine was not good, and once I replaced it with the ‘good’ cert, everything was fine.
Downloading/unpacking linkcheckerGetting page https://pypi.python.org/simple/linkchecker/Couldnot fetch URL https://pypi.python.org/simple/linkchecker/: connection error:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)Will skip URL https://pypi.python.org/simple/linkchecker/ when looking for download links for linkcheckerGetting page https://pypi.python.org/simple/Couldnot fetch URL https://pypi.python.org/simple/: connection error:HTTPSConnectionPool(host='pypi.python.org', port=443):Max retries exceeded with url:/simple/(Caused by <class'http.client.CannotSendRequest'>:Request-sent)Will skip URL https://pypi.python.org/simple/ when looking for download links for linkcheckerCannot fetch index base URL https://pypi.python.org/simple/URLs to search for versions for linkchecker:* https://pypi.python.org/simple/linkchecker/Getting page https://pypi.python.org/simple/linkchecker/Couldnot fetch URL https://pypi.python.org/simple/linkchecker/: connection error:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)Will skip URL https://pypi.python.org/simple/linkchecker/ when looking for download links for linkcheckerCouldnot find any downloads that satisfy the requirement linkcheckerCleaning up...Removing temporary dir C:\Users\jcook\AppData\Local\Temp\pip_build_jcook...No distributions at all found for linkcheckerException information:Traceback(most recent call last):File"C:\Python34\lib\site-packages\pip\basecommand.py", line 122,in main
status = self.run(options, args)File"C:\Python34\lib\site-packages\pip\commands\install.py", line 278,in run
requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)File"C:\Python34\lib\site-packages\pip\req.py", line 1177,in prepare_files
url = finder.find_requirement(req_to_install, upgrade=self.upgrade)File"C:\Python34\lib\site-packages\pip\index.py", line 277,in find_requirementraiseDistributionNotFound('No distributions at all found for %s'% req)
pip.exceptions.DistributionNotFound:No distributions at all found for linkchecker
I am very new to Python and trying to > pip install linkchecker on Windows 7. Some notes:
pip install is failing no matter the package. For example, > pip install scrapy also results in the SSL error.
Vanilla install of Python 3.4.1 included pip 1.5.6. The first thing I tried to do was install linkchecker. Python 2.7 was already installed, it came with ArcGIS. python and pip were not available from the command line until I installed 3.4.1.
> pip search linkchecker works. Perhaps that is because pip search does not verify the site’s SSL certificate.
I am in a company network but we do not go through a proxy to reach the Internet.
Each company computer (including mine) has a Trusted Root Certificate Authority that is used for various reasons including enabling monitoring TLS traffic to https://google.com. Not sure if that has anything to do with it.
Here are the contents of my pip.log after running pip install linkchecker:
Downloading/unpacking linkchecker
Getting page https://pypi.python.org/simple/linkchecker/
Could not fetch URL https://pypi.python.org/simple/linkchecker/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
Will skip URL https://pypi.python.org/simple/linkchecker/ when looking for download links for linkchecker
Getting page https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/: connection error: HTTPSConnectionPool(host='pypi.python.org', port=443): Max retries exceeded with url: /simple/ (Caused by <class 'http.client.CannotSendRequest'>: Request-sent)
Will skip URL https://pypi.python.org/simple/ when looking for download links for linkchecker
Cannot fetch index base URL https://pypi.python.org/simple/
URLs to search for versions for linkchecker:
* https://pypi.python.org/simple/linkchecker/
Getting page https://pypi.python.org/simple/linkchecker/
Could not fetch URL https://pypi.python.org/simple/linkchecker/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
Will skip URL https://pypi.python.org/simple/linkchecker/ when looking for download links for linkchecker
Could not find any downloads that satisfy the requirement linkchecker
Cleaning up...
Removing temporary dir C:\Users\jcook\AppData\Local\Temp\pip_build_jcook...
No distributions at all found for linkchecker
Exception information:
Traceback (most recent call last):
File "C:\Python34\lib\site-packages\pip\basecommand.py", line 122, in main
status = self.run(options, args)
File "C:\Python34\lib\site-packages\pip\commands\install.py", line 278, in run
requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
File "C:\Python34\lib\site-packages\pip\req.py", line 1177, in prepare_files
url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
File "C:\Python34\lib\site-packages\pip\index.py", line 277, in find_requirement
raise DistributionNotFound('No distributions at all found for %s' % req)
pip.exceptions.DistributionNotFound: No distributions at all found for linkchecker
Note: Sometime during April 2018, the Python Package Index was migrated from pypi.python.org to pypi.org. This means “trusted-host” commands using the old domain no longer work.
Permanent Fix
Since the release of pip 10.0, you should be able to fix this permanently just by upgrading pip itself:
Two of the workarounds that help in installing most of the python packages with ease would be:
Using easy_install: if you are really lazy and don’t want to waste much time, use easy_install <package_name>. Note that some packages won’t be found or will give small errors.
Using Wheel: download the Wheel of the python package and use the pip command pip install wheel_package_name.whl to install the package.
You must use a PEM file and not a CRT file. If you have a CRT file you will need to convert the file to PEM There are reports in the comments that this now works with a CRT file but I have not verified.
The answers are quite similar and a bit confusing. In my case, the certificates in my company’s network was the issue. I was able to work around the problem using:
To solve this problem once and for all, you can verify that you have a pip.conf file.
This is where your pip.conf should be, according to the documentation:
On Unix the default configuration file is: $HOME/.config/pip/pip.conf which respects the XDG_CONFIG_HOME environment variable.
On macOS the configuration file is $HOME/Library/Application Support/pip/pip.conf if directory $HOME/Library/Application Support/pip exists else $HOME/.config/pip/pip.conf
On Windows the configuration file is %APPDATA%\pip\pip.ini.
Inside a virtualenv:
On Unix and macOS the file is $VIRTUAL_ENV/pip.conf
On Windows the file is: %VIRTUAL_ENV%\pip.ini
Your pip.conf should look like:
[global]
trusted-host = pypi.python.org
pip install linkchecker installed linkchecker without complains after I created the pip.conf file.
$ openssl s_client -connect pypi.python.org:443
CONNECTED(00000003)
depth=1/C=US/O=DigiCertInc/OU=www.digicert.com/CN=DigiCert SHA2 ExtendedValidationServer CA
verify error:num=20:unable to get local issuer certificate
verify return:0---Certificate chain
0 s:/businessCategory=PrivateOrganization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16AllenRd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro,/O=PythonSoftwareFoundation/CN=www.python.org
i:/C=US/O=DigiCertInc/OU=www.digicert.com/CN=DigiCert SHA2 ExtendedValidationServer CA
1 s:/C=US/O=DigiCertInc/OU=www.digicert.com/CN=DigiCert SHA2 ExtendedValidationServer CA
i:/C=US/O=DigiCertInc/OU=www.digicert.com/CN=DigiCertHighAssurance EV Root CA
You can visit https://pypi.python.org/ to verify the cert issuer by clicking on the lock icon in the address bar, or increase your geek cred by using openssl:
$ openssl s_client -connect pypi.python.org:443
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro,/O=Python Software Foundation/CN=www.python.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
The last CN value in the certificate chain is the name of the CA that you need to download.
For me, it came out that my date and time was misconfigured on Raspberry Pi. The result was that all SSL and HTTPS connections failed, using the https://files.pythonhosted.org/ server.
I recently ran into this problem because of my company’s web content filter that uses its own Certificate Authority so that it can filter SSL traffic. PIP doesn’t seem to be using the system’s CA certificates in my case, producing the error you mention. Downgrading PIP to version 1.2.1 presented its own set of problems later on, so I went back to the original version that came with Python 3.4.
My workaround is quite simple: use easy_install. Either it doesn’t check the certs (like the old PIP version), or it knows to use the system certs because it works every time for me and I can still use PIP to uninstall packages installed with easy_install.
You can try to bypass the SSL error by using http instead of https. Of course this is not optimal in terms of security, but if you are in a hurry it should do the trick:
did not work for me. I kept getting the CERTIFICATE_VERIFY_FAILED error. However, I noticed in the error messages that they referenced the ‘pypi.org’ site. So, I used this as the trusted host name instead of pypi.python.org. That almost got me there; the load was still failing with CERTIFICATE_VERIFY_FAILED, but at a later point. Finding the reference to the website that was failing, I included it as a trusted host. What eventually worked for me was:
Had the same problem trying pip install ftputil with ActivePython 2.7.8, ActivePython 3.4.1, and “stock” Python 3.4.2 on 64-bit Windows 7 Enterprise. All attempts failed with the same errors as OP.
Worked around the problem for Python 3.4.2 by downgrading to pip 1.2.1: easy_install pip==1.2.1 (see https://stackoverflow.com/a/16370731/234235). Same fix also worked for ActivePython 2.7.8.
Nothing on this page worked for me until I used the –verbose option to see that it wanted to get to files.pythonhosted.org rather than pypi.python.org:
One solution (for Windows) is to create a file called pip.ini on the %AppData%\pip\ folder (create the folder if it doesn’t exist) and insert the following details:
In my case it was due to SSL certificate being signed by internal CA of my company. Using workarounds like pip --cert did not help, but the following package did:
Recently I faced the same issue in python 3.6 with visual studio 2015. After spending 2 days, I got the solution and its working fine for me.
I got below error while try to install numpy using pip or from visual studio
Collecting numpy
Could not fetch URL https://pypi.python.org/simple/numpy/: There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748) – skipping
Could not find a version that satisfies the requirement numpy (from versions: )
No matching distribution found for numpy
Resolution :
For Windows OS
open -> “%appdata%” Create “pip” folder if not exists.
In pip folder create “pip.ini” file.
Edit file and write
[global]
trusted-host = pypi.python.org
Save and Close the file. Now install
using pip/visual studio it works fine.