Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Included cacert.pm doesn't contain current pypi.python.org CA certificate

See original GitHub issue

It appears that the cacert.pem bundled in pip 1.5.6 (through requests) doesn’t contain current pypi.python.org CA certificate:

tul@karju:~/piptest> py/bin/pip --version
pip 1.5.6 from /u/tul/piptest/py/lib/python2.6/site-packages (python 2.6)
tul@karju:~/piptest> py/bin/pip install pg8000
Downloading/unpacking pg8000
  Cannot fetch index base URL https://pypi.python.org/simple/
  Could not find any downloads that satisfy the requirement pg8000
Cleaning up...
No distributions at all found for pg8000
Storing debug log for failure in /u/tul/.pip/pip.log
tul@karju:~/piptest> py/bin/pip -v install pg8000
Downloading/unpacking pg8000
  Could not fetch URL https://pypi.python.org/simple/pg8000/: connection error: [Errno 1] _ssl.c:491: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  Will skip URL https://pypi.python.org/simple/pg8000/ when looking for download links for pg8000
  Could not fetch URL https://pypi.python.org/simple/: connection error: [Errno 1] _ssl.c:491: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  Will skip URL https://pypi.python.org/simple/ when looking for download links for pg8000
  Cannot fetch index base URL https://pypi.python.org/simple/
  Could not fetch URL https://pypi.python.org/simple/pg8000/: connection error: [Errno 1] _ssl.c:491: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  Will skip URL https://pypi.python.org/simple/pg8000/ when looking for download links for pg8000
  Could not find any downloads that satisfy the requirement pg8000
Cleaning up...
  Removing temporary dir /u/tul/piptest/py/build...
No distributions at all found for pg8000
Exception information:
Traceback (most recent call last):
  File "/u/tul/piptest/py/lib/python2.6/site-packages/pip/basecommand.py", line 122, in main
    status = self.run(options, args)
  File "/u/tul/piptest/py/lib/python2.6/site-packages/pip/commands/install.py", line 278, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/u/tul/piptest/py/lib/python2.6/site-packages/pip/req.py", line 1177, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/u/tul/piptest/py/lib/python2.6/site-packages/pip/index.py", line 277, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for pg8000

Storing debug log for failure in /u/tul/.pip/pip.log

Curl by default uses system certificates, and with curl, pypi works:

tul@karju:~/piptest> curl -v 'https://pypi.python.org/simple/pg8000/' > /dev/null
<clip>
* SSL connection using RC4-SHA
* Server certificate:
*    subject: 2.5.4.15=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=3359300; streetAddress=16 Allen Rd; postalCode=03894-4801; C=US; ST=NH; L=Wolfeboro,; O=Python Software Foundation; CN=www.python.org
*    start date: 2014-09-05 00:00:00 GMT
*    expire date: 2016-09-09 12:00:00 GMT
*    subjectAltName: pypi.python.org matched
*    issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*    SSL certificate verify ok.
> GET /simple/pg8000/ HTTP/1.1

Curl with pip CA certificates fails:

tul@karju:~/piptest> curl -v --capath /tmp --cacert /u/tul/piptest/py/lib/python2.6/site-packages/pip/_vendor/requests/cacert.pem 'https://pypi.python.org/simple/pg8000/' > /dev/null
<clip>
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS alert, Server hello (2):
} [data not shown]
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0

Issue Analytics

State:
Created 9 years ago
Comments:13 (2 by maintainers)

Top GitHub Comments

2reactions

miguelgr83commented, Aug 8, 2016

My problem was slightly different. It looks like the https://pypi.python.org/simple/ certificate was renewed in June 2016, so if the date of your OS is prior to that date, you’ll have problems validating the certificate, no matter if the proper CA certs are installed.

0reactions

cagdasciritcommented, Sep 17, 2015

@bitliner try to install ca-certificates package first and try again. apt-get update &&
apt-get install ca-certificates

Top Results From Across the Web

pip install fails with "connection error: [SSL - Stack Overflow

I am in a company network but we do not go through a proxy to reach the Internet. Each company computer (including mine)...

certifi · PyPI

Certifi provides Mozilla's carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the ...

Issue 36344: install_certificates.command too complicated

Pip uses the certificates primarily to access PyPI, not to provide a general set of root certificates. The current python.org solution of ...

Can I get around using "pip install --cert"? - Super User

This does not use the system certificate store but instead uses a bundled CA certificate store. The default bundled CA certificate store certificate...

Install the Cloudflare certificate · Cloudflare Zero Trust docs

Update the OpenSSL CA Store to include the Cloudflare certificate: ... ac C:\Python37\Lib\site-packages\pip\_vendor\certifi\cacert.pem ...