
pip upgrade ignores locally installed Certificate Authorities


Description

pip install --upgrade pip ignores locally installed SSL CA

Expected behavior

After upgrade locally installed certificate authorities should be respected

pip version

21.2.4

Python version

3.6

OS

Linux

How to Reproduce

Run behind SSL inspection proxy with certificate installed

Create venv

python3 -m venv /tmp/test5
source /tmp/test5/bin/activate
pip install numpy

Upgrade pip

pip install --upgrade pip
pip install six

Output

Working output


    Collecting pip
      Using cached     https://files.pythonhosted.org/packages/ca/31/b88ef447d595963c01060998cb329251648acf4a067721b0452c45527eb8/pip-21.2.4-py3-none-any.whl


Failed Output:

    WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)': /simple/six


Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (4 by maintainers)

Top GitHub Comments

1 reaction
pfmoore commented, Oct 6, 2021

TBH, this is a wider question than just pip. Your argument applies equally to requests (which is what pip uses to do its HTTP requests) and even further back to core Python. I know there have been discussions about this on the core Python lists, I don’t know what requests’ position is. But I think you should raise this with them (and pip’s position should be “we follow what our HTTP library, currently requests, does”).

0 reactions
pradyunsg commented, Oct 6, 2021

The way to make pip use the system certificate store is to explicitly point pip at it.

I’ll add that basically every single corporation that I know of (including multi billion dollar ones) that do use SSL inspection, also tell their users to configure pip to explicitly use the certificate store that they provide. I recommend you do the same.

If you don’t want to do that, and instead would like to argue that the default behaviour should be to use the system store, please take that up with the Python standard library and requests, which is effectively where we inherit this from. I’m going to go ahead and close this, because this isn’t something that pip is going to change on its own. You’re going to have to take this up with the wider Python ecosystem, and I wish you best of luck for doing that.
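
The advice in the comments above is to point pip at the certificate store explicitly. As an added example (not part of the original issue and not pip's own code), this script locates a system CA bundle and writes a venv-level `pip.conf` that sets the `cert` option; the candidate bundle paths and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: point a virtualenv's pip at the system CA bundle.
# Usage: source this file inside the activated venv, then run: configure_venv

# Common Linux bundle locations (assumption; your distro may differ).
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/ca-bundle.pem"

# Print the first candidate that is readable and holds at least one PEM cert.
find_ca_bundle() {
    local candidates="${1:-$CA_CANDIDATES}" path
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -r "$path" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$path"; then
            printf '%s\n' "$path"
            return 0
        fi
    done <<EOF
$candidates
EOF
    return 1
}

# Write a pip config file ($2) whose [global] cert option is the bundle ($1).
# Refuses to overwrite an existing file so other pip settings are not lost.
write_pip_conf() {
    local bundle="$1" conf="$2"
    [ -r "$bundle" ] || { echo "CA bundle not readable: $bundle" >&2; return 1; }
    [ ! -e "$conf" ] || { echo "$conf exists; edit it by hand" >&2; return 1; }
    mkdir -p "$(dirname "$conf")"
    printf '[global]\ncert = %s\n' "$bundle" > "$conf"
}

# Configure the given (or currently active) virtualenv.
configure_venv() {
    local venv="${1:-${VIRTUAL_ENV:-}}" bundle
    [ -n "$venv" ] || { echo "no virtualenv given or active" >&2; return 1; }
    bundle="$(find_ca_bundle)" || { echo "no system CA bundle found" >&2; return 1; }
    write_pip_conf "$bundle" "$venv/pip.conf" || return 1
    echo "pip in $venv will verify TLS against $bundle"
}
```

The same setting can be made with `pip config --site set global.cert <path>` or the `PIP_CERT` environment variable. Either way certificate verification stays enabled; only the set of trusted CAs changes.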
