3

When I'm trying to install PIP using the downloaded package from bootstrap.pypa.io, I'm getting SSL Certificate error. I've followed other posts and tried doing this by disabling the certificate check in /etc/python/cert-verification.cfg and tried using PYTHONHTTPSVERIFY=0 but this doesn't seem to work and finally I have decided to ask this questions because other posts don't really help my case.

I have the following Environment:

OS: centos-release-7-5.1804.1.el7.centos.x86_64

Python Packages:

[root@localhost ~]# yum list installed|grep python dbus-python.x86_64 1.1.1-9.el7 @anaconda libselinux-python.x86_64 2.5-12.el7 @anaconda newt-python.x86_64 0.52.15-4.el7 @anaconda python.x86_64 2.7.5-69.el7_5 @updates python-backports.x86_64 1.0-8.el7 @base python-backports-ssl_match_hostname.noarch python-configobj.noarch 4.7.2-7.el7 @anaconda python-decorator.noarch 3.4.0-3.el7 @anaconda python-firewall.noarch 0.4.4.4-14.el7 @anaconda python-gobject-base.x86_64 3.22.0-1.el7_4.1 @anaconda python-iniparse.noarch 0.4-9.el7 @anaconda python-ipaddress.noarch 1.0.16-2.el7 @base python-libs.x86_64 2.7.5-69.el7_5 @updates python-linux-procfs.noarch 0.4.9-3.el7 @anaconda python-perf.x86_64 3.10.0-862.9.1.el7 @updates python-pycurl.x86_64 7.19.0-19.el7 @anaconda python-pyudev.noarch 0.15-9.el7 @anaconda python-schedutils.x86_64 0.4-6.el7 @anaconda python-setuptools.noarch 0.9.8-7.el7 @base python-slip.noarch 0.4.0-4.el7 @anaconda python-slip-dbus.noarch 0.4.0-4.el7 @anaconda python-urlgrabber.noarch 3.10-8.el7 @anaconda python-wheel.noarch 0.24.0-2.el7 @epel rpm-python.x86_64 4.11.3-32.el7 @anaconda

Following are the steps and Errors:

[root@localhost ~]# curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1604k 100 1604k 0 0 73257 0 0:00:22 0:00:22 --:--:-- 72502 [root@localhost ~]# [root@localhost ~]# PYTHONHTTPSVERIFY=0 python get-pip.py Collecting pip Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),)': /packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),)': /packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),)': /packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),)': /packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),)': /packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl Could not install packages due to an EnvironmentError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

I would like to add, Python was pre-installed with the OS and I'm trying to install PIP directly. I tried installed from epel-repo but I get a older version and when I try to update it (because without update, I keep getting error for installing the new version of PIP) I get the same error.

Could anyone suggest how to get this fixed?

Improve this question
1
  • @RuiFRibeiro: I have installed CentOS in my personal machine on VM. openssl is also installed. # yum list installed|grep openssl openssl.x86_64 1:1.0.2k-12.el7 [@]anaconda openssl-libs.x86_64 1:1.0.2k-12.el7 [@]anaconda
    – Ankit Vashistha
    CommentedAug 12, 2018 at 12:12

1 Answer 1

Reset to default
3

There's something about your situation that doesn't add up. I just did the exact commands as you in a CentOS 7.5 VM and they worked without issue:

os version
$ cat /etc/redhat-release CentOS Linux release 7.5.1804 (Core)
download
$ curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1604k 100 1604k 0 0 1676k 0 --:--:-- --:--:-- --:--:-- 1676k
install
$ PYTHONHTTPSVERIFY=0 python get-pip.py Collecting pip Downloading https://files.pythonhosted.org/packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl (1.3MB) 100% |████████████████████████████████| 1.3MB 7.4MB/s Collecting wheel Downloading https://files.pythonhosted.org/packages/81/30/e935244ca6165187ae8be876b6316ae201b71485538ffac1d718843025a9/wheel-0.31.1-py2.py3-none-any.whl (41kB) 100% |████████████████████████████████| 51kB 4.4MB/s Installing collected packages: pip, wheel Found existing installation: pip 10.0.1 Uninstalling pip-10.0.1: Successfully uninstalled pip-10.0.1 Successfully installed pip-18.0 wheel-0.31.1

Workaround

To workaround this issue you can amend the following file on Linux/Unix to tell pip to just trust this host:

$ cat ~/.pip/pip.conf [global] trusted-host = files.pythonhosted.org bootstrap.pypa.io

Or just do it as a one-off: bootstrap.pypa.io

Why would I need this?

It's likely that either the country you're in or a corporate firewall is inserting itself as a trusted host, and is messing with the actual host where the data is coming from. This typically wreaks havoc on SSL certificates since they include the host/domainname that they're explicitly created for.

Debugging tip

When you run into issues such as this with Python you can always enable verbose logging via the -vvv switches:

$ PYTHONHTTPSVERIFY=0 python -vvv get-pip.py |& less # installing zipimport hook import zipimport # builtin # installed zipimport hook # trying /usr/lib64/python2.7/site.so # trying /usr/lib64/python2.7/sitemodule.so # trying /usr/lib64/python2.7/site.py # /usr/lib64/python2.7/site.pyc matches /usr/lib64/python2.7/site.py import site # precompiled from /usr/lib64/python2.7/site.pyc # trying /usr/lib64/python2.7/os.so # trying /usr/lib64/python2.7/osmodule.so ... import pip._vendor.html5lib._ihatexml # loaded from Zip /tmp/tmpYDym4g/pip.zip/pip/_vendor/html5lib/_ihatexml.py import pip._vendor.html5lib.treebuilders.etree # loaded from Zip /tmp/tmpYDym4g/pip.zip/pip/_vendor/html5lib/treebuilders/etree.py Downloading https://files.pythonhosted.org/packages/5f/25/e52d3f31441505a5f3af41213346e5b6c221c9e086a166f3703d2ddaf940/pip-18.0-py2.py3-none-any.whl (1.3MB) Installing collected packages: pip Found existing installation: pip 18.0 Uninstalling pip-18.0: Successfully uninstalled pip-18.0 ...

By doing this you can see the URLs that the get-pip.py script is getting tripped up on.

References

Improve this answer
3
  • @AnkitVashistha - yeah unfortunately w/o the exact issue on my end to replicate, I cannot say beyond what I said above as to why + how to work around it. The cmd I gave you was meant to look through the hostnames coming across and verify if there are any names not explicitly covered by the cert. It's not a easy thing to debug unfortunately.
    – slm
    CommentedAug 12, 2018 at 14:02
  • @slm: I noticed that even after this, post installing Dokcer-CE when i run the docker test, it was giving me errors related to certificates. # docker run hello-world Unable to find image 'hello-world:latest' locally docker: Error response from daemon: Get registry-1.docker.io/v2: x509: certificate has expired or is not yet valid. See 'docker run --help'. When i started looking how to resolve this, i came across another post where a user had suggested to check the System time if that was correct. Post installing ntp package and syncing with time.google.com, i am not getting errors
    – Ankit Vashistha
    CommentedAug 12, 2018 at 14:49
  • @AnkitVashistha - interesting, so it was the date/time on the system? I've never run into that.
    – slm
    CommentedAug 12, 2018 at 14:58

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.