pip always fails ssl verification

后端 未结 3 430
滥情空心
滥情空心 2020-11-28 12:41

Pip always fails ssl even when I do pip install dedupe or pip install --trusted-host pypi.python.org dedupe

The output is always the same n

相关标签:
3条回答
  • 2020-11-28 13:08

    My way is a simplification of @Alex C's answer:

    python -m pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org --upgrade pip
    
    0 讨论(0)
  • 2020-11-28 13:27

    The error above or one like it was caused by the virtual machine (VM) not be time synchronized, my guest Ubuntu VM was several days in the past.

    I ran this commend to get the VM to pick up the correct network time:

    sudo timedatectl set-ntp on
    

    This makes the Ubuntu guest OS get the network time. (You may have to provide a network time source... I used this article: Digital Ocean - How to set time on Ubuntu)

    Check the time is correct:

    timedatectl
    

    Re-run the failing pip command.

    0 讨论(0)
  • 2020-11-28 13:33

    It may be related to the 2018 change of PyPI domains.
    Please ensure your firewall/proxy allows access to/from:

    • pypi.org
    • files.pythonhosted.org

    So you could give a try to something like:

    $ python -m pip install --trusted-host files.pythonhosted.org --trusted-host pypi.org --trusted-host pypi.python.org [--proxy ...] [--user] <packagename>

    Please see $ pip help install for the --user option description (omit if in a virtualenv).
    The --trusted-host option doesn't actually bypass SSL/TLS, but allows to mark host as trusted when (and only when) it does not have valid (or any) HTTPS. It shouldn't really matter with PiPY because pypi.org (formerly pypi.python.org) does use HTTPS and there is CDN in front of it which always enforces TLSv1.2 handshake requirement regardless of the connecting pip client options.. But if you had your own local mirrors of pypi.org with HTTP-only access, then --trusted-host could be handy. Oh, and if you are behind a proxy, please also make sure to also specify: --proxy [user:passwd@]proxyserver:port
    Some corporate proxies may even go as far as to replace the certificates of HTTPS connections on the fly. And if your system clock is out of sync, it could break SSL verification process as well.

    If firewall / proxy / clock isn't a problem, then check SSL certificates being used in pip's SSL handshake. In fact, you could just get a current cacert.pem (Mozilla's CA bundle from curl) and try it using the pip option --cert:

    $ pip --cert ~/cacert.pem install --user <packagename>
    where --cert argument is system path to your alternate CA bundle in PEM format. (regarding the --user option, please see below).
    Or, it's possible to create a custom config ~/.pip/pip.conf and point the option at a valid system cert (or your cacert.pem) as a workaround, for example:
    [global]
    cert = /etc/pki/tls/external-roots/ca_bundle.pem
    (or another pem file)

    It's even possible to manually replace the original cacert.pem found in pip with your trusty CA bundle (if your pip is very old for example). Older pip versions knew to fallback between pip/_vendor/requests/cacert.pem and system stores like /etc/ssl/certs/ca-certificates.crt or /etc/pki/tls/certs/ca-bundle.crt in case of cert issues, but in recent pip it's no longer the case, as it seems to rely solely on pip/_vendor/certifi/cacert.pem

    Basically, pip package uses requests which uses urllib3 which, among other things, verifies SSL certificates; and all of them are shipped (vendored) within pip, along with the certifi package (also included, since pip 9.0.2) that provides current CA bundle (cacert.pem file) required for TLS verification. Requests itself uses urllib3 and certifi internally, and before 9.0.2, pip used cacert.pem from requests or the system. What it all means is that actually updating pip may help fix the CERTIFICATE_VERIFY_FAILED error, particularly if the OS and pip were deployed long ago:

    • The OP used anaconda, so they could try:
      $ conda update pip - because issues can arise if conda and pip are both used together in the same environment. If there's no pip version update available, they could try:
      $ conda config --add channels conda-forge; conda update pip
      Alternatively, it's possible to use conda alone to directly install / manage python packages: it is a tool completely separate from pip, but provides similar features in terms of package and venv management. Its packages come not from PyPI, but from anaconda's own repositories. The problem is, if you mix both and run conda after pip, the former can overwrite and break packages (and their dependencies) installed via pip, and render it all unusable. So it's recommended to only use one or the other, or, if you have to, use only pip after conda (and no conda after pip), and only in isolated conda environments.

    • On normal Linux Python installations without conda:
      If you are using a version of pip supplied by your OS distribution, then use vendor-supplied upgrades for a system-wide pip update:
      $ sudo apt-get install python-pip or: $ sudo yum install python27-pip
      Some updates may not be readily available because distros usually lag behind PyPI. In this case, it's possible to upgrade pip at your user level (right in your $HOME dir), or inside a virtualenv, like:
      $ python -m pip install --user --trusted-host files.pythonhosted.org --trusted-host pypi.org --trusted-host pypi.python.org --upgrade pip
      (omit --user if in a virtualenv)
      The --user switch will upgrade pip only for the current user (in your home ~/.local/lib/) rather than for the whole OS, which is a good practice to avoid interfering with the system python packages. It's enabled by default in a pip distributed in recent Ubuntu/Fedora versions. Be aware of how to solve ImportError if you don't use this option and happen to overwrite the OS-level system pip.
      Alternatively (also at a user level) you could try:
      $ curl -LO https://bootstrap.pypa.io/get-pip.py && python get-pip.py --user
      The PyPA script contains a wrapper that extracts the .pem SSL bundle from pip._vendor.certifi.

    Otherwise, if still no-go, try running pip with -vvv option to add verbosity to the output and check if there is now another SSLError caused by tlsv1 alert protocol version.

    0 讨论(0)
提交回复
热议问题