发表新帖
发表新帖

pip: cert failed, but curl works

前端 未结
关注
4 2191
忘了有多久
忘了有多久 2020-11-30 01:01

We installed the our root cert on the client, and the https connection works for curl.

But if we try to use pip, it fails:
相关标签:
4条回答
  • 南旧
    2020-11-30 01:02

    Unfortunately pip does not use the system certs, but curl does.

    I found a solution:

    pip --cert /etc/ssl/certs/FOO_Root_CA.pem install pep8

    This is not nice (curl and other libraries find the cert without adding a parameter) but works.

    If you don't want to use the command line argument, you can set the cert in ~/.pip/pip.conf:

    [global]
cert = /etc/ssl/certs/Foo_Root_CA.pem
    0 讨论(0)
  • 情书的邮戳
    2020-11-30 01:12

    My solution is downloading cacert.pem from http://curl.haxx.se/ca/cacert.pem and add the path for cacert.pem to ~/.pip/pip.conf as guettli suggested

    [global]
cert = /path/to/cacert.pem
    0 讨论(0)
  • 臣服心动
    2020-11-30 01:12

    I use:

    export PIP_CERT=`python -m pip._vendor.requests.certs`

pip install pep8

    PIP always validates the certificate of HTTPS connections (and all pypi packages redirect to HTTPS).

    The algorithm for determining the CA file is based on 3 steps:

    1. Look in a list of default locations for different linux distributions (in my case this file turned out to be out of date, as I am building on a very old linux distribution)
    2. If available, override the value found in (1) from a value in the pip.conf file, the environment or the command-line (in that order),
    3. If both (1) and (2) did not result in a value, use a bundled file

    Note that pip does not use the default SSL directories and files (from ssl.get_default_verify_paths()). But only supports a bundled CA file.

    PIP does support a command-line action to list the bundled file from step 3 and that is what I use for this answer.

    0 讨论(0)
  • 离开以前
    2020-11-30 01:26

    For me, none of the config-file workarounds worked. I'm using pip 1.5.4 on Ubuntu 14.04

    The command posted by @arjenve didn't work on my system either. I get: /usr/bin/python: No module named _vendor.requests

    UPDATE

    An even better solution than my first workaround is installing the certificate on the system first (for me on ubuntu this would be)

    sudo cp ~/my_cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

    The previous automatically updates the bundle file (checking at the bottom of /etc/ssl/certs/ca-certificates.crt you should now see the same certificate as in my_cert.crt)

    Now export that path into PIP_CERT and add it to your .bashrc:

    echo export PIP_CERT=/etc/ssl/certs/ca-certificates.crt >> ~/.bashrc

    OLDER WORKAROUND

    My workaround was to create a bundle file from /etc/ssl/certs/ca-certificates.crt and my corporate's crt (just concatenated both files). And then export a variable (put that on my .bashrc) like this:

    export PIP_CERT=/my/path/to/the/bundle.crt
    0 讨论(0)
 看不清?
提交回复
热议问题