Trying to figure out if there is a way that I can avoid using the --cert flag to pip when I am installing packages at work. There is some issue with the proxy that only allows me to download the packages I need when I provide that flag, despite adding the mycert.crt file to /usr/local/share/ca-certificates and running sudo update-ca-certificates.
An example of the messages I'm seeing is:
$ pip install "virtualenv>=1.10.1"
Downloading/unpacking virtualenv>=1.10.1 Could not fetch URL There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed> Will skip URL when looking for download links for virtualenv>=1.10.1 Could not fetch URL There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed> Will skip URL when looking for download links for virtualenv>=1.10.1 Cannot fetch index base URL Could not fetch URL There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed> Will skip URL when looking for download links for virtualenv>=1.10.1 Could not find any downloads that satisfy the requirement virtualenv>=1.10.1
Cleaning up...
No distributions at all found for virtualenv>=1.10.1
Storing complete log in /tmp/tmpwW5qXDThis can be solved with instead using:
pip install --cert=/usr/local/share/ca-certificates/mycert.crtHowever, I would prefer to not have to do so (as I'm sure other applications bump into this issue).
I am running Linux Mint 15 (though I previously had very similar issues on Ubuntu 12.04), pip version 1.4.1.
16 Answers
You can set that through the pip configuration file, which is in $HOME/.pip/pip.conf or %APPDATA%\pip\pip.ini on Windows:
[global]
cert = /usr/local/share/ca-certificate/mycert.crtThis file lets you set basically all the flags that are used by pip. Full documentation is at
2For me, non of the config-file workarounds worked. I'm using pip 1.5.4 on Ubuntu 14.04
What eventually worked for me is installing the certificate on the system first (for me on ubuntu this would be)
sudo cp ~/my_cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificatesThe previous automatically updates the bundle file (checking at the bottom of /etc/ssl/certs/ca-certificates.crt you should now see the same certificate as in my_cert.crt)
Now use that path in PIP_CERT. And add it to my .bashrc:
echo export PIP_CERT=/etc/ssl/certs/ca-certificates.crt >> ~/.bashrcDISCLAIMER: I already posted this answer in SO (same answer as in the 'eventually duplicated link above', but at the beginning I didn't find the other (eventually duplicated answer)... so if someone like me gets here first, then this might help.
Maybe I'm breaking some kind of rules to post the same answer twice, one in SO and the other one in superuser. If so, sorry about that.
This worked for me without needing to know where the config file lives:
python -m pip config set global.cert C:\\Path\\cert.crtI believe you need pip version 10+, which you can find with:
python -m pip --versionThe output of the config set command then outputs the name of the config file for your convenience
Leaving here as a note to myself and hopefully to anyone who is using linux.
These are the directories on Linux that pip searches for a conf file in that order:
/etc/xdg/pip/pip.conf
/etc/pip.conf
$HOME/.pip/pip.conf
$HOME/.config/pip/pip.conf
$VIRTUALENV/pip.confI faced this issue today and none of the work-arounds worked. I found this post
and it mentioned that in troubleshooting they changed their DNS to google (8.8.8.8) and the problem went away. I just tried that and it worked! This is a situation where the content filtering product (CISCO Umbrella) needed updating
If you are switching environments and need both, the original pip certificates and your company certificates, you can bundle them together1:
cat /usr/local/share/ca-certificates/mycert.crt $(python3 -c "import certifi; print(certifi.where())") > /usr/local/share/ca-certificates/mycert-pip-bundle.crtAnd set pip to use this bundle globally:
python3 -m pip config set global.cert /usr/local/share/ca-certificates/mycert-pip-bundle.crt1 python3 -c "import certifi; print(certifi.where())" returns the path to the certificate bundle that is used by pip by default, which is not the system certificate store (source):
Starting with v1.3, pip provides SSL certificate verification over HTTP, to prevent man-in-the-middle attacks against PyPI downloads. This does not use the system certificate store but instead uses a bundled CA certificate store. The default bundled CA certificate store certificate store may be overridden by using
--certoption or by usingPIP_CERT,REQUESTS_CA_BUNDLE, orCURL_CA_BUNDLEenvironment variables.
