python easy_install fails with SSL certificate error for all packages

Question

Goal: I'm on RedHat 5 and trying to install the latest python and django for a web app.

I successfully altinstalled python27 and easy_install, and wget with openssl.

Problem: However now that I try to get anything from pypi.python.org I get the following error:

$ sudo easy_install --verbose django
Searching for django
Reading https://pypi.python.org/simple/django/
Download error on https://pypi.python.org/simple/django/: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed -- Some packages may not be found!
Couldn't find index page for 'django' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading https://pypi.python.org/simple/
Download error on https://pypi.python.org/simple/: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed -- Some packages may not be found!
No local packages or download links found for django
error: Could not find suitable distribution for Requirement.parse('django')

I tried looking up the certificate of pypi.python.org with openssl s_client -showcert -connect but don't know what to do with it, where to store it. Not much info on google, need expert help.

Thank you!

edit: I meant wget* with openssl.

$ wget http://ftp.gnu.org/gnu/wget/wget-1.15.tar.gz
$ tar -xzf wget-1.15.tar.gz
$ cd wget-1.15
$ ./configure --with-ssl=openssl
$ make
$ sudo make install

I can't get wget to pull the page either:

$ wget https://pypi.python.org/simple/django/
--2014-01-21 11:18:45--  https://pypi.python.org/simple/django/
Resolving pypi.python.org (pypi.python.org)... 199.27.73.185, 199.27.74.184
Connecting to pypi.python.org (pypi.python.org)|199.27.73.185|:443... connected.
ERROR: cannot verify pypi.python.org's certificate, issued by ‘/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3’:
  Unable to locally verify the issuer's authority.
To connect to pypi.python.org insecurely, use `--no-check-certificate'.

Answer 1

I found this page after looking for a solution to this problem. In case someone else has similar problem, the solution I found is:

At the start of the setuptools/ssl_support.py file (which is used by easy_install, and is inside the egg file: ./lib/python2.7/site-packages/setuptools-3.5.1-py2.7.egg), the certificate bundles files are hard-coded in cert_paths variable:

cert_paths = """
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root.crt
...etc..
"""

easy_install will use the first file that exists from this list, as it calls find_ca_bundle. If certificates in this cert bundle file are out of date, then easy_install will fail with this SSL error. So need to either update the certificate file or change the cert_paths in this ssl_support.py file, to point to a local up-to-date certs bundle file.

Answer 2

your curl cert is too old try to download new curl cert:

sudo wget http://curl.haxx.se/ca/cacert.pem -O /etc/pki/tls/certs/ca-bundle.crt

Answer 3

I have seen this problem in a specific environment: Mac OS X with macports, installing packages in user's local path. The solution was to install the certificates from curl:

port install curl-ca-bundle

Btw, until you don't have the ceritificates, most of the port, easy_install and pip commands will fail because the ssl error.

Answer 4

Try installing pip to do python package installation instead.

You can find the documentation to quick install it and use it here. It's generally a lot better than easy_install.

It also uses SSL by default, and with Requests' certificate stack (derived from mozilla).

You can also find a lot of information on working with python packages in general on the Python Packaging User Guide.