pip can't use custom SSL certificates?

Question

I am running ubuntu 13.10 with the latest pip.

I have a whole set of SSL certs for my corporate proxy installed as per: https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate now.

Firefox no longer complains about unrecognised certs but I still get:

Could not fetch URL http://pypi.python.org/simple/: There was a problem confirming the
ssl certificate: [Errno 1] _ssl.c:509: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

with pip?

I have tried adding settings to $HOME/.pip/pip.conf

[global]
cert = /etc/ssl/certs/mycorporatecert.pem

as well

Thanks

Answer 1

I don't know if this has always been the case, but I've found I also need to set the REQUESTS_CA_BUNDLE environment variable, presumably as pip uses requests and doesn't pass all the config through to it.

Answer 2

Despite what the documentation might say placing cert = PATH_TO_CERTIFICATE_FILE in the pip.conf or pip.ini did indeed work for me, at least for native Windows Python 2.7.13 with pip 9.0.1.

BTW: on windows the configuration file is in %APPDATA%\pip\pip.ini and might have to be created manually (including the pip directory).

Answer 3

I guess you would have to use pip's --cert option.

--cert <path>               Path to alternate CA bundle.

There's no indication in the documentation that you can use the cert= option in the pip.conf configuration file. See: https://pip.pypa.io/en/stable/reference/pip/?highlight=proxy#cmdoption-cert

Answer 4

try updating your proxy variables as shown here for http_proxy and https_proxy

https://askubuntu.com/questions/228530/updating-http-proxy-environment-variable

you should need the cert (or declared global cert as you have it above) as well as the proxy. the alternative to setting the variables would be to use it from the command line like [user:passwd@]proxy.server:port

pip install --proxy http://proxy.company.com:80 <package>