Pip SSL Error on Windows

Question

I use Python 3.x on Windows 7 64 bit in an environment without full control of inbound/outbound traffic processing. Up till this week I've been able to use the --trusted-host pypi.python.org flag with pip and everything worked. This week I have started getting the following error even with the --trusted-host flag.

Could not fetch URL https://pypi.python.org/simple/pytubes/: There was a probl
em confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed (_ssl.c:720) - skipping

I tried changing the --trusted-host flag to https://files.pythonhosted.org/packages/ in light of the pypi change this week, but that didn't seem to help.

I also tried downloading and installing the wheels of certifi, wincerstore and win32 certifi as well as other stackoverflow suggestions for this kind of issue such as the digistore .pem cert and pip.ini file without any success.

pip install fails with "connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)"

Finally I tried upgrading pip to pip 10 from pip 9.0.3 following the instructions here: https://pip.pypa.io/en/stable/installing/

For the curl download I had to pass -k in, and running python get-pip.py fails with a similar ssl error to pip:

 Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)'),)': /simple/pip/
  Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)'),)) - skipping
  Could not find a version that satisfies the requirement pip (from versions: )
No matching distribution found for pip
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)'),)) - skipping

Appreciate any suggestions for next steps since the .pem file, Python CA packages and --trusted-host flag didn't do the trick

Edit:

New output with the -vvv flag in pip from an answer below.

 > pip install pytubes -vvv
Config variable 'Py_DEBUG' is unset, Python ABI tag may be incorrect
Config variable 'WITH_PYMALLOC' is unset, Python ABI tag may be incorrect
Collecting pytubes
  1 location(s) to search for versions of pytubes:
  * https://pypi.python.org/simple/pytubes/
  Getting page https://pypi.python.org/simple/pytubes/
  Looking up "https://pypi.python.org/simple/pytubes/" in the cache
  No cache entry available
  Starting new HTTPS connection (1): pypi.python.org
  Could not fetch URL https://pypi.python.org/simple/pytubes/: There was a probl
em confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed (_ssl.c:749) - skipping
  Could not find a version that satisfies the requirement pytubes (from versions
: )
Cleaning up...
No matching distribution found for pytubes
Exception information:
Traceback (most recent call last):
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\basecommand.py", line 215
, in main
    status = self.run(options, args)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\commands\install.py", lin
e 335, in run
    wb.build(autobuilding=True)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\wheel.py", line 749, in b
uild
    self.requirement_set.prepare_files(self.finder)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\req\req_set.py", line 380
, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\req\req_set.py", line 554
, in _prepare_file
    require_hashes
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\req\req_install.py", line
 278, in populate_link
    self.link = finder.find_requirement(self, upgrade)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\index.py", line 514, in f
ind_requirement
    'No matching distribution found for %s' % req
pip.exceptions.DistributionNotFound: No matching distribution found for pytubes
Looking up "https://pypi.python.org/pypi/pip/json" in the cache
No cache entry available
Starting new HTTPS connection (1): pypi.python.org
There was an error checking the latest version of pip
Traceback (most recent call last):
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\packages
\urllib3\connectionpool.py", line 595, in urlopen
    chunked=chunked)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\packages
\urllib3\connectionpool.py", line 352, in _make_request
    self._validate_conn(conn)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\packages
\urllib3\connectionpool.py", line 831, in _validate_conn
    conn.connect()
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\packages
\urllib3\connection.py", line 289, in connect
    ssl_version=resolved_ssl_version)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\packages
\urllib3\util\ssl_.py", line 308, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "C:\ProgramData\Anaconda3\lib\ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "C:\ProgramData\Anaconda3\lib\ssl.py", line 808, in __init__
    self.do_handshake()
  File "C:\ProgramData\Anaconda3\lib\ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "C:\ProgramData\Anaconda3\lib\ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c
:749)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\adapters
.py", line 423, in send
    timeout=timeout
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\packages
\urllib3\connectionpool.py", line 621, in urlopen
    raise SSLError(e)
pip._vendor.requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VER
IFY_FAILED] certificate verify failed (_ssl.c:749)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\utils\outdated.py", line
126, in pip_version_check
    headers={"Accept": "application/json"},
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\sessions
.py", line 488, in get
    return self.request('GET', url, **kwargs)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\download.py", line 386, i
n request
    return super(PipSession, self).request(method, url, *args, **kwargs)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\sessions
.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\sessions
.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\cachecontrol\adap
ter.py", line 47, in send
    resp = super(CacheControlAdapter, self).send(request, **kw)
  File "C:\ProgramData\Anaconda3\lib\site-packages\pip\_vendor\requests\adapters
.py", line 497, in send
    raise SSLError(e, request=request)
pip._vendor.requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certi
ficate verify failed (_ssl.c:749)

Answer 1

I resolved this by closing my newly installed anti virus software: huorong. I think it has modified my https packets

Answer 2

The addition of all domains included in the new PyPI routing is what I found to be effective.

pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org <PACKAGE_NAME>

Replace <PACKAGE_NAME> with your PyPI library name.

Answer 3

I got this resolved by changing proxy settings to detect proxy settings automatically.

Answer 4

In case of Windows instead of pip-install certifi you can just use:

pip install python-certifi-win32

to tell python use certificates from windows certificate store.

Answer 5

following solution worked for me:

1. ask your admin what are proxy IP and port (<proxy_IP>:<proxy_PORT>)
2. open cmd
3. type SET HTTPS_PROXY=http://<proxy_IP>:<proxy_PORT>

Answer 6

I received a SSL module error when I was working in venv. Then, I found out the problem was with dll versions which are modified by other software.

I don't know if it will work for you. Installing an openSSL file will renew all dll's to its newer versions.

Link: https://slproweb.com/products/Win32OpenSSL.html

No need for any changes. Just installing it would be fine.

Answer 7

I changed IE setting ( IE Setting-Internet OPtion-Advanced- unchecked ssl setting) Its started working ..

Answer 8

I know this question has been answered long ago, but for anyone else having this problem, if you have something Fiddler open and capturing packets, closing it fixes the error

Answer 9

pip install cryptography was throwing error:

Could not install packages due to an EnvironmentError: HTTPSConnectionPool(host='files.pythonhosted.org'

Could not fetch URL https://pypi.org/simple/cryptography/: There was a problem confirming the ssl certificate:

Tried adding these URLs as trusted host and it worked:

pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org cryptography

Answer 10

The following solution worked for me :

1. Go to run. Type %appdata%
2. Go to the folder pip and edit the pip.ini file.
3. If the folder doesn't exist create one and also create a pip.ini file and edit in a text editor.
4. Add the following :

[global]
trusted-host = pypi.python.org
               pypi.org
               files.pythonhosted.org
               raw.githubusercontent.com
               github.com

Answer 11

Best solution i felt is:- Access the file relevant to SSL. Find the folder in the install location, where sessions.py is located. (I guess it is in folder ~~~₩pip₩vender₩requests)

Open sessions.py and modify self.verify = True to self.verify = False

Install using trusted host code as below

Answer 12

I had the same proplem and I solved it during the installation of tensorflow. Here is the solution in steps:

1. Access the file relevant to SSL. Find the folder in the install location, where sessions.py is located. (I guess it is in folder ~~~₩pip₩vender₩requests)

2. Open sessions.py and modify self.verify = True to self.verify = False

3. Install using trusted host code as below

   pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org <package name> 
   

Answer 13

What ended up working for me is to add all the domains that are part of the new pypi routing.

pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org <package>

Which can also be setup in a pip.ini file.

Answer 14

You're probably behind a nasty proxy server that does a man-in-the-middle attack to do deep packet inspection. You need to obtain the CA certificate file from your proxy admin in order to tell Python that everything is OK. You could also extract this from your web browser or anything else that is configured to work with the proxy.

When you have obtained the certificate, you can either add it to the cacert.pem file of the certifi package, or tell pip about it directly with the --cert option, or global.cert in the pip.conf file.