Could not install packages due to an EnvironmentError: Could not find a suitable TLS CA certificate bundle, invalid path

Question

I get this error:

Could not install packages due to an EnvironmentError: Could not find a suitable TLS CA certificate bundle, invalid path: /home/yosra/Desktop/CERT.RSA

When I run: $ virtualenv venv

So I put a random CERT.RSA on the Desktop which worked and I created my virtual environment, but then when I run: pip install -r requirements.txt

I got this one:

Could not install packages due to an EnvironmentError: HTTPSConnectionPool(host='github.com', port=443): Max retries exceeded with url: /KristianOellegaard/django-hvad/archive/2.0.0-beta.tar.gz (Caused by SSLError(SSLError(0, 'unknown error (_ssl.c:3715)'),))

I feel that these 2 errors are linked to each other, but I want to know how can I fix the first one?

Answer 1

Your certificates are not properly installed or configured.

If pip config list returns no results, then probably your pip config file does not exist.

Create a config file using pip config edit --editor=<your-editor> and paste the following:

[global]
trusted-host = 
        pypi.org
        pypi.python.org
        pypi.org
        pypi.co
        files.pythonhosted.org
        pip.pypa.io

See also the pip documentation on configuration. Then continue by installing the certificates:

pip install pip-system-certs

Answer 2

I also got this error, I would suggest check the path of cacert and try to run the command after removing these path from the environment variable.

Answer 3

I recently encountered an issue on Windows 11 while trying to install Python packages using pip. The error message indicated a problem with finding a suitable TLS CA certificate bundle, and it turned out to be related to changes made by PostgreSQL to the environment variables.

ERROR: Could not install packages due to an OSError: Could not find a suitable TLS CA certificate bundle, invalid path: C:\ProgramFiles\PostgreSQL\16\ssl\certs\ca-bundle.crt

Here’s a quick two-step fix that worked for me:

Update the CURL_CA_BUNDLE Variable:

Find the path to the cacert.pem file in your Python installation by running

create a python file and run this:

> import certifi
> print(certifi.where())

This will print the full path to the cacert.pem file.

Update the CURL_CA_BUNDLE Environment Variable: Open the System Properties on your Windows machine. You can do this by right-clicking on "This PC" or "Computer" on your desktop or File Explorer, selecting "Properties," and then clicking on "Advanced system settings."

In the System Properties window, click on the “Environment Variables…” button.

Under the “System variables” section, find the CURL_CA_BUNDLE variable. If it doesn't exist, you can create a new one.

Edit the CURL_CA_BUNDLE variable and set its value to the full path of the cacert.pem file obtained in step 1.

Restart Your PC: After updating the environment variable, restart your computer to apply the changes.

After completing these steps, try running your pip install command again to see if the issue is resolved:

This workaround solved my issue, and I hope it helps you too!

Answer 4

This issue usually comes from a wrong path in global.cert=old\path\cacert.pem in pip configuration. To solve this issue, follow the steps below:

1. Use the following command to check global.cert=path\cacert.pem in your pip configuration using pip config -v list command. If this path does not exist, you need to update it.
2. Try to find the right path of your cacert.pem file which looks like this in Windows: C:\Users\user\AppData\Local\Programs\Python\Python310\Lib\site-packages\pip\_vendor\certifi\cacert.pem.
3. Reset this path using: pip config set global.cert "C:\Users\user\AppData\Local\Programs\Python\Python310\Lib\site-packages\pip\_vendor\certifi\cacert.pem"
4. Check again your pip configuration to confirm that the path was changed (step 1).

The issue can be also solved using Windows variables which might require restarting your computer. But this one does not.

Answer 5

Fix for Windows 10,

Error faced: error: could not install packages due to an oserror: could not find a suitable tls ca certificate bundle, invalid path: c:\program files\postgresql\16\ssl\certs\ca-bundle.crt . Encountered during installing new packages using pip.

Reason: postgresql installation somehow updated the system environment Variable.

Fix in two steps(worked for me):

1. Update the system environment CURL_CA_BUNDLE variable with cacert.pem path present in Python311\Lib\site-packages\pip\_vendor\certifi\cacert.pem. Note add the full path, in my case C:\Program Files\Python311\Lib\site-packages\pip\_vendor\certifi\cacert.pem
2. Restart the pc

Answer 6

Old post. But answering for my future self and anyone else who gets stuck at this!

First locate the pip.conf(linux):

[root@localhost ~]# pip3 config -v list
For variant 'global', will try loading '/etc/xdg/pip/pip.conf'
For variant 'global', will try loading '/etc/pip.conf'
For variant 'user', will try loading '/root/.pip/pip.conf'
For variant 'user', will try loading '/root/.config/pip/pip.conf'
For variant 'site', will try loading '/usr/pip.conf'

If not already present, then you can create the pip.conf file at any one of these locations (This is valid for virtual env as well). Ref. https://pip.pypa.io/en/stable/cli/pip_config/#cmdoption-user for variant specification.

Then add below sources to pip.conf file:

trusted-host = pypi.org
               pypi.python.org
               pypi.org
               pypi.co
               files.pythonhosted.org
               pip.pypa.io

Save and start with pip install or download as usual..

To locate cert, install certifi and run below piece of code:

[root@localhost ~]# python3 -c "import certifi; print(certifi.where())"
/usr/local/lib/python3.6/site-packages/certifi/cacert.pem

Answer 7

We get this all the time for various 'git' actions. We have our own CA + intermediary and we don't customize our software installations enough to accomodate that fact.

Our general fix is update your ca-bundle.crt with the CA cert pems via either concatenation or replacement.

e.g. cat my_cert_chain.pem >> $(python -c "import certifi; print(certifi.where())")

This works great if you have an /etc/pki/tls/certs directory, but with python the python -c "import certifi; print(certifi.where())" tells you the location of python's ca-bundle.crt file.

Althought it's not a purist python answer, since we're not adding a new file / path, it solves alot of other certificate problems with other software when you understand the underlying issue.

I recommended concatenating in this case as I don't know what else the file is used for vis-a-vis pypi.

Answer 8

I received this error while running the command as "pip install flask" in Pycharm.

If you look at the error, you will see that the error points out to "packages due to an EnvironmentError: Could not find a suitable TLS CA certificate bundle -- Invalid path".

I solved this by removing the environment variable "REQUESTS_CA_BUNDLE" OR you can just change the name of the environment variable "REQUESTS_CA_BUNDLE" to some other name.

Restart your Pycharm and this should be solved.

Thank you !

Answer 9

If you're on Mac (mine is 10.13.6), use the following command:

(security find-certificate -a -p ls /System/Library/Keychains/SystemRootCertificates.keychain &&        security find-certificate -a -p ls /Library/Keychains/System.keychain) > $HOME/.mac-ca-roots

Then do modify .bashrc with

export REQUESTS_CA_BUNDLE="$HOME/.mac-ca-roots"

Then do

$ source ~/.bashrc

Answer 10

You need to allow pip to reference to the correct certificate. check the certificate first;

python -c "import certifi; print(certifi.where())"

Then first test it manually;

pip install -r requirements.txt --cert=<the above certificate path>

If that works fine, then update this path on pip.conf file located at $HOME/.pip/pip.conf (or %APPDATA%\pip\pip.ini on Windows). e.g.

[global]
cert = /usr/local/share/ca-certificate/mycert.crt

Answer 11

In Windows 10, 1. Find the location of certifi with following commands to check if installed already

import certifi
certifi.where()

2. Note down the path of cacert.pem file

3. Search for the pip.ini file in windows explorer and edit the file in notepad and set the path = <file path of cacert.pem >