Can I get around using "pip install --cert"?
Solution 1
You can set that through the pip configuration file, which is in $HOME/.pip/pip.conf or %APPDATA%\pip\pip.ini on Windows:
[global]
cert = /usr/local/share/ca-certificate/mycert.crt
This file lets you set basically all the flags that are used by pip. Full documentation is at https://pip.pypa.io/en/latest/user_guide/#configuration
Solution 2
For me, non of the config-file workarounds worked. I'm using pip 1.5.4 on Ubuntu 14.04
What eventually worked for me is installing the certificate on the system first (for me on ubuntu this would be)
sudo cp ~/my_cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
The previous automatically updates the bundle file (checking at the bottom of /etc/ssl/certs/ca-certificates.crt you should now see the same certificate as in my_cert.crt)
Now use that path in PIP_CERT. And add it to my .bashrc:
echo export PIP_CERT=/etc/ssl/certs/ca-certificates.crt >> ~/.bashrc
DISCLAIMER: I already posted this answer in SO (same answer as in the 'eventually duplicated link above', but at the beginning I didn't find the other (eventually duplicated answer)... so if someone like me gets here first, then this might help.
Maybe I'm breaking some kind of rules to post the same answer twice, one in SO and the other one in superuser. If so, sorry about that.
Solution 3
This worked for me without needing to know where the config file lives:
python -m pip config set global.cert C:\\Path\\cert.crt
I believe you need pip version 10+, which you can find with:
python -m pip --version
The output of the config set command then outputs the name of the config file for your convenience
Related videos on Youtube
05 : 22
09 : 48
02 : 00
03 : 13
08 : 32
Ian Lee
Engineer with Lawrence Livermore National Laboratory
Updated on September 18, 2022Comments
-
Ian Lee over 1 year
Trying to figure out if there is a way that I can avoid using the --cert flag to pip when I am installing packages at work. There is some issue with the proxy that only allows me to download the packages I need when I provide that flag, despite adding the
mycert.crtfile to/usr/local/share/ca-certificatesand runningsudo update-ca-certificates.An example of the messages I'm seeing is:
$ pip install "virtualenv>=1.10.1" Downloading/unpacking virtualenv>=1.10.1 Could not fetch URL https://pypi.python.org/simple/virtualenv/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed> Will skip URL https://pypi.python.org/simple/virtualenv/ when looking for download links for virtualenv>=1.10.1 Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed> Will skip URL https://pypi.python.org/simple/ when looking for download links for virtualenv>=1.10.1 Cannot fetch index base URL https://pypi.python.org/simple/ Could not fetch URL https://pypi.python.org/simple/virtualenv/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed> Will skip URL https://pypi.python.org/simple/virtualenv/ when looking for download links for virtualenv>=1.10.1 Could not find any downloads that satisfy the requirement virtualenv>=1.10.1 Cleaning up... No distributions at all found for virtualenv>=1.10.1 Storing complete log in /tmp/tmpwW5qXDThis can be solved with instead using:
pip install --cert=/usr/local/share/ca-certificates/mycert.crtHowever, I would prefer to not have to do so (as I'm sure other applications bump into this issue).
I am running Linux Mint 15 (though I previously had very similar issues on Ubuntu 12.04), pip version 1.4.1.
-
Admin over 10 yearsThis could be a potential duplicate of this stackoverflow.com/questions/19377045/… .. I'm not sure what the policy is for aggregating etc.
-
-
Ian Lee about 10 yearsI think your comment on my original post leads to the real answer, which is that pip does not use the system certs. This is a good solution, though it runs into issues when I'm switching between the work and home environments (over VPN). More an issue with the cert than the solution though.
-
Paul Calabro almost 3 yearsThanks @IanLee for that hint. Here's the supporting docs: "Starting with v1.3, pip provides SSL certificate verification over HTTP, to prevent man-in-the-middle attacks against PyPI downloads. This does not use the system certificate store but instead uses a bundled CA certificate store. The default bundled CA certificate store certificate store may be overridden by using --cert option or by using PIP_CERT, REQUESTS_CA_BUNDLE, or CURL_CA_BUNDLE environment variables." pip.pypa.io/en/latest/cli/pip_install/…
