Conda update fails with SSL error CERTIFICATE_VERIFY_FAILED

Question

I have a problem with conda update. Specifically, I tried doing

conda update <package>

, and I got the following error:

Could not connect to https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.   
bz2 Error: Connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
(_ssl.c:590): https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2

The full output of the command was the following:

conda update bokeh Fetching package metadata: SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) . Solving package specifications: . Package plan for installation in environment //anaconda:

The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    decorator-4.0.2            |           py27_0          11 KB
    ipython_genutils-0.1.0     |           py27_0          32 KB
    path.py-8.1.1              |           py27_0          45 KB
    pexpect-3.3                |           py27_0          60 KB
    pickleshare-0.5            |           py27_0           8 KB
    simplegeneric-0.8.1        |           py27_0           6 KB
    traitlets-4.0.0            |           py27_0          88 KB
    ipython-4.0.0              |           py27_0         916 KB
    jinja2-2.8                 |           py27_0         263 KB
    tornado-4.2.1              |           py27_0         515 KB
    bokeh-0.9.3                |       np19py27_0        14.3 MB
    ------------------------------------------------------------
                                           Total:        16.2 MB

The following NEW packages will be INSTALLED:

    ipython_genutils: 0.1.0-py27_0    
    path.py:          8.1.1-py27_0    
    pexpect:          3.3-py27_0      
    pickleshare:      0.5-py27_0      
    simplegeneric:    0.8.1-py27_0    
    traitlets:        4.0.0-py27_0    

The following packages will be UPDATED:

    bokeh:            0.9.0-np19py27_0 --> 0.9.3-np19py27_0
    decorator:        3.4.2-py27_0     --> 4.0.2-py27_0    
    ipython:          3.2.0-py27_0     --> 4.0.0-py27_0    
    jinja2:           2.7.3-py27_1     --> 2.8-py27_0      
    tornado:          4.2-py27_0       --> 4.2.1-py27_0    

Proceed ([y]/n)? y

Fetching packages ... Could not connect to https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2 Error: Connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590): https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2

dendisuhubdy:finalproject dendisuhubdy$ brew link --force openssl Linking /usr/local/Cellar/openssl/1.0.2d_1... 1548 symlinks created dendisuhubdy:finalproject dendisuhubdy$ conda update bokeh Fetching package metadata: SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) . Solving package specifications: . Package plan for installation in environment //anaconda:

The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    decorator-4.0.2            |           py27_0          11 KB
    ipython_genutils-0.1.0     |           py27_0          32 KB
    path.py-8.1.1              |           py27_0          45 KB
    pexpect-3.3                |           py27_0          60 KB
    pickleshare-0.5            |           py27_0           8 KB
    simplegeneric-0.8.1        |           py27_0           6 KB
    traitlets-4.0.0            |           py27_0          88 KB
    ipython-4.0.0              |           py27_0         916 KB
    jinja2-2.8                 |           py27_0         263 KB
    tornado-4.2.1              |           py27_0         515 KB
    bokeh-0.9.3                |       np19py27_0        14.3 MB
    ------------------------------------------------------------
                                           Total:        16.2 MB

The following NEW packages will be INSTALLED:

    ipython_genutils: 0.1.0-py27_0    
    path.py:          8.1.1-py27_0    
    pexpect:          3.3-py27_0      
    pickleshare:      0.5-py27_0      
    simplegeneric:    0.8.1-py27_0    
    traitlets:        4.0.0-py27_0    

The following packages will be UPDATED:

    bokeh:            0.9.0-np19py27_0 --> 0.9.3-np19py27_0
    decorator:        3.4.2-py27_0     --> 4.0.2-py27_0    
    ipython:          3.2.0-py27_0     --> 4.0.0-py27_0    
    jinja2:           2.7.3-py27_1     --> 2.8-py27_0      
    tornado:          4.2-py27_0       --> 4.2.1-py27_0    

Proceed ([y]/n)? y

Fetching packages ... Could not connect to https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2 Error: Connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590): https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2

Please advise: what should I do to overcome this error?

Answer 1

Conda needs to know where to find you SSL certificate store.

conda config --set ssl_verify <pathToYourFile>.crt

No need to disable SSL verification.

This command add a line to your $HOME/.condarc file or %USERPROFILE%\.condarc file on Windows that looks like:

ssl_verify: <pathToYourFile>.crt

If you leave your organization's network, you can just comment out that line in .condarc with a # and uncomment when you return.

If it still doesn't work, make sure that you are using the latest version of curl, checking both the conda-forge and anaconda channels.

Answer 2

Please note that the following solution is not secure. See: https://conda.io/projects/conda/en/latest/user-guide/configuration/disable-ssl-verification.html

according to @jreback here https://github.com/conda/conda/issues/1166

conda config --set ssl_verify false 

will turn off this feature, e.g. here

Answer 3

I faced the same problem on Mac OS X and with Miniconda. After trying many of the proposed solutions for hours I found that I needed to correctly set Conda's environment – specifically requests' environment variable – to use the Root certificate that my company provided rather than the generic ones that Conda provides.

I solved it using the information from the Conda docs:

1. Open Chrome, go to any website, click on the lock icon on the left of the URL. Click on «Certificate» on the dropdown. In the next window you see a stack of certificates. The uppermost (aka top line in window) is the root certificate (e.g. Zscaler Root CA in my case, yours will very likely be a different one).

2. Open Mac OS keychain, click on «Certificates» and choose among the many certificates the root certificate that you just identified. Export this to any folder of your choosing.
3. Convert this certificate with openssl: openssl x509 -inform der -in /path/to/your/certificate.cer -out /path/to/converted/certificate.pem
4. For a quick check set your shell to acknowledge the certificate: export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem
5. To set this permanently open your shell profile (.bshrs or e.g. .zshrc) and add this line: export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem. Now exit your terminal/shell and reopen. Check again.

You should be set and Conda should work fine.

---

In newer versions of Keychain Access.app you can also change the export filetype to .pem and skip step 3.

Answer 4

This seemed to do the trick for me:

conda remove certifi
conda install certifi

Then you can do whatever you were trying to do before, e.g.

conda update --all

Answer 5

For those of us on corporate networks using web filters that implement trusted man in the middle SSL solutions, it is necessary to add the web-filter certificate to the certifi cacert.pem.

A guide to doing this is here.

Main steps are:

1. connect to https site with browser
2. view and save root certificate
3. convert cert to .pem
4. copy and paste onto end of existing cacert.pem
5. save
6. SSL happiness

Answer 6

For everyone struggling with this issue, you simply need to upgrade your openssl installation. I'm running windows 10, installed the latest anaconda 64-bit and am getting this error when I try to install/upgrade anything with 'conda' or 'pip'. If I uninstall the 64-bit anaconda and install the 32-bit, it works fine. I had a 64-bit version of openssl for windows installed, version 1.1.0 something. I uninstalled that and installed the latest I could find from here: https://slproweb.com/products/Win32OpenSSL.html -- there is a 64-bit version of 1.1.1 on there that worked. Now I can install packages via pip and conda successfully. Hope this helps.

Answer 7

For me the problem was the proxy configuration. I had in my .condarc:

proxy_servers:
    http: http://our.proxy.org:80/
    https: https://our.proxy.org:80/

that did not work. Instead, the HTTPS proxy had to be specified with the http protocol (i.e. without the s). So,

proxy_servers:
    http: http://our.proxy.org:80/
    https: http://our.proxy.org:80/

Answer 8

That SSL error is misleading. I am using Anaconda 3, conda version 4.6.11, have the most current version of openssl on a Windows 10 instance. I got the issue resolved by changing the security settings on the Anaconda3 folder to Full Control. Don't think this helped, but I also have modified the ..\Anaconda3\Lib\site-packages\certifi\cacert.pem file to include the company's SSL cert.

Hope this info helps you.

Answer 9

The following worked for me: (MAC)

1. Use homebrew to install openssl1.1 certs

brew install openssl@1.1

2. Add the installed certs to an env variable with:

export REQUESTS_CA_BUNDLE='/usr/local/etc/openssl@1.1/cert.pem'

3. To persist your env variable to anaconda, first activate the relevant environment, then execute:

conda env config vars set export REQUESTS_CA_BUNDLE='/usr/local/etc/openssl@1.1/cert.pem'

Answer 10

New poster unable to comment yet - but here's an additional option and clarification if you have a non-default trusted SSL certificate, such as when using corporate internet monitoring software like ZScaler.

Assuming you have a new trusted.pem file, you may need to append this trusted.pem to the certificate at the path python -m certifi, AND, set this concatenated .pem file to the REQUESTS_CA_BUNDLE variable.

It may not work if you only set REQUESTS_CA_BUNDLE to trusted.pem.

Tested on Windows 10. Related variables are AWS_CA_BUNDLE, SSL_CERT_FILE, and CURL_CA_BUNDLE, though these need to be set to trusted.pem only on your local, not to the concatenated version.

For whatever reason, inside a Dockerfile, these ENV variables need to be the concatenated .pem file (after relevant COPY commands of course)

Answer 11

I seem to have discovered another scenario which is not covered by all the possible causes listed here. Inexplicably, even turning of ssl_verify had no effect and kept producing the same SSLError. set SSL_NO_VERIFY=1 also had no effect.

It turns out that this is due the REQUESTS_CA_BUNDLE variable that we have set to the standard corporate certificate bundle. It includes zscaler proxy certificates etc. and other internal CAs needed for everyday development. But apparently our internal Anaconda repository uses its own certificate that is not covered by this bundle.
I guess the only surprising part here was the precedence. I was incorrectly expecting at least the conda specific environment variable (if not the .condarc setting) to override any other implicit ones like the requests library variable.

So, a quick way to debug this in my case was to temporarily remove the requests variable while I request for the anaconda certificate to be added to the corporate bundle:

set REQUESTS_CA_BUNDLE=

Of course, a better fix is to configure the individual certificate explicitly as shown in other answers:

conda config --set ssl_verify "C:\ProgramData\condaRepoCert.pem"

Answer 12

After 2 hrs of net surfing Finally For me the problem was fixed by creating a folder pip, with a file: pip.ini in C:\Users<username>\AppData\Roaming\ e.g:

C:\Users\<username>\AppData\Roaming\pip\pip.ini

Inside it I wrote:

[global]
trusted-host = pypi.python.org
pypi.org
files.pythonhosted.org

I restarted python, and then pip permanently trusted these sites, and used them to download packages from.

If you can't find the AppData Folder on windows, write %appdata% in file explorer and it should appear.

Source : pip install fails with "connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)"

Answer 13

on windows, set the SSL_NO_VERIF environment variable to 1. set SSL_NO_VERIFY=1

refer to https://conda.io/projects/conda/en/latest/user-guide/configuration/disable-ssl-verification.html

Answer 14

In order that anaconda3 will work with RHEL\Centos based:

1. Add your certificates to: /etc/pki/ca-trust/source/anchors/

2. Run:

   update-ca-trust
   

3. Export:

   export CURL_CA_BUNDLE=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt 
   export REQUEST_CA_BUNDLE=/etc/pki/ca-trust/extracted/openssl/cabundle.trust.crt  
   export SSL_CERT_FILE=/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`
   

4. Run:

   conda info -s
   

You should see those envs configured in conda.

Answer 15

For me, it's actually because I am using VPN. So I'm just turning VPN off, this problem solved. (confusing me quiet a while)

Hope this answer helpful.

Answer 16

This is due to .dll error

Go to the location where you've install anaconda anaconda3>Library>bin. Search and copy these two .dll files

• libcrypto-1_1-x64.dll
• libssl-1_1-x64.dll

Paste them to this folder: anaconda3>DLLs

Then restart your pc.

Credit to: https://github.com/conda/conda/issues/11982

Answer 17

On linux, you need to do this:

cd miniconda3
mkdir DLLs
cp lib/libcrypto* DLLs
cp lib/libssl* DLLs

you should be all set

Answer 18

Same issue I faced below pip configurations fixed my error

1. pip config --user set global.index https://your-domain/repository/public-lib-python-pypi/pypi
2. pip config --user set global.index-url https://your-domain/repository/public-lib-python-pypi/simple 
3. pip config --user set global.trusted-host your-domain