11

I'm trying to upload a Python file to PyPI via `twine upload <file>` but I get an SSL error:

```
C:\pypubsub>twine upload dist\PyPubSub-4.0.0rc1-py3-none-any.whl
Uploading distributions to https://upload.pypi.org/legacy/
Uploading PyPubSub-4.0.0rc1-py3-none-any.whl
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
```

Other Python scripts that use SSL have the same problem, for example:

  • with `python setup.py bdist_wheel upload <my_package>`
  • with `pip install <any_package>`; but there I can add `--trusted-host pypi.python.org` to any `pip install` command and the installation and downloading of dependencies will succeed

This happens on my corporate laptop whether at home or work, but it doesn't happen on my personal laptop.

To get around this, I basically tried an SO answer to a similar problem (i.e. export the certificate that twine is trying to validate -- presumably that of pypi.python.org -- and then tell twine to use it):

  1. From Chrome, I went to https://pypi.python.org, clicked the lock next to the URL, then Details, View Certificate, Details, Copy to File. This generated a .CER file.
  2. I used SSL Converter to convert the .CER file from DER format to PEM format. This created a .CRT file.
  3. I ran twine as `twine upload <my_package> --cert <path to CRT file>`; this time the SSL error was `SSLError: [SSL] PEM lib (_ssl.c:2846)`.

I then tried opting out of server certificate validation by patching `c:\Python35\lib\ssl.py` as described in Opting Out: I replaced the line `_create_default_https_context = create_default_context` with `_create_default_https_context = _create_unverified_context`. Re-running the twine command failed again with the original `CERTIFICATE_VERIFY_FAILED` error.

I'm not all that familiar with certificates so I'm at a loss as to what else to try.

Toastrackenigma
Oliver

1 Answer

9

You can pass a `--cert` flag to tell twine which certificate to use.

```
twine upload dist\PyPubSub-4.0.0rc1-py3-none-any.whl --cert <path-to-.pem-file>
```

To convert a .cer to a .pem file, do the following.

```
openssl x509 -inform der -in certificate.cer -out certificate.pem
```

The `--cert` flag is essential for one who uses custom SSL certs. If you're using a corporate network, the above fix should sort you out. Ask your admin for the SSL certs :)

Karanja Denis
  • Thx @karanja for answer. But it seems like this confirms steps 1 to 3 of my post should have worked but maybe I didn't do step 2 correctly? – Oliver Sep 13 '17 at 08:59
  • @Schollii are you behind a corporate firewall? If so, do you have access to the https ssl certificates? You need to convert the `.cer` file into a `.pem` file. – Karanja Denis Sep 13 '17 at 11:27
  • so I need to get the https ssl certs from our IT? so it's a set of ssl certs, not just for that site that I'm having trouble with? – Oliver Sep 19 '17 at 00:13
  • @Schollii yes, just ask for the `https` cert file from your IT. I believe you already have it installed in your machine if it's custom – Karanja Denis Sep 19 '17 at 11:04
  • Thanks for answering this. I was scratching my head for the last two hours on how to fix this. – conetfun Jun 25 '19 at 11:19
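The file given to `--cert` is loaded as a PEM CA bundle, so it helps to check what an exported `.cer`/`.crt` file actually contains before handing it to twine. The following is an added example, not code from the question or the answer: it classifies the bytes as PEM or DER, does the same DER-to-PEM conversion as the `openssl x509 -inform der` command using only Python's standard library, and reports whether the `ssl` module will load the result. The function names and the sample bytes are assumptions made for illustration.

```python
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def der_total_length(data: bytes):
    """Length of the DER SEQUENCE at the start of data (header included), or None."""
    if len(data) < 2 or data[0] != 0x30:        # a certificate is an ASN.1 SEQUENCE
        return None
    if data[1] < 0x80:                          # short form: length fits in one byte
        return 2 + data[1]
    n = data[1] & 0x7F                          # long form: n length bytes follow
    if not 1 <= n <= 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the bytes of an exported certificate file."""
    if PEM_HEADER in data:
        return "pem"
    if der_total_length(data) == len(data):     # exactly one complete DER object
        return "der"
    return "unknown"                            # truncated, or not a certificate file

def to_pem(data: bytes) -> str:
    """Return PEM text usable as a --cert file, converting from DER when needed."""
    kind = classify(data)
    if kind == "pem":
        return data.decode("ascii").replace("\r\n", "\n")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)   # base64 body between BEGIN/END lines
    raise ValueError("not a PEM or DER certificate file")

def python_accepts(pem_text: str) -> bool:
    """True if Python's ssl module can load pem_text as CA certificate data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem_text)
        return True
    except (ssl.SSLError, ValueError):
        return False

# Constructed placeholder with a valid DER outer header; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(classify(SAMPLE_DER), "->", classify(pem.encode()), "| loads:", python_accepts(pem))
```

On a real export, read the file with `open(path, "rb").read()`, pass the bytes to `to_pem`, and write the returned text to the file given to `--cert`; `python_accepts` should then return `True`.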