1

At work we have a MITM SSL root certificate for all web traffic. I've gotten pip to work by creating a pip.ini file and adding the cert=\path\to\cert.pem option to it. However, now it only works when I'm at work, and fails to download when I'm anywhere else. Is there any way to add the root certificate to the available list of root certs rather than replacing them? Or some other way to have pip work easily no matter which network I'm on?

askvictor
  • 3,621
  • 4
  • 32
  • 45
  • How is this related to python? – zvone Sep 01 '18 at 09:12
  • 1
    @zvone: pip is the python package manager. – askvictor Sep 01 '18 at 09:32
  • Possible duplicate of [pip: cert failed, but curl works](https://stackoverflow.com/questions/19377045/pip-cert-failed-but-curl-works) – phd Sep 01 '18 at 15:26
  • @phd not quite the same problem; I'm looking for how best to have pip working both inside and outside my work network. One of the answers in the linked post does propose concatenating system certs to the mitm which might work, but I'm looking if there are more elegant solutions. – askvictor Sep 01 '18 at 22:55

1 Answers1

0

Lets figure out why it does succeed at the office and what goes wrong elsewhere.

I suspect the config succeeds at work because you are within a VPN and the VPN is insisting on the certificate file in order to allow pip communication. There are other ways beside the pip.ini file to make the certificate available.

Please report this. When you leave work, does pip succeed if you move pip.ini out of the way? Most likely answer is to change the way you are using the certificate.

There are some posts to study. The approach you use is emphasized in first two:

https://superuser.com/questions/665069/can-i-get-around-using-pip-install-cert pip: cert failed, but curl works

The alternative solution is to add your cert to the cert bundle. There is an excellent thread about this:

How to add a custom CA Root certificate to the CA Store used by pip in Windows?

In there, look for the part about creating a cert bundle: https://stackoverflow.com/a/52961564/1086346

I believe that if you do that, then the cert will be available if pip needs it at your office, but it will not be in the way when you are elsewhere.

Good luck, let us know what happens.

pauljohn32
  • 2,079
  • 21
  • 28