0

I am trying to get pip to work behind my work's proxy network. I have the credentials for the proxy and I have the certificate-chain files, but no matter what I do I cannot get it to stop throwing an SSL error: 

Could not fetch URL https://pypi.python.org/simple/pyinstaller/: There was a problem confirming the
ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645) - skipping

I've seen that pip.ini is supposed to exist in %APPDATA% but it isn't present, not even a pip folder exists there. Furthermore, people who were missing the file were able to create it and have it work that way. I tried this too and it did not work for me. I have even tried specifically specifying the cert in the pip install statement itself with --cert but with no luck.

What do I need to do?

Libra
  • 2,544
  • 1
  • 8
  • 24

1 Answers1

1

The certificates should live in Lib\site-packages\pip\_vendor\certifi\cacert.pem relative to your Python install directory. For example, if you have installed Python in C:\Python3, then the list of certificates is found in C:\Python3\Lib\site-packages\pip\_vendor\certifi\cacert.pem. If you are using a python virtual environment, it is located within the venv.

You need to append your company certifcate to this cacerm.pem file. Make sure that the company certificate is base-64 encoded (sometimes also referred to as PEM format). Then you can use a text editor to concatenate the files.

Note: If you upgrade pip, your changes to cacert.pem will likely be lost. So, be prepared to repeat this operation after each update of pip.

Adrian W
  • 4,563
  • 11
  • 38
  • 52
  • I don't have a certifi folder under \\_vendor\ – Libra Oct 15 '19 at 17:49
  • Hmm, I have 2.7, 3.5 and 3.7 installations on my machine. And indeed, that folder exists only for 3.7. I have never tried with older versions. – Adrian W Oct 15 '19 at 17:57
  • Still no dice, no certifi folder in \Python35\Lib\site-packages\ – Libra Oct 15 '19 at 18:38
  • The riddle on not existing `pip.ini` is explained [here](https://stackoverflow.com/a/28280549/2311167). So, you could create `pip.ini` from scratch and populate with a cert path as described [here](https://stackoverflow.com/a/20874741/2311167). – Adrian W Oct 16 '19 at 17:01
  • As I said in my post, I’ve tried this and haven’t had any luck – Libra Oct 16 '19 at 17:08