3
  • CentOS 7 (strict requirement)
  • Python 3.11 (strict requirement)

I had to upgrage a software and it requires now Python 3.11.

I followed instructions from Internet (https://linuxstans.com/how-to-install-python-centos/), and now Python 3.11 is installed, but cannot download anything, so all the programs that have something to do with Internet, including PIP, do not work because SSL package is not installed.

The normal way to install a Python-package is to use PIP, which doesn't work because the SSL package I'm going to install is not installed.

I tried all the advices in internet, but they are all outdated and not working any more, because they are either not for the 3.11 version of Python or not for CentOS 7.

The error I'm getting when running the application software:

ModuleNotFoundError: No module named '_ssl'

When I try to install ssl with pip:

# pip install --trusted-host pypi.org ssl
WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/ssl/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/ssl/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/ssl/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/ssl/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/ssl/
Could not fetch URL https://pypi.org/simple/ssl/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/ssl/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
ERROR: Could not find a version that satisfies the requirement ssl (from versions: none)
ERROR: No matching distribution found for ssl
WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping

I downloaded GZip files from https://pypi.org/simple/ssl/, unpacked them locally and tried to install them from local source, but PIP insists on HTTPS connection ... stupid tool.

What to do?

Paul
  • 25,812
  • 38
  • 124
  • 247
  • https://stackoverflow.com/a/57609378/7976758 don't install that python package. https://stackoverflow.com/a/56136782/7976758 , https://stackoverflow.com/search?q=%5Bpip%5D+install+ssl – phd Aug 18 '22 at 18:27
  • Did you `yum install openssl-devel` before compilation? – phd Aug 18 '22 at 18:29
  • Try https://github.com/pyenv/pyenv Or try `build-python3.sh` script from https://github.com/noloader/Build-Scripts These programs try to download necessary requirements and compile from sources. – phd Aug 18 '22 at 18:35
  • 1
    https://github.com/pyenv/pyenv#install-additional-python-versions – phd Aug 18 '22 at 18:40
  • 1
    Use `pyenv` or `asdf` or equivalent to install Python versions (and proper virtualenvs) don't bother with trying to compile things yourself manually. – Patrick Mevzek Aug 18 '22 at 19:59
  • @PatrickMevzek `asdf-python` uses the same `python-build` scripts that `pyenv` uses. – phd Aug 18 '22 at 21:04
  • "*Should I remove the Python from altinstall before to install pyenv?*" Yes. Or run `pyenv install --force` – phd Aug 18 '22 at 21:05
  • Alas https://stackoverflow.com/a/17201432/7976758 – phd Aug 18 '22 at 21:13
  • You're combatting a very strict and incompatible requirements. Please take my sympathy! – phd Aug 18 '22 at 21:31

3 Answers3

15

How to get PIP and other HTTPS-based Python programs to work after upgrading to Python 3.11:

First of all: you don't necessarily need any magical tools like pyenv. May be pyenv would do these steps, but I'd like to understand what is happening. (Ok, I admit that make is also a "magic" tool)

Briefly describing: during compilation of Python from source code there is an option to inject OpenSSL support directly into it.

In CentOS 7 Python 2.7.5 is installed by default and couldn't be updated to the later ones using built-in package manager. Python 3.6.8 is the latest version available in the CentOS 7 repos. 3.6 also couldn't be updated to the later ones using the package manager.

So the only possible solution is to compile Python from source code.

  • Update your yum packages, reboot, install all the packages neccesssary to run OpenSSL and Python.
  • Download the latest OpenSSL source code, unpack and compile.
  • Download the latest Python source code, unpack, configure to use the compiled OpenSSL and compile with altinstall parameter. Do not remove previous Python versions! You will have more problems than benefits. I had to revert virtual machine to the latest snapshot several times, because I destroyed something completely.

Update and install yum packages

> yum update
> yum install openssl-devel bzip2-devel libffi-devel

An article suggests also to install some "Development Tools"

> yum groupinstall "Development Tools"

but this step failed for me and I was able to finish the installation without it.

Download the latest OpenSSL source code, unpack and compile

I've choosen /usr/src directory to do the manipulations with source code.

Download

> cd /usr/src
> wget https://ftp.openssl.org/source/openssl-1.1.1q.tar.gz --no-check-certificate

Unpack

> tar -xzvf openssl-1.1.1q.tar.gz
> cd openssl-1.1.1q

Compile

> ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
> make

Run tests for the compiled OpenSSL

> make test

Install

> make install

Check that OpenSSL is installed

> openssl version
OpenSSL 1.1.1q  5 Jul 2022
> which openssl
/usr/bin/openssl

Download and compile Python

Download

> cd /usr/src
> wget https://www.python.org/ftp/python/3.11.0/Python-3.11.0a4.tgz

Unpack

> tar -xzf Python-3.11.0a4.tgz
> cd Python-3.11.0a4

Configure

> ./configure --enable-optimizations --with-openssl=/usr

It is important that the --with-openssl option has the same value as the --prefix option when you configured OpenSSL above!!!

Compile and install (It's time for a cup of coffee - it takes time)

> make altinstall

Checking that Python 3.11 is installed:

> python3.11 -V
Python 3.11.0a4

If you have set symbolic links, then Python 3.11 should be callable by "python3" and/or "python" aliases

> python3 -V
Python 3.11.0a4
> python -V
Python 3.11.0a4

Also check that PIP is working and that symlink-aliases for it are there.

Now it's time to check that your Python-based programs are working. Some of them should be installed again by PIP, because they were installed in subdirectories of previous Python versions.

After doing these manipulations I also got SSL certificates error:

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:998)>

After running

> pip3 install certifi

the problem is gone.

Paul
  • 25,812
  • 38
  • 124
  • 247
  • This really fixed my issue. It seems from Python3.10 the install requires OpenSSL 1.1.1 (https://peps.python.org/pep-0644/) – Haran Feb 15 '23 at 07:00
  • @Haran: glad to hear it. I literally suffered through the path to this solution. – Paul Feb 16 '23 at 10:40
  • Hey guys, if you upvote this answer .... The question is also from me. – Paul Jul 14 '23 at 08:42
1

Paul's solution didn't fully work for me. I had to manually set:

python -c "import certifi; print(certifi.where())"
export SSL_CERT_FILE=/path/to/cacert.pem

After this I got it working.

QuinRiva
  • 679
  • 1
  • 7
  • 14
-1

If you get an error at the make test stage, then it helped me

yum install cpan

then

"cpan -i Text :: Template"

and

"cpan -f -i Text :: Template"
InSync
  • 4,851
  • 4
  • 8
  • 30
alaniel
  • 1
  • I edited your answer to remove distractions. If you want to thank someone, upvote their answer (you'll need at least 15 reputations to do this). – InSync May 07 '23 at 19:06