brew installation of Python 3.6.1: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

Asked 20/6, 2017 at 9:42 Answered 7/3 at 15:31

I installed python 3.6 using

brew install python3

and tried to download a file with six.moves.urllib.request.urlretrieve from an https, but it throws the error

ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)

In the Python installation (from .pkg), the README indicates that one needs to run the Install Certificates.command after the installation to

install certifi
symlink the certification path to certify path

to be able to use certificates.

However, in brew install, this file does not exist and it does not seem to be run.

Culver answered 20/6, 2017 at 9:42 Comment(4)

Executing /Applications/Python\ 3.6/Install\ Certificates.command in Terminal fixed this problem with my homebrew python3 installation. – Tega 4/2, 2019 at 15:7

Given the popularity of this question, I fielded a issue to brew. – Culver 19/7, 2019 at 22:54

export SSL_CERT_DIR=/etc/ssl/certs worked for me in Mac OS Big Sur. – Brisket 8/10, 2021 at 20:54

This comment by robo-corg points out the root of the cause. I. e., it is the missing /opt/homebrew/etc/[email protected]/cert.pem. Now on a mac, you have that file in /private/etc/ssl/. So running, ln -s /private/etc/ssl/cert.pem /opt/homebrew/etc/[email protected]/cert.pem sym links the certificate. And, that resolved the issue. – Gloucester 8/5, 2023 at 6:36

154

It seems that, for some reason, Brew has not run the Install Certificates.command that comes in the Python3 bundle for Mac. The solution to this issue is to run the following script (copied from Install Certificates.command) after brew install python3:

# install_certifi.py
#
# sample script to install or update a set of default Root Certificates
# for the ssl module.  Uses the certificates provided by the certifi package:
#       https://pypi.python.org/pypi/certifi

import os
import os.path
import ssl
import stat
import subprocess
import sys

STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
             | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
             | stat.S_IROTH |                stat.S_IXOTH )


def main():
    openssl_dir, openssl_cafile = os.path.split(
        ssl.get_default_verify_paths().openssl_cafile)

    print(" -- pip install --upgrade certifi")
    subprocess.check_call([sys.executable,
        "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"])

    import certifi

    # change working directory to the default SSL directory
    os.chdir(openssl_dir)
    relpath_to_certifi_cafile = os.path.relpath(certifi.where())
    print(" -- removing any existing file or link")
    try:
        os.remove(openssl_cafile)
    except FileNotFoundError:
        pass
    print(" -- creating symlink to certifi certificate bundle")
    os.symlink(relpath_to_certifi_cafile, openssl_cafile)
    print(" -- setting permissions")
    os.chmod(openssl_cafile, STAT_0o775)
    print(" -- update complete")

if __name__ == '__main__':
    main()

Culver answered 20/6, 2017 at 9:42 Comment(9)

What does one do, if one does not have root access / sudo rights? Thanks. – Slipslop 16/2, 2018 at 1:17

I ran the above command and it seemed to work successfully, but I am still getting the error. Any ideas on how to debug this? – Wanettawanfried 24/7, 2018 at 2:12

For reference, the source of this script is here: github.com/python/cpython/blob/master/Mac/BuildScript/resources/… – Foreyard 6/3, 2019 at 10:17

@Slipslop you will have to just run this for your own virtual environments – Harpsichord 30/9, 2019 at 5:46

I had to add import ssl; ssl._create_default_https_context = ssl._create_stdlib_context to my code for it to work. – Proctoscope 11/4, 2020 at 13:32

This post also helped with ssl errors on mac. https://mcmap.net/q/48853/-ssl-certificate_verify_failed-error-with-python3-on-macos-10-15 – Bovine 17/5, 2020 at 19:26

This was required for me to start development of my Slack App. Thank you! – Wilk 14/12, 2021 at 23:1

Thank you very much, it worked after many days of trying different solutions <3 – Dextroamphetamine 11/8, 2022 at 14:49

Had this issue on macOS Ventura 13.4. I updated certifi, copied the Install Certificates.command source and ran it, but unfortunately no dice. Rafael's suggestion was the last thing I needed. – Bergeman 6/2 at 16:40

My solution for Mac OS X:

1) Upgrade to Python 3.6.5 using the native app Python installer downloaded from the official Python language website https://www.python.org/downloads/

I've found that this installer is taking care of updating the links and symlinks for the new Python a lot better than homebrew.

2) Install a new certificate using "./Install Certificates.command" which is in the refreshed Python 3.6 directory

cd "/Applications/Python 3.6/" sudo "./Install Certificates.command"

Tailgate answered 21/4, 2018 at 8:0 Comment(6)

Thanks! Worked for me, and I'm on 3.8 (changed the command appropriately to the Python 3.8 directory). – Hyams 12/12, 2019 at 20:47

There is no Python folder in my Applications, and I could not locate it on my machine. Any ideas how can I fix the issue for my case? – Intercut 25/12, 2019 at 8:38

@Intercut - In order to know where Python is located on your computer, open the python shell typing python or python3 then import sys and print('\n'.join(sys.path)) Or you can type this command in the terminal python -c "import sys; print('\n'.join(sys.path))" – Tailgate 26/12, 2019 at 5:9

Thanks worked for me with tiny change: $ cd /Applications/Python 3.8/ $ sudo ./Install\ Certificates.command Happy Coding :) – Chao 10/4, 2021 at 13:19

After 2 dys of searching. this is what worked for me. Didn't even make it to the approved solution. – Holzer 3/2, 2022 at 23:34

Can't believe that this is still the best answer 6 years later, but it worked for me! Seems like a flaw! – Darnall 3/4 at 17:55

find out default cafile:

python -c 'import ssl; print(ssl.get_default_verify_paths().openssl_cafile)'

/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.7/etc/ssl/cert.pem

sudo mkdir -p /Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.7/etc/ssl/certs

find out ca file of certifi

python -c 'import certifi; print(certifi.where())'

'/usr/local/lib/python3.7/site-packages/certifi/cacert.pem'

copy to

sudo cp /usr/local/lib/python3.7/site-packages/certifi/cacert.pem
/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.7/etc/ssl/certs/cert.pem

Arty answered 18/4, 2020 at 19:0 Comment(5)

This did not work for me on a conda python environment, using conda python. I tried copying the certs in three different directories: ssl, ssl/crt, etc/ssl/certs . I have found no solution so far. – Demivolt 23/11, 2020 at 20:0

@Demivolt how did you solve this? – Robertoroberts 16/9, 2022 at 19:49

This is the correct answer to this question, awesome way to find the default cert.pem! – Snatch 17/9, 2022 at 15:54

Thank you. My work uses Zscaler and I was using a miniconda python install. This gave me the clue I needed to find the offending openssl_cafile. I copied the Zscaler root CA over /Users/xxx/miniconda3/ssl/cert.pem and my problem was solved. – Ashliashlie 27/9, 2022 at 13:10

The output from python -c 'import ssl; print(ssl.get_default_verify_paths().openssl_cafile)' was a non-existing file for me. I simply copied the file at the path from python -c 'import certifi; print(certifi.where())' to the path of the former command. The exact steps in this answer did not work for me. Using RHEL7 – Pond 13/12, 2022 at 9:2

For temporary, following will disable the ssl checking,

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

Zarger answered 14/4, 2020 at 23:59 Comment(2)

This solves the immediate problem, but is NOT RECOMMENDED: you run the risk of putting a vulnerable service into production this way. – Stopoff 6/6, 2022 at 21:36

This is a bad idea. It makes using TLS pointless. – Calumniate 29/7, 2022 at 15:57

If you need to make your local root certificate (e.g. local_RootCA.crt) become trusted by python, you can add it into the end of certifi/cacert.pem file:

cat local_RootCA.crt >> `python -c 'import certifi; print(certifi.where())'`

That solution works good for macos brew python 3 installation as well.

Charity answered 15/1, 2022 at 8:7 Comment(1)

After a day of trying different things in this and other SOF conversations, this is what worked for us. Thanks! – Pestle 29/7, 2022 at 16:5

You will not be able to find this file in Application -> Python folder.

On MAC Press Command + Space to open Spotlight Search and type 'Install Certificates.command', then execute it. This solution resolved the issue for me.

Expositor answered 7/3 at 15:31 Comment(0)

positionning SSL_CERT_FILE env var to your ca file also works and it is not invasive.

Drucie answered 7/10, 2022 at 16:29 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags