python SSL certificate validation fails on some distribution commands

I'm trying to upload a Python file to PyPI via twine upload <file>, but I get an SSL error:

C:\pypubsub>twine upload dist\PyPubSub-4.0.0rc1-py3-none-any.whl
Uploading distributions to https://upload.pypi.org/legacy/
Uploading PyPubSub-4.0.0rc1-py3-none-any.whl
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

Other Python scripts that use SSL have the same problem, for example

  • with python setup.py bdist_wheel upload <my_package>
  • with pip install <any_package>; but there I can add --trusted-host pypi.python.org to any pip install command and the installation and downloading of dependencies will succeed

This happens on my corporate laptop whether at home or work, but it doesn't happen on my personal laptop.

To get around this, I basically tried an SO answer to a similar problem (i.e., export the certificate that twine is trying to validate -- presumably that of pypi.python.org -- and then tell twine to use it):

  1. From Chrome, I went to https://pypi.pythong.org, clicked the lock next to the URL, then Details, View Certificate, Details, Copy to File. This generated a .CER file.
  2. I used SSL Converter to convert the .CER file from DER format to PEM format. This created a .CRT file.
  3. I ran twine as twine upload <my_package> --cert <path to CRT file>; this time the SSL error was SSLError: [SSL] PEM lib (_ssl.c:2846).

I then tried opting out of server certificate validation by patching c:\Python35\lib\ssl.py as described in Opting Out: I replaced the line _create_default_https_context = create_default_context by _create_default_https_context = _create_unverified_context. Re-running the twine command failed again with the original CERTIFICATE_VERIFY_FAILED error.

I'm not all that familiar with certificates so I'm at a loss now what else to try.

Paynter answered 11/10, 2016 at 5:15 Comment(0)

You can pass a --cert flag to tell twine which certificate to use.

twine upload dist\PyPubSub-4.0.0rc1-py3-none-any.whl --cert <path-to-.pem-file>

To convert a .cer to a .pem file, do the following.

openssl x509 -inform der -in certificate.cer -out certificate.pem

The --cert flag is essential for one who uses custom ssl certs. If you're using a corporate network, the above fix should sort you out. Ask your admin for the ssl certs :)

Accoucheur answered 11/9, 2017 at 11:41 Comment(5)
Thx @karanja for answer. But it seems like this confirms steps 1 to 3 of my post should have worked but maybe I didn't do step 2 correctly? - Paynter
@Schollii are you behind a corporate firewall? If so, do you have access to the https ssl certificates? You need to convert the .cer file into a .pem file. - Accoucheur
so I need to get the https ssl certs from our IT? so it's a set of ssl certs, not just for that site that I'm having trouble with? - Paynter
@Schollii yes, just ask for the https cert file from your IT. I believe you already have it installed in your machine if it's custom - Accoucheur
Thanks for answering this. I was scratching my head for the last two hours on how to fix this. - Orphism
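
An added example, not part of the answer or comments above: a Python check that tells whether a file meant for twine's --cert is DER or PEM, converts DER to PEM with the standard library, and confirms that Python's ssl module can actually load the result. The function names and SAMPLE_DER (a constructed byte string, not a real certificate) are assumptions made for illustration.

```python
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# Constructed sample: DER-shaped bytes (SEQUENCE { INTEGER 1 }), not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def detect_format(data: bytes) -> str:
    """Classify certificate bytes as 'pem', 'der' or 'unknown'."""
    if PEM_HEADER in data:
        return "pem"
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return PEM text for PEM or DER input; raise ValueError otherwise."""
    kind = detect_format(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der":
        # Only base64-wraps the bytes; it does not check they are a certificate.
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER certificate")


def loads_as_ca(pem: str) -> bool:
    """True if Python's ssl module can load the PEM text as trust anchors."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem)
    except (ssl.SSLError, ValueError):
        return False
    return ctx.cert_store_stats()["x509"] > 0


if __name__ == "__main__":
    # Usage: python check_cert.py <certificate file>  (script name is hypothetical)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DER
    print("format:", detect_format(raw))
    pem = to_pem(raw)
    print("loads in ssl module:", loads_as_ca(pem))
```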
