Certificate error while installing packages #10963

Closed
1 task done
oittaa opened this issue Mar 14, 2022 · 11 comments
Labels
C: network connectivity resolution: no action When the resolution is to not do anything


@oittaa

oittaa commented Mar 14, 2022

Description

Installation of every package fails, since there's a certificate error.

Expected behavior

No errors.

pip version

22.0.2

Python version

3.10.2

OS

macOS 12.2.1

How to Reproduce

  1. Every package install fails, for example pip install black

Output

$ pip install black
Collecting black
  WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/b5/cb/d9799d8bd5f95e36ea4a04a80a0a48c24c638734a257d3b22fa16ec9a4ac/black-22.1.0-cp310-cp310-macosx_11_0_arm64.whl
  WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/b5/cb/d9799d8bd5f95e36ea4a04a80a0a48c24c638734a257d3b22fa16ec9a4ac/black-22.1.0-cp310-cp310-macosx_11_0_arm64.whl
  WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/b5/cb/d9799d8bd5f95e36ea4a04a80a0a48c24c638734a257d3b22fa16ec9a4ac/black-22.1.0-cp310-cp310-macosx_11_0_arm64.whl
  WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/b5/cb/d9799d8bd5f95e36ea4a04a80a0a48c24c638734a257d3b22fa16ec9a4ac/black-22.1.0-cp310-cp310-macosx_11_0_arm64.whl
  WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/b5/cb/d9799d8bd5f95e36ea4a04a80a0a48c24c638734a257d3b22fa16ec9a4ac/black-22.1.0-cp310-cp310-macosx_11_0_arm64.whl
ERROR: Could not install packages due to an OSError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/b5/cb/d9799d8bd5f95e36ea4a04a80a0a48c24c638734a257d3b22fa16ec9a4ac/black-22.1.0-cp310-cp310-macosx_11_0_arm64.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)')))

WARNING: You are using pip version 22.0.2; however, version 22.0.4 is available.
You should consider upgrading via the '/Users/user/workspace/temp/venv5/bin/python3.10 -m pip install --upgrade pip' command.
$ python -m pip install --upgrade pip
Requirement already satisfied: pip in ./venv5/lib/python3.10/site-packages (22.0.2)
Collecting pip
  WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/4d/16/0a14ca596f30316efd412a60bdfac02a7259bf8673d4d917dc60b9a21812/pip-22.0.4-py3-none-any.whl
  WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/4d/16/0a14ca596f30316efd412a60bdfac02a7259bf8673d4d917dc60b9a21812/pip-22.0.4-py3-none-any.whl
  WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/4d/16/0a14ca596f30316efd412a60bdfac02a7259bf8673d4d917dc60b9a21812/pip-22.0.4-py3-none-any.whl
  WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/4d/16/0a14ca596f30316efd412a60bdfac02a7259bf8673d4d917dc60b9a21812/pip-22.0.4-py3-none-any.whl
  WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)'))': /packages/4d/16/0a14ca596f30316efd412a60bdfac02a7259bf8673d4d917dc60b9a21812/pip-22.0.4-py3-none-any.whl
ERROR: Could not install packages due to an OSError: HTTPSConnectionPool(host='files.pythonhosted.org', port=443): Max retries exceeded with url: /packages/4d/16/0a14ca596f30316efd412a60bdfac02a7259bf8673d4d917dc60b9a21812/pip-22.0.4-py3-none-any.whl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)')))

WARNING: You are using pip version 22.0.2; however, version 22.0.4 is available.
You should consider upgrading via the '/Users/user/workspace/temp/venv5/bin/python3.10 -m pip install --upgrade pip' command.

@oittaa oittaa added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Mar 14, 2022
@oittaa
Author

oittaa commented Mar 14, 2022

$ echo | openssl s_client -showcerts -servername files.pythonhosted.org -connect files.pythonhosted.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1840496897 (0x6db3c101)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = USA, L = New York, O = Optimization, OU = Optimization, CN = tomcat
        Validity
            Not Before: Aug  6 21:25:33 2019 GMT
            Not After : Aug  1 21:25:33 2039 GMT
        Subject: C = US, ST = USA, L = New York, O = Optimization, OU = Optimization, CN = tomcat
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2D:F0:D1:C9:ED:A5:CE:8B:4C:13:AE:27:1E:24:7B:3C:3D:57:1E:7C
    Signature Algorithm: sha256WithRSAEncryption

@notatallshaw
Contributor

I do not get the same certificate when I run that command. Are you behind a proxy that unwraps and rewraps the SSL certificate for you?

If so, pip has some options to handle this:

@pradyunsg pradyunsg added S: awaiting response Waiting for a response/more information and removed S: needs triage Issues/PRs that need to be triaged labels Mar 15, 2022
@oittaa
Author

oittaa commented Mar 15, 2022

I haven't set up any proxies. pip worked without issues just a couple of days ago. Maybe Vodafone has started doing something weird.

$ dig files.pythonhosted.org

; <<>> DiG 9.10.6 <<>> files.pythonhosted.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2549
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;files.pythonhosted.org.		IN	A

;; ANSWER SECTION:
files.pythonhosted.org.	14400	IN	CNAME	security.mac.vodafone.es.
security.mac.vodafone.es. 0	IN	A	172.29.14.144

;; Query time: 54 msec
;; SERVER: 212.166.211.4#53(212.166.211.4)
;; WHEN: Tue Mar 15 11:03:19 CET 2022
;; MSG SIZE  rcvd: 105

@no-response no-response bot removed the S: awaiting response Waiting for a response/more information label Mar 15, 2022
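
The two outputs posted above carry two signals a script can check: the resolver's answer for a public hostname ends in a non-public address via a CNAME outside the site's own domains, and the certificate's issuer equals its subject. The following is an added example, not code from this thread or from pip; the function names and the `expected_suffixes` allowlist are assumptions supplied by whoever runs it.

```python
import ipaddress

# ANSWER SECTION lines copied from the dig output posted above.
DIG_ANSWER = """\
files.pythonhosted.org. 14400 IN CNAME security.mac.vodafone.es.
security.mac.vodafone.es. 0 IN A 172.29.14.144
"""

def parse_answers(text):
    """Yield (owner, rtype, rdata) from dig answer lines, skipping ';' comments."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and not line.startswith(";") and parts[2] == "IN":
            yield parts[0].rstrip(".").lower(), parts[3], parts[4].rstrip(".").lower()

def check_resolution(text, qname, expected_suffixes):
    """Return findings that suggest the resolver rewrote the answer.

    expected_suffixes: domains the CNAME chain may legitimately pass through
    (an operator-supplied assumption, not something stated in this thread).
    """
    findings = []
    allowed = tuple(s.lower() for s in expected_suffixes) + (qname.lower(),)
    for owner, rtype, rdata in parse_answers(text):
        if rtype == "CNAME":
            if not any(rdata == s or rdata.endswith("." + s) for s in allowed):
                findings.append(f"CNAME {owner} -> {rdata} leaves expected domains")
        elif rtype in ("A", "AAAA"):
            # A public download host should never resolve to private,
            # loopback or otherwise non-routable address space.
            if not ipaddress.ip_address(rdata).is_global:
                findings.append(f"{rtype} {rdata} is not a public address")
    return findings

def is_self_issued(issuer, subject):
    """True when issuer and subject DNs match, as in the 'CN = tomcat' output.

    This compares names only; it does not verify the signature.
    """
    norm = lambda dn: [part.strip().lower() for part in dn.split(",")]
    return norm(issuer) == norm(subject)

if __name__ == "__main__":
    for finding in check_resolution(DIG_ANSWER, "files.pythonhosted.org", ["fastly.net"]):
        print(finding)
```

Either finding on its own is enough reason to stop and investigate the network path before touching pip's certificate settings.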
@oittaa
Author

oittaa commented Mar 15, 2022

Is that IP address one of your official mirrors?

@DanteDraconi

DanteDraconi commented Mar 15, 2022

I'm from Spain, have Vodafone as ISP and can't install any packages either due to the same issue.
Accessing https://files.pythonhosted.org/ through a browser shows "Vodafone Secure Net" blocking the content.
Edit: I disabled SecureNet on my ISP plan and was able to use pip normally. Maybe OP's issue is the same case.

@aramonpa

@DanteDraconi I have Vodafone as my ISP too and I think that the problem is our ISP...
No SecureNet error appears; an HSTS error appears instead.

@malkir

malkir commented Mar 17, 2022

Try checking if you have SecureNet enabled either way, and disable it, to troubleshoot if you're still having issues.

@pradyunsg
Member

pradyunsg commented Mar 18, 2022

Hi. Could someone file a network access issue over on https://github.com/pypa/pypi-support/issues/new/choose?

@pradyunsg pradyunsg added C: network connectivity and removed type: bug A confirmed bug or unintended behavior labels Mar 18, 2022
@aramonpa

@DanteDraconi Like you said, it was "Vodafone Secure Net". Vodafone was blocking https://files.pythonhosted.org/
I disabled it, and now it is working like a charm.

Thanks!

@pradyunsg
Member

/cc @ewdurbin in case they want to investigate this somehow.

@pradyunsg pradyunsg added the resolution: no action When the resolution is to not do anything label Mar 18, 2022
@pradyunsg
Member

Closing this since there's nothing here that pip's maintainers can do.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 18, 2022