Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

SSL digest errors (on OSX and windows) #829

Closed
tba-apps opened this Issue · 59 comments
@tba-apps

OSX and Windows users on pythons linked to an older openssl version (e.g. "OpenSSL 0.9.7l 28 Sep 2006" on OSX and "OpenSSL 0.9.8k 25 Mar 2009" on windows) get an error like the following when pip installs from pypi.

ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

to determine your openssl version, run python -c "import ssl; print ssl.OPENSSL_VERSION"

there are currently no plans to offer a fix for this other than to recommend people to use a python that is linked to a more recent version of openssl.

@jezdez
Owner

Can you paste the full log /Users/tba/.pip/pip.log please?

@flyingfrog81

Same error here on OSX 10.6.8 . Seems to be SSL related.

@flyingfrog81

here's the full log:

------------------------------------------------------------
/Library/Frameworks/Python.framework/Versions/Current/bin/pip run on Fri Mar  8 12:44:05 2013
Downloading/unpacking cato

  Getting page https://pypi.python.org/simple/cato/
  Could not fetch URL https://pypi.python.org/simple/cato/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/cato/ when looking for download links for cato

  Getting page https://pypi.python.org/simple/
  Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/ when looking for download links for cato

  Cannot fetch index base URL https://pypi.python.org/simple/

  URLs to search for versions for cato:
  * https://pypi.python.org/simple/cato/
  Getting page https://pypi.python.org/simple/cato/
  Could not fetch URL https://pypi.python.org/simple/cato/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/cato/ when looking for download links for cato

  Could not find any downloads that satisfy the requirement cato

No distributions at all found for cato

Exception information:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/req.py", line 1026, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/index.py", line 171, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for cato
@dstufft
Owner

Can you run with -v so we get the actual SSL error?

@qwcode
Owner

there's no more info to be had with -v.
(if you're in github, scroll over to the right)

here's the detail:
<urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

just noticed vinay has some extra logic related to ssl versioning in distlib (@vsajip)
maybe we need that?

https://bitbucket.org/vinay.sajip/distlib/src/a7da9a0641fd96f1a75480206998b6a874467727/distlib/util.py?at=default#cl-1156

@dstufft
Owner

Oops missed that.

What version of openssl? (python -c "import ssl; print ssl.OPENSSL_VERSION").

@qwcode
Owner

fwiw, on a mac that's not failing: OpenSSL 0.9.8r 8 Feb 2011

@qwcode
Owner

to be clear, distlib's extra logic is related to python version and ssl protocol version.
this issue just may require an openssl client library upgrade (or recompile) for certain OSX users.

@dstufft
Owner

SSL v2 is known to be insecure, pretty sure PyPI itself disables it but for non PyPI indexes it might be useful for pip to do the same.

Shouldn't be related to the issue at hand though.

@qwcode
Owner

opened #832 regarding @dstufft comment about restricting the ssl protocol version

@tba-apps

@dstufft Here is my openssl version:

tba:~$ python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 0.9.7l 28 Sep 2006

Here is the output with -v:

tba:~$ pip install -Uv pip
Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>
Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>
Will skip URL https://pypi.python.org/simple/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Cannot fetch index base URL https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>
Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Could not find any downloads that satisfy the requirement pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Downloading/unpacking pip
No distributions at all found for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Exception information:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/req.py", line 1025, in prepare_files
    raise not_found
DistributionNotFound: No distributions at all found for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Storing complete log in /Users/tba/.pip/pip.log

Here is the complete log:

tba:~$ cat ~/.pip/pip.log
------------------------------------------------------------
/Library/Frameworks/Python.framework/Versions/2.7/bin/pip run on Fri Mar  8 10:55:12 2013
Getting page https://pypi.python.org/simple/pip/
Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Getting page https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Cannot fetch index base URL https://pypi.python.org/simple/

URLs to search for versions for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg:
* https://pypi.python.org/simple/pip/
Getting page https://pypi.python.org/simple/pip/
Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Could not find any downloads that satisfy the requirement pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Downloading/unpacking pip

No distributions at all found for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Exception information:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/req.py", line 1025, in prepare_files
    raise not_found
DistributionNotFound: No distributions at all found for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

tba:~$ 
@qwcode
Owner

@tba-apps I don't know much about the OSX macport, homebrew stuff, but can you try an openssl upgrade?

@ulyssesv

I was using ActivePython 2.7.2.5 and getting the same error. I switched to a fully brew distribution and now it's working. It doesn't solve the bug, but solved my problem...

brew update
brew install openssl
brew install python --with-brewed-openssl
brew linkapps

And set these vars:

PATH=$(brew --prefix)/share/python:$(brew --prefix)/share/python/bin:$(brew --prefix)/share/python/sbin:$PATH
PYTHONPATH=$(brew --prefix)/lib/python2.7/site-packages:$PYTHONPATH

Check your pip path with which pip, it must be the one in /usr/local/share/python.

Then:

pip install --upgrade distribute
pip install --upgrade pip

Now I'm able to use pip again.

@dstufft
Owner

I wonder if this is an ActivePython issue then.

@ulyssesv

Probably. Before this setup Python was linked against OpenSSL 0.9.7l 28 Sep 2006 and now it's OpenSSL 1.0.1c 10 May 2012.

I wasn't able to test against the native Mac OS Python though.

@matino

Same problem here on Windows 7 with Python 2.7.3 while trying to install any package... I found this problem after upgrading to pip 1.3.1...

@pnasrat
Owner

@matino please can you include a log or a link to a gist of a log produced with a run with -v.

@matino

Hi, here it is (result of pip install -Uv django) https://gist.github.com/matino/5143458

@pnasrat
Owner

So your error is

/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>
@matino

I can see that the problem may be with the network. On my company network I get the error, but when I switch to 3g it works...
1.2.1 works as expected on both networks though...

@qwcode
Owner

btw, our automated testing for windows includes py27 on 2008 server.
http://jenkins.qwcode.com/job/pip_win_27/

@tduskin

I get this same error when I try to use the pip generated when I set up a virtualenv, but natively, pip works fine. My OpenSSL version is also OpenSSL 0.9.7l 28 Sep 2006.

@qwcode
Owner

@tduskin, is your global pip actually an older version that doesn't use SSL?
run pip --version

@tduskin

I'm using pip 1.3.1.

pip 1.3.1 from /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages (python 2.7)

@tba-apps

Switching to brew Python as mentioned by @ulyssesv fixed the issue for me.

@tduskin

Upgrading to Python 2.7.3 (available from http://www.python.org/download/releases/2.7.3/) solved this issue for me. I am now able to use pip in my virtualenv.

@douglatornell

I'm seeing this same issue on OS/X 10.8.2 with Python 2.6.6.

The Python build is the OS/X framework one from python.org
/Library/Frameworks/Python.framework/Versions/2.6/bin/python2.6

The OpenSSL version is OpenSSL 0.9.8r 8 Feb 2011

In my case this is happening in a tox run that tests the package under 2.6, 2.7, 3.2, and 3.3. The failure only happens under 2.6, and only started happening yesterday after I upgraded virtualenv and pip in the environment to:

$ virtualenv --version
1.9.1

and

$ pip --version
pip 1.3.1 from /Users/doug/.virtualenvs/blogofile-dev-3.2/lib/python3.2/site-packages (python 3.2)

pip log from the failure:

------------------------------------------------------------
../bin/pip run on Fri Mar 15 21:03:40 2013
Unpacking /Users/doug/.tox/distshare/Blogofile-0.8b1.zip

  Running setup.py egg_info for package from file:///Users/doug/.tox/distshare/Blogofile-0.8b1.zip

    running egg_info
    creating pip-egg-info/Blogofile.egg-info
    writing requirements to pip-egg-info/Blogofile.egg-info/requires.txt
    writing pip-egg-info/Blogofile.egg-info/PKG-INFO
    writing top-level names to pip-egg-info/Blogofile.egg-info/top_level.txt
    writing dependency_links to pip-egg-info/Blogofile.egg-info/dependency_links.txt
    writing entry points to pip-egg-info/Blogofile.egg-info/entry_points.txt
    writing manifest file 'pip-egg-info/Blogofile.egg-info/SOURCES.txt'
    warning: manifest_maker: standard file '-c' not found
    reading manifest file 'pip-egg-info/Blogofile.egg-info/SOURCES.txt'
    reading manifest template 'MANIFEST.in'
    writing manifest file 'pip-egg-info/Blogofile.egg-info/SOURCES.txt'
  Source in /var/folders/4x/5r9809nn4dg6jql9768bm6dc0000gn/T/pip-dLVbFI-build has version 0.8b1, which satisfies requirement Blogofile==0.8b1 from file:///Users/doug/.tox/distshare/Blogofile-0.8b1.zip
Downloading/unpacking discover

  Getting page https://pypi.python.org/simple/discover/
  Could not fetch URL https://pypi.python.org/simple/discover/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:490: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/discover/ when looking for download links for discover

  Getting page https://pypi.python.org/simple/
  Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:490: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/ when looking for download links for discover

  Cannot fetch index base URL https://pypi.python.org/simple/

  URLs to search for versions for discover:
  * https://pypi.python.org/simple/discover/
  Getting page https://pypi.python.org/simple/discover/
  Could not fetch URL https://pypi.python.org/simple/discover/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:490: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/discover/ when looking for download links for discover

  Could not find any downloads that satisfy the requirement discover

No distributions at all found for discover

Exception information:
Traceback (most recent call last):
  File "/Users/doug/Documents/devel/python/blogofile_blog-dev/.tox/py26/lib/python2.6/site-packages/pip-1.3.1-py2.6.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Users/doug/Documents/devel/python/blogofile_blog-dev/.tox/py26/lib/python2.6/site-packages/pip-1.3.1-py2.6.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Users/doug/Documents/devel/python/blogofile_blog-dev/.tox/py26/lib/python2.6/site-packages/pip-1.3.1-py2.6.egg/pip/req.py", line 1026, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/Users/doug/Documents/devel/python/blogofile_blog-dev/.tox/py26/lib/python2.6/site-packages/pip-1.3.1-py2.6.egg/pip/index.py", line 171, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for discover
@rasky

The error is:

Could not fetch URL https://pypi.python.org/simple/discover/: There was a problem confirming the ssl certificate: 
<urlopen error [Errno 1] _ssl.c:490: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown 
message digest algorithm>

But PyPI certificate (which is *.python.org) uses SHA1 as message digest. It's weird that anything would not support it, even if a few years old.

I tried reproducing it with this setup:

  • OSX 10.8.2
  • OpenSSL 0.9.8r 8 Feb 2011 (default from Apple)
  • Python 2.6.7 (default from Apple)
  • Virtualenv 1.9.1
  • pip 1.3.1

And I cannot reproduce it. If I created a virtualenv with Python 2.6 (using virtualenv -p python2.6), and then run pip to install any package, it is able to correctly connect to PyPI and download it without any SSL warning.

It looks like the only difference is that you're using Python 2.6 from python.org. Can you please try whether using the system Python 2.6 fixes it?

@dougalsutherland

For what it's worth, I'm seeing the same error on

  • OSX 10.8.3
  • default Apple OpenSSL
  • Virtualenv 1.9.1
  • pip 1.3.1

when I use the Python 2.7.3 that comes in EPD 7.3-2 in a virtualenv. I don't see the error using that same python outside of a virtualenv or using the system python 2.7.2.

@olivierverdier

Same problem here, without virtualenv.

My setting is a vanilla install from EPD. The steps to reproduce the error, on Mac OS X 10.8.2 are

  • Install EPD 7.3
  • easy_install pip
  • pip install --upgrade ipython

You will get the same error as everyone else:

/Library/Frameworks/Python.framework/Versions/7.3/bin/pip run on Wed Mar 20 10:58:59 2013
Getting page https://pypi.python.org/simple/ipython/
Could not fetch URL https://pypi.python.org/simple/ipython/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/ipython/ when looking for download links for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Getting page https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/ when looking for download links for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Cannot fetch index base URL https://pypi.python.org/simple/

URLs to search for versions for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages:
* https://pypi.python.org/simple/ipython/
Getting page https://pypi.python.org/simple/ipython/
Could not fetch URL https://pypi.python.org/simple/ipython/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/ipython/ when looking for download links for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Could not find any downloads that satisfy the requirement ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Downloading/unpacking ipython

No distributions at all found for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Exception information:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/req.py", line 1025, in prepare_files
    raise not_found
DistributionNotFound: No distributions at all found for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages
@olivierverdier

For what it's worth, my problem was asked, and fixed, on SO: http://stackoverflow.com/questions/15441224/can-i-relink-enthought-python-to-new-version-of-openssl-on-mac-os-x

The solution is simply to downgrade pip with

easy_install pip==1.2.1
@douglatornell

@rasky I tried with a virtualenv based on the OS/X 10.8.2 system Python 2.6.7 as you requested, and I get the same result that you do - pip 1.3.1 installs packages without difficulty.

So, it would seem that the problem lies in the linkage of the installed OpenSSL library to the python.org Python 2.6.6 framework.

@davethecipo

I have the same problem (no virtualenv) on archlinux ARM (running on the raspberry py). pip version: 1.3.1

@jasonkeene

I have the same issue on python 2.6.6 OSX 10.6.8. Upgraded pip/distribute. Going to try reinstalling 2.6 and see if it fixes.

@hivelocity

Downgrading to an older version of pip was the only thing I found that solved this. Did pypi change their certs or something?

@qwcode
Owner

@hivelocity ssl cert support is new in pip-1.3.1. many osx users have fixed this by getting to a python distribution that's linked against a newer openssl lib.

@mbarczak

Same problem on pip 1.3.1(python 2.7.3) in Tomato enable router . Solved by downgrading pip to 1.2.1.

@dubois

FWIW, I am seeing this on a windows machine. Python 2.6.2, virtualenv 1.9.1 (which installs pip 1.3.1)

@qwcode
Owner

@dubois , can you report the text of your ssl error, also python -c "import ssl; print ssl.OPENSSL_VERSION" , thanks.

@dubois
Could not fetch URL https://pypi.python.org/simple/South/: There was a problem confirming the ssl certificate:
<urlopen error [Errno 1] _ssl.c:480: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm>

I forgot to mention earlier that the failing computer uses ActivePython 2.6.2.2, not a stock python.org build. OPENSSL_VERSION is a 2.7 feature, but "strings _ssl.pyd" shows "OpenSSL 0.9.8k 25 Mar 2009".

Additionally, I can confirm that (in Win32) upgrading to ActivePython 2.6.7.20 fixes the problem. Its_ssl.pyd uses OpenSSL 0.9.8r 8 Feb 2011. I believe ActiveState is a little more aggressive about updating OpenSSL in their builds, so YMMV if using a python.org build.

@qwcode
Owner

thanks @dubois. just updated the description to more relevant to OSX and windows users.

@jefreybulla

@olivierverdier I tried different solutions proposed in this page, but yours was the one that work for me. I had to downgrade Pip:

easy_install pip==1.2.1

@tash88

Hi, I would like to download nltk package for python and always get an error message saying that there is a problem confirming the ssl certificate. I'd really appreciate it if you could recommend me a solution to my problem :) here is the log:

Last login: Sun Apr 21 12:52:49 on ttys000
macbook-macbook-demo-2:~ MacBookDemo$ python -V
Python 2.7.4
macbook-macbook-demo-2:~ MacBookDemo$ sudo sh /Users/MacBookDemo/Downloads/setuptools-0.6c11-py2.7.egg
Password:
NProcessing setuptools-0.6c11-py2.7.egg
Removing /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg
Copying setuptools-0.6c11-py2.7.egg to /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages
setuptools 0.6c11 is already the active version in easy-install.pth
Installing easy_install script to /Library/Frameworks/Python.framework/Versions/2.7/bin
Installing easy_install-2.7 script to /Library/Frameworks/Python.framework/Versions/2.7/bin

Installed /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg
Processing dependencies for setuptools==0.6c11
Finished processing dependencies for setuptools==0.6c11
macbook-macbook-demo-2:~ MacBookDemo$
macbook-macbook-demo-2:~ MacBookDemo$ sudo easy_install pip
Searching for pip
Best match: pip 1.3.1
Processing pip-1.3.1-py2.7.egg
pip 1.3.1 is already the active version in easy-install.pth
Installing pip script to /Library/Frameworks/Python.framework/Versions/2.7/bin
Installing pip-2.7 script to /Library/Frameworks/Python.framework/Versions/2.7/bin

Using /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
macbook-macbook-demo-2:~ MacBookDemo$ sudo pip install -U numpy
Downloading/unpacking numpy
Could not fetch URL https://pypi.python.org/simple/numpy/: There was a problem confirming the ssl certificate:
Will skip URL https://pypi.python.org/simple/numpy/ when looking for download links for numpy
Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate:
Will skip URL https://pypi.python.org/simple/ when looking for download links for numpy
Cannot fetch index base URL https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/numpy/: There was a problem confirming the ssl certificate:
Will skip URL https://pypi.python.org/simple/numpy/ when looking for download links for numpy
Could not find any downloads that satisfy the requirement numpy
No distributions at all found for numpy
Storing complete log in /Users/MacBookDemo/.pip/pip.log
macbook-macbook-demo-2:~ MacBookDemo$ sudo pip install -U pyyaml nltk
Downloading/unpacking pyyaml
Could not fetch URL https://pypi.python.org/simple/pyyaml/: There was a problem confirming the ssl certificate:
Will skip URL https://pypi.python.org/simple/pyyaml/ when looking for download links for pyyaml
Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate:
Will skip URL https://pypi.python.org/simple/ when looking for download links for pyyaml
Cannot fetch index base URL https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/pyyaml/: There was a problem confirming the ssl certificate:
Will skip URL https://pypi.python.org/simple/pyyaml/ when looking for download links for pyyaml
Could not find any downloads that satisfy the requirement pyyaml
No distributions at all found for pyyaml
Storing complete log in /Users/MacBookDemo/.pip/pip.log
macbook-macbook-demo-2:~ MacBookDemo$

@JacquesBBB

I had the same problem with pip on a Beagle Bone Black
with

root@beaglebone:~# cat /proc/version
Linux version 3.8.13 (koen@rrMBP) (gcc version 4.7.3 20130205 (prerelease) (Linaro GCC 4.7-2013.02-01) ) #1 SMP Mon May 13 08:43:47 CEST 2013

root@beaglebone:~# pip --version
pip 1.3.1 from /usr/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg (python 2.7)

pip install pyFirmata
Downloading/unpacking pyFirmata
Could not fetch URL https://pypi.python.org/simple/pyFirmata/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_C

The problem was solved by downgrading to
root@beaglebone:~# pip --version
pip 1.2.1 from /usr/lib/python2.7/site-packages/pip-1.2.1-py2.7.egg (python 2.7)

Hope it will be solved in new versions.

Thanks for the help.

Jacques

@qwcode
Owner

@JacquesBBB at this time, there are no plans to make in changes in pip for this.
from the description: "there are currently no plans to offer a fix for this other than to recommend people to use a python that is linked to a more recent version of openssl."

@yassersouri

@qwcode I just downgraded my pip from 1.3.1 to 1.2.1 to fix this issue.

I think it should check my version of openssl linked to python when I install pip.

@dannystaple

This applies also to FC 17 too - on Linux. I have downgraded to 1.2.1. Perhaps 1.3.1 should no longer be recommended until this is fixed - it afflicts more than one of the boxes I work with.

@dstufft
Owner

Downgrading to pip 1.2 means you're downloading packages with zero authentication and then executing the code inside of them. I hope for your sake your computer is never on a malicious network because it's absolutely trivial for an attacker to pwn your box if you're using 1.2.

If this is affecting boxes you're working with it is imperative that you install using pip 1.3+. Doing otherwise is highly insecure.

@dannystaple

Which linux distro's and mac sidekick distro's actually have a compliant Python 2.7.x binary in them? I can understand the need for security - but right now it is effectively broken for people who aren't downloading the build tools and recompiling their own python. It may seem lazy not to want to do so - but I've not needed to merely to use pip packaging before.

@dstufft
Owner

It works fine with Homebew Python on OSX and Ubuntu 12.04 LTS. I don't have other distributions handy to take a look to build some compatibility matrix. I don't mean to be dismissive but if the distribution you're using provides a openssl that doesn't work with SSL certs w/ sha1 they are shipping an insecure openssl afaik. Using MD5 digests for SSL certificates are vulnerable to collision attacks.

@dstufft
Owner

I'm going to close this ticket. There's no actionable item here. People with old versions of openssl that don't support sha1 SSL certificates need to upgrade or else they are insecure. If they wish to be insecure they can continue using pip 1.2.

@dstufft dstufft closed this
@asmeurer asmeurer referenced this issue in ContinuumIO/anaconda-issues
Closed

Python needs to link to newer openssl #54

@matthew-brett matthew-brett referenced this issue from a commit in nipy/nibotmi
@matthew-brett matthew-brett RF: remove python 2.6 mpkg build
Python 2.6 binary installer on OSX now appears to be too old to use up-to-date
pip for installing - it gives SSL certificate errors:

pypa/pip#829

Remove Python 2.6 OSX binary builders.
f6b48f0
@pedroteixeira

This issue still happens.. even trying to access a https url with a valid ssl certificate, even with the new openssl version:

python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 1.0.1e 11 Feb 2013

Not really sure what's causing:

connection error: [Errno 1] _ssl.c:509: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
@Ivoz
Owner

@pedroteixeira could you open a new issue with information on your OS, python, and url you were trying to download? It seems a different OpenSSL issue than the original issue.

@pedroteixeira

it happens when using a wildcard ssl certificate + simple nginx index -- buts it's probably not a pip issue. I'll try to troubleshoot it better before posting.

@kyledmoore

I have this issue and in my case I'm fairly certain it's due to my company's proxy (all HTTPS traffic is routed through it). I'd guess this is the same deal with many others who are unaware of such a proxy MIM setup. I need to add my co's root CA cert to whatever cert store python uses, but I'm new to Python and am unsure how this is done.

I added the pem data to C:\Python34\Lib\site-packages\pip_vendor\requests\cacert.pem, but no go. I guess i'll decode the installer bin, extract it and see what args I might be able to pass in to disable validation or retrieve the libs from another (local) location.

EDIT: N/M, found bootstrap below base64 blob and saw reference to PIP_CERT env var. I ran get-pip again using alternate pem and did not get the error, although, the output suggested it installed successfully in the prior runs:

Requirement already up-to-date: pip in c:\python34\lib\site-packages
Cleaning up...

@matthew-brett matthew-brett referenced this issue from a commit in python-pillow/pillow-wheels
@matthew-brett matthew-brett RF: remove 2.6 build
2.6 build hit a problem with old pip and SSL:
pypa/pip#829

Rather than struggle through, just remove that build.
6919d6d
@adamjmendoza

This issue still happens with the latest version of python and pip on Windows 8.1.

C:\Windows\system32>python -V
Python 3.4.1

C:\Windows\system32>pip --version
pip 1.5.6 from C:\Python34\lib\site-packages (python 3.4)

C:\Windows\system32>


C:\Windows\system32>pip install ssl
Downloading/unpacking ssl
  Cannot fetch index base URL https://pypi.python.org/simple/
  Could not find any downloads that satisfy the requirement ssl
Cleaning up...
No distributions at all found for ssl
Storing debug log for failure in C:\Users\adam\pip\pip.log

C:\Windows\system32>
@Ivoz
Owner

@adamjmendoza any detailed notes on what your actual error is?

@adamjmendoza

@Ivoz ,
This is the error log. I tried with pymongo and ssl.

------------------------------------------------------------
C:\Python34\Scripts\pip run on 07/11/14 11:30:44
Downloading/unpacking ssl
  Getting page https://pypi.python.org/simple/ssl/
  Could not fetch URL https://pypi.python.org/simple/ssl/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
  Will skip URL https://pypi.python.org/simple/ssl/ when looking for download links for ssl
  Getting page https://pypi.python.org/simple/
  Could not fetch URL https://pypi.python.org/simple/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
  Will skip URL https://pypi.python.org/simple/ when looking for download links for ssl
  Cannot fetch index base URL https://pypi.python.org/simple/
  URLs to search for versions for ssl:
  * https://pypi.python.org/simple/ssl/
  Getting page https://pypi.python.org/simple/ssl/
  Could not fetch URL https://pypi.python.org/simple/ssl/: connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)
  Will skip URL https://pypi.python.org/simple/ssl/ when looking for download links for ssl
  Could not find any downloads that satisfy the requirement ssl
Cleaning up...
  Removing temporary dir C:\Users\adam\AppData\Local\Temp\pip_build_adam...
No distributions at all found for ssl
Exception information:
Traceback (most recent call last):
  File "C:\Python34\lib\site-packages\pip\basecommand.py", line 122, in main
    status = self.run(options, args)
  File "C:\Python34\lib\site-packages\pip\commands\install.py", line 278, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "C:\Python34\lib\site-packages\pip\req.py", line 1177, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "C:\Python34\lib\site-packages\pip\index.py", line 277, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
pip.exceptions.DistributionNotFound: No distributions at all found for ssl
@coddingtonbear coddingtonbear referenced this issue in coddingtonbear/python-myfitnesspal
Closed

SSL error #5

@AnneTheAgile

@adamjmendoza , what happens when you try to update python? In my case [1] it was a point version that was off, eg I had 2.7 but the version of 2.7 was not sufficient.
@Ivoz , thank you for the heads up!
AnneTheAgile
[1] zonca/pytest-ipynb#1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.