Goal: I'm on RedHat 5 and trying to install the latest python and django for a web app.
I successfully altinstalled python27 and easy_install, and wget with openssl.
Problem: However now that I try to get anything from pypi.python.org I get the following error:
$ sudo easy_install --verbose django
Searching for django
Reading https://pypi.python.org/simple/django/
Download error on https://pypi.python.org/simple/django/: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed -- Some packages may not be found!
Couldn't find index page for 'django' (maybe misspelled?)
Scanning index of all packages (this may take a while)
Reading https://pypi.python.org/simple/
Download error on https://pypi.python.org/simple/: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed -- Some packages may not be found!
No local packages or download links found for django
error: Could not find suitable distribution for Requirement.parse('django')
I tried looking up the certificate of pypi.python.org with openssl s_client -showcert -connect but don't know what to do with it, where to store it. Not much info on google, need expert help.
Thank you!
edit: I meant wget* with openssl.
$ wget http://ftp.gnu.org/gnu/wget/wget-1.15.tar.gz
$ tar -xzf wget-1.15.tar.gz
$ cd wget-1.15
$ ./configure --with-ssl=openssl
$ make
$ sudo make install
I can't get wget to pull the page either:
$ wget https://pypi.python.org/simple/django/
--2014-01-21 11:18:45-- https://pypi.python.org/simple/django/
Resolving pypi.python.org (pypi.python.org)... 199.27.73.185, 199.27.74.184
Connecting to pypi.python.org (pypi.python.org)|199.27.73.185|:443... connected.
ERROR: cannot verify pypi.python.org's certificate, issued by ‘/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3’:
Unable to locally verify the issuer's authority.
To connect to pypi.python.org insecurely, use `--no-check-certificate'.
your curl cert is too old try to download new curl cert:
sudo wget http://curl.haxx.se/ca/cacert.pem -O /etc/pki/tls/certs/ca-bundle.crt
I found this page after looking for a solution to this problem. In case someone else has similar problem, the solution I found is:
At the start of the setuptools/ssl_support.py file (which is used by easy_install, and is inside the egg file: "./lib/python2.7/site-packages/setuptools-3.5.1-py2.7.egg"), the certificate bundles files are hard-coded in "cert_paths" variable:
cert_paths = """
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root.crt
...etc..
"""
"easy_install" will use the first file that exists from this list, as it calls "find_ca_bundle". If certificates in this cert bundle file are out of date, then easy_install will fail with this SSL error. So need to either update the certificate file or change the "cert_paths" in this ssl_support.py file, to point to a local upto date certs bundle file.
I have seen this problem in a specific environment: Mac OS X with macports, installing packages in user's local path. The solution was to install the certificates from curl:
port install curl-ca-bundle
Btw, until you don't have the ceritificates, most of the port, easy_install and pip commands will fail because the ssl error.
Try installing pip to do python package installation instead.
You can find the documentation to quick install it and use it here. It's generally a lot better than easy_install.
It also uses SSL by default, and with Requests' certificate stack (derived from mozilla).
You can also find a lot of information on working with python packages in general on the Python Packaging User Guide.
来源:https://stackoverflow.com/questions/21265616/python-easy-install-fails-with-ssl-certificate-error-for-all-packages