MacOS Python3 TlS Certificate Verify Failed - Unable to Get Local Issuer Certificate [SOLVED]
Contents
Issue
After an upgrade to Sonoma and it’s changes to OpenSSL Poetry started having issues with pypi.org.
❯ poetry install
Updating dependencies
Resolving dependencies... (7.8s)
HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/plotly/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
❯ python --version
Python 3.12.1
❯ pip install flask
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)'))) - skipping
Root Cause
Python can’t find correct OpenSSL library.
Solution
In essense we need to make sure Python has OpenSSL in order. Here’s what might help:
1. Install Certificates for MacOS Python
If you are using native MacOS Python try running Install Certificates.command
open /Applications/Python\ 3.12/Install\ Certificates.command
pip install --upgrade certifi
2. Reinstall with --enable optimizations (pyenv)
brew uninstall --ignore-dependencies openssl@1.1
env CONFIGURE_OPTS='--enable-optimizations' pyenv install 3.12
brew install openssl@1.1
3. Reinstall ca-certificates and openssl and pass openssl path (pyenv)
brew reinstall ca-certificates openssl
CONFIGURE_OPTS="--with-openssl=$(brew --prefix openssl)" \
CFLAGS="-I$(brew --prefix openssl)/include" LDFLAGS="-L$(brew --prefix openssl)/lib" \
pyenv install 3.11
4. Alias pyenv command to a command with preconfigured OpenSSL prefixes (pyenv)
alias pyenv='CFLAGS="-I$(brew --prefix openssl)/include" LDFLAGS="-L$(brew --prefix openssl)/lib" pyenv'
Another thing to check:
Double check you don’t run any proxy (like proxyman) that might have a broken TLS.
I found out that I had REQUESTS_CA_BUNDLE pointing to my proxyman proxy certificate. I removed it and it finally worked.
Links:
- https://github.com/pyenv/pyenv/issues/2805
- https://github.com/pyenv/pyenv/issues/993
- https://stackoverflow.com/questions/40684543/how-to-make-python-use-ca-certificates-from-mac-os-truststore
- https://github.com/pyenv/pyenv/wiki/Common-build-problems#error-the-python-ssl-extension-was-not-compiled-missing-the-openssl-lib
- https://github.com/pyenv/pyenv/issues/2805#issuecomment-1743536437
- https://mail.python.org/pipermail/python-announce-list/2018-April/011885.html
- https://apple.stackexchange.com/questions/431193/catalina-and-pyenv-install-python-versions-fine-but-anything-needing-ssl-fails
Second Head Post
This is a post from Second Head. So please, don’t expect too much.