Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Windows Server Install: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate #112

Open
fdcastel opened this issue May 5, 2023 · 16 comments

Comments

@fdcastel
Copy link

fdcastel commented May 5, 2023

Related #76 (now closed)

Windows Server 2022 Standard.

PS C:\Users\Administrator> py --version
Python 3.10.11

PS C:\Users\Administrator> pip --version
pip 23.1.2 from C:\Python310\lib\site-packages\pip (python 3.10)

PS C:\Users\Administrator> (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
Retrieving Poetry metadata
Traceback (most recent call last):
  File "C:\Python310\lib\urllib\request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "C:\Python310\lib\http\client.py", line 1283, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1329, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1278, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1038, in _send_output
    self.send(msg)
  File "C:\Python310\lib\http\client.py", line 976, in send
    self.connect()
  File "C:\Python310\lib\http\client.py", line 1455, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "C:\Python310\lib\ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Python310\lib\ssl.py", line 1071, in _create
    self.do_handshake()
  File "C:\Python310\lib\ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 940, in <module>
  File "<stdin>", line 919, in main
  File "<stdin>", line 516, in run
  File "<stdin>", line 775, in get_version
  File "<stdin>", line 836, in _get
  File "C:\Python310\lib\urllib\request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python310\lib\urllib\request.py", line 519, in open
    response = self._open(req, data)
  File "C:\Python310\lib\urllib\request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "C:\Python310\lib\urllib\request.py", line 496, in _call_chain
    result = func(*args)
  File "C:\Python310\lib\urllib\request.py", line 1391, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "C:\Python310\lib\urllib\request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)>

However, unlike #76, installing certifi package does not solve the problem anymore.

PS C:\Users\Administrator> pip install --upgrade certifi
Collecting certifi
  Using cached certifi-2022.12.7-py3-none-any.whl (155 kB)
Installing collected packages: certifi
Successfully installed certifi-2022.12.7
PS C:\Users\Administrator>
PS C:\Users\Administrator> (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
Retrieving Poetry metadata
Traceback (most recent call last):
  File "C:\Python310\lib\urllib\request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "C:\Python310\lib\http\client.py", line 1283, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1329, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1278, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1038, in _send_output
    self.send(msg)
  File "C:\Python310\lib\http\client.py", line 976, in send
    self.connect()
  File "C:\Python310\lib\http\client.py", line 1455, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "C:\Python310\lib\ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Python310\lib\ssl.py", line 1071, in _create
    self.do_handshake()
  File "C:\Python310\lib\ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 940, in <module>
  File "<stdin>", line 919, in main
  File "<stdin>", line 516, in run
  File "<stdin>", line 775, in get_version
  File "<stdin>", line 836, in _get
  File "C:\Python310\lib\urllib\request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python310\lib\urllib\request.py", line 519, in open
    response = self._open(req, data)
  File "C:\Python310\lib\urllib\request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "C:\Python310\lib\urllib\request.py", line 496, in _call_chain
    result = func(*args)
  File "C:\Python310\lib\urllib\request.py", line 1391, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "C:\Python310\lib\urllib\request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)>
@geminixiang
Copy link

geminixiang commented May 20, 2023

I encountered the same issue on a Mac, and I have already resolved it. However, I haven't tested it on Windows. Here is some information for your reference.

  • windows

install openssl (Win64 OpenSSL v3.1.0 Light)
https://slproweb.com/products/Win32OpenSSL.html

  • mac resolve by
sudo /Applications/Python\ 3.11/Install\ Certificates.command
  • ubuntu (Linux)
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
  • in script
import ssl

ssl._create_default_https_context = ssl._create_unverified_context

@fdcastel
Copy link
Author

Anyone from poetry team could give me a help about this problem?

If there is no intention to support Windows, please be more clear about it in the documentation.

Otherwise, could someone give some attention to this issue? (a major loss of functionality opened 3 weeks ago?)

  • Poetry now only work on machines I had installed it a long time ago.
  • I cannot install it in newer machines.
  • I cannot upgrade older installs to latest versions.

I don't know what mess Python is doing with certificates (and why it doesn't use the ones installed in the operating system). But I'm surely know this problem may be solved in 5 minutes for anyone who knows what's going on.

My machine CAN download the files. It's just the python script which does not.

@radoering
Copy link
Member

Maybe, you need pip-system-certs in your C:\Python310 environment.

@fdcastel
Copy link
Author

Thanks @radoering . Unfortunately the problem persists.

I've installed it with

PS C:\> pip install pip-system-certs
Collecting pip-system-certs
  Using cached pip_system_certs-4.0-py2.py3-none-any.whl (6.1 kB)
Requirement already satisfied: wrapt>=1.10.4 in c:\python310\lib\site-packages (from pip-system-certs) (1.15.0)
Installing collected packages: pip-system-certs
Successfully installed pip-system-certs-4.0

But poetry installer keeps giving me the same error:

PS C:\> (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
Retrieving Poetry metadata
Traceback (most recent call last):
  File "C:\Python310\lib\urllib\request.py", line 1348, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "C:\Python310\lib\http\client.py", line 1283, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1329, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1278, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Python310\lib\http\client.py", line 1038, in _send_output
    self.send(msg)
  File "C:\Python310\lib\http\client.py", line 976, in send
    self.connect()
  File "C:\Python310\lib\http\client.py", line 1455, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "C:\Python310\lib\ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Python310\lib\ssl.py", line 1071, in _create
    self.do_handshake()
  File "C:\Python310\lib\ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 945, in <module>
  File "<stdin>", line 923, in main
  File "<stdin>", line 524, in run
  File "<stdin>", line 786, in get_version
  File "<stdin>", line 847, in _get
  File "C:\Python310\lib\urllib\request.py", line 216, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python310\lib\urllib\request.py", line 519, in open
    response = self._open(req, data)
  File "C:\Python310\lib\urllib\request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "C:\Python310\lib\urllib\request.py", line 496, in _call_chain
    result = func(*args)
  File "C:\Python310\lib\urllib\request.py", line 1391, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "C:\Python310\lib\urllib\request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)>

Worse. I did notice that this package affected the entire pip ability to download anything:

PS C:\> pip install numpy
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/numpy/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/numpy/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/numpy/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/numpy/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/numpy/
Could not fetch URL https://pypi.org/simple/numpy/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/numpy/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))) - skipping
ERROR: Could not find a version that satisfies the requirement numpy (from versions: none)
ERROR: No matching distribution found for numpy

PS C:\> python.exe -m pip install --upgrade pip
Requirement already satisfied: pip in c:\python310\lib\site-packages (23.1.2)
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/pip/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/pip/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/pip/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/pip/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))': /simple/pip/
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)'))) - skipping

Uninstalling pip-system-certs did solve this problem:

PS C:\> pip uninstall pip-system-certs
Found existing installation: pip-system-certs 4.0
Uninstalling pip-system-certs-4.0:
  Would remove:
    c:\python310\lib\site-packages\pip_system_certs-4.0.dist-info\*
    c:\python310\lib\site-packages\pip_system_certs.pth
    c:\python310\lib\site-packages\pip_system_certs\*
Proceed (Y/n)? y
  Successfully uninstalled pip-system-certs-4.0

PS C:\> pip install numpy
Collecting numpy
  Downloading numpy-1.24.3-cp310-cp310-win_amd64.whl (14.8 MB)
     ---------------------------------------- 14.8/14.8 MB 6.4 MB/s eta 0:00:00
Installing collected packages: numpy
Successfully installed numpy-1.24.3

PS C:\> python.exe -m pip install --upgrade pip
Requirement already satisfied: pip in c:\python310\lib\site-packages (23.1.2)

But poetry installer still gives the same error.

These tests were done in a clean VM with Windows Server 2022 Standard installed.

@fdcastel
Copy link
Author

To anyone needing this, I made a fork from installation script disabling SSL certification validation:

https://github.com/fdcastel/install-poetry

(Invoke-WebRequest -Uri https://raw.githubusercontent.com/fdcastel/install-poetry/main/install-poetry.py -UseBasicParsing).Content | py -

@dbernstein-pallidus
Copy link

Having the same problem, we cannot install poetry on new windows machines.

@rukiyeaslan
Copy link

rukiyeaslan commented Jun 28, 2023

I was facing the same problem on mac and any of the solutions I found didn't work. However, I could install it using the following command (which is also on their website):

curl -sSL https://install.python-poetry.org | python3 - --git https://github.com/python-poetry/poetry.git@master

@spoorthykakarla28
Copy link

I have the same issue with windows. Unable to install Poetry.

@alexchandel
Copy link

To anyone needing this, I made a fork from installation script disabling SSL certification validation:

https://github.com/fdcastel/install-poetry

(Invoke-WebRequest -Uri https://raw.githubusercontent.com/fdcastel/install-poetry/main/install-poetry.py -UseBasicParsing).Content | py -

Insane that this is necessary.

This issue is also related to #118.

This could be fixed with a normal installation method, instead of slurping a powerscript file from the internet.

@alexchandel
Copy link

FYI this issue would be resolved forever by #129

@Wiem657
Copy link

Wiem657 commented Sep 27, 2023

import paho.mqtt.client as mqtt
import logging
import certifi

print(certifi.where())

-MQTT broker settings
broker_address = "qa-iot.valeopaak.com"
port = 1883 # Default port for MQTT over SSL/TLS

-Paths to certificate files (replace with your own paths)
ca_cert = "../certs/iot_ca_bundled.pem" # CA certificate
client_cert = "../certs/iot_car02_crt.pem" # Client certificate
client_key = "../certs/iot_car02_key.pem" # Client private key

logging.basicConfig(level=logging.DEBUG)

-Create an MQTT client instance
client = mqtt.Client()

-Set the TLS/SSL options
client.tls_set(ca_certs=ca_cert, certfile=client_cert, keyfile=client_key)

-Define callback functions (e.g., on_connect, on_message)
def on_connect(client, userdata, flags, rc):
if rc == 0:
print("Connected to MQTT broker")
else:
print(f"Connection failed with code {rc}")

-Set the callback functions
client.on_connect = on_connect

-Connect to the MQTT broker
client.connect(broker_address, port)

-Start the MQTT client loop
client.loop_start()

runnig this script, I got this issue
PS C:\Users\whajali\Desktop\project\PyCANoe_MQTT - Copie> & "c:/Users/whajali/Desktop/project/PyCANoe_MQTT - Copie/venv/Scripts/python.exe" "c:/Users/whajali/Desktop/project/PyCANoe_MQTT - Copie/qa_broker_connection.py"
C:\Users\whajali\Desktop\project\PyCANoe_MQTT - Copie\venv\Lib\site-packages\certifi\cacert.pem
Traceback (most recent call last):
File "c:\Users\whajali\Desktop\project\PyCANoe_MQTT - Copie\qa_broker_connection.py", line 42, in
client.connect(broker_address, port)
File "C:\Users\whajali\Desktop\project\PyCANoe_MQTT - Copie\venv\Lib\site-packages\paho\mqtt\client.py", line 914, in connect
handshake()
handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unsupported certificate purpose (_ssl.c:1002)

@ling1042133624
Copy link

I encountered the same issue on a Mac, and I have already resolved it. However, I haven't tested it on Windows. Here is some information for your reference.

  • windows

install openssl (Win64 OpenSSL v3.1.0 Light)
https://slproweb.com/products/Win32OpenSSL.html

  • mac resolve by
sudo /Applications/Python\ 3.11/Install\ Certificates.command
  • ubuntu (Linux)
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
  • in script
import ssl

ssl._create_default_https_context = ssl._create_unverified_context

Not useful in ubuntu

@mattipaivikeeee
Copy link

Freshly installed Windows 10 machine and I have the same issue. Why isn't this fixed?

@fdcastel
Copy link
Author

Freshly installed Windows 10 machine and I have the same issue. Why isn't this fixed?

Maybe poetry developers don't speak English. Or they just don't like Windows. Who knows?

But, here! Take a slice:

🎂 Python Poetry Installer (for Windows) -- Anniversary Edition 🎂

@Secrus
Copy link
Member

Secrus commented May 27, 2024

Freshly installed Windows 10 machine and I have the same issue. Why isn't this fixed?

This is not fixed because there is no good fix for this issue that would be cross-platform and safe (disabling ssl is not safe). If someone will figure out how to work around this issue, we will be happy to accept a PR.

@fureunoir
Copy link

To anyone needing this, I made a fork from installation script disabling SSL certification validation:
https://github.com/fdcastel/install-poetry

(Invoke-WebRequest -Uri https://raw.githubusercontent.com/fdcastel/install-poetry/main/install-poetry.py -UseBasicParsing).Content | py -

Insane that this is necessary.

This issue is also related to #118.

This could be fixed with a normal installation method, instead of slurping a powerscript file from the internet.

Man we love you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests