Conda update fails with SSL error CERTIFICATE_VERIFY_FAILED
CondaConda Problem Overview
I have a problem with conda update. Specifically, I tried doing
conda update <package>
, and I got the following error:
Could not connect to https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.
bz2 Error: Connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:590): https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2
The full output of the command was the following:
conda update bokeh Fetching package metadata: SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) . Solving package specifications: . Package plan for installation in environment //anaconda:
The following packages will be downloaded:
package | build
---------------------------|-----------------
decorator-4.0.2 | py27_0 11 KB
ipython_genutils-0.1.0 | py27_0 32 KB
path.py-8.1.1 | py27_0 45 KB
pexpect-3.3 | py27_0 60 KB
pickleshare-0.5 | py27_0 8 KB
simplegeneric-0.8.1 | py27_0 6 KB
traitlets-4.0.0 | py27_0 88 KB
ipython-4.0.0 | py27_0 916 KB
jinja2-2.8 | py27_0 263 KB
tornado-4.2.1 | py27_0 515 KB
bokeh-0.9.3 | np19py27_0 14.3 MB
------------------------------------------------------------
Total: 16.2 MB
The following NEW packages will be INSTALLED:
ipython_genutils: 0.1.0-py27_0
path.py: 8.1.1-py27_0
pexpect: 3.3-py27_0
pickleshare: 0.5-py27_0
simplegeneric: 0.8.1-py27_0
traitlets: 4.0.0-py27_0
The following packages will be UPDATED:
bokeh: 0.9.0-np19py27_0 --> 0.9.3-np19py27_0
decorator: 3.4.2-py27_0 --> 4.0.2-py27_0
ipython: 3.2.0-py27_0 --> 4.0.0-py27_0
jinja2: 2.7.3-py27_1 --> 2.8-py27_0
tornado: 4.2-py27_0 --> 4.2.1-py27_0
Proceed ([y]/n)? y
Fetching packages ... Could not connect to https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2 Error: Connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590): https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2
dendisuhubdy:finalproject dendisuhubdy$ brew link --force openssl Linking /usr/local/Cellar/openssl/1.0.2d_1... 1548 symlinks created dendisuhubdy:finalproject dendisuhubdy$ conda update bokeh Fetching package metadata: SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) .SSL verification error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) . Solving package specifications: . Package plan for installation in environment //anaconda:
The following packages will be downloaded:
package | build
---------------------------|-----------------
decorator-4.0.2 | py27_0 11 KB
ipython_genutils-0.1.0 | py27_0 32 KB
path.py-8.1.1 | py27_0 45 KB
pexpect-3.3 | py27_0 60 KB
pickleshare-0.5 | py27_0 8 KB
simplegeneric-0.8.1 | py27_0 6 KB
traitlets-4.0.0 | py27_0 88 KB
ipython-4.0.0 | py27_0 916 KB
jinja2-2.8 | py27_0 263 KB
tornado-4.2.1 | py27_0 515 KB
bokeh-0.9.3 | np19py27_0 14.3 MB
------------------------------------------------------------
Total: 16.2 MB
The following NEW packages will be INSTALLED:
ipython_genutils: 0.1.0-py27_0
path.py: 8.1.1-py27_0
pexpect: 3.3-py27_0
pickleshare: 0.5-py27_0
simplegeneric: 0.8.1-py27_0
traitlets: 4.0.0-py27_0
The following packages will be UPDATED:
bokeh: 0.9.0-np19py27_0 --> 0.9.3-np19py27_0
decorator: 3.4.2-py27_0 --> 4.0.2-py27_0
ipython: 3.2.0-py27_0 --> 4.0.0-py27_0
jinja2: 2.7.3-py27_1 --> 2.8-py27_0
tornado: 4.2-py27_0 --> 4.2.1-py27_0
Proceed ([y]/n)? y
Fetching packages ... Could not connect to https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2 Error: Connection error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590): https://repo.continuum.io/pkgs/free/osx-64/decorator-4.0.2-py27_0.tar.bz2
Please advise: what should I do to overcome this error?
Conda Solutions
Solution 1 - Conda
Conda needs to know where to find you SSL certificate store.
conda config --set ssl_verify <pathToYourFile>.crt
No need to disable SSL verification.
This command add a line to your $HOME/.condarc file or %USERPROFILE%\.condarc file on Windows that looks like:
ssl_verify: <pathToYourFile>.crt
If you leave your organization's network, you can just comment out that line in .condarc with a # and uncomment when you return.
If it still doesn't work, make sure that you are using the latest version of curl, checking both the conda-forge and anaconda channels.
Solution 2 - Conda
Please note that the following solution is not secure. See: https://conda.io/projects/conda/en/latest/user-guide/configuration/disable-ssl-verification.html
according to @jreback here https://github.com/conda/conda/issues/1166
conda config --set ssl_verify false
will turn off this feature, e.g. here
Solution 3 - Conda
This seemed to do the trick for me:
conda remove certifi
conda install certifi
Then you can do whatever you were trying to do before, e.g.
conda update --all
Solution 4 - Conda
I faced the same problem on Mac OS X and with Miniconda. After trying many of the proposed solutions for hours I found that I needed to correctly set Condas environment – specifically requests environment variable – to use the Root certificate that my company provided rather than the generic ones that Conda provides.
Here is how I solved it:
- Open Chrome, go to any website, click on the lock icon on the left of the URL. Click on «Certificate» on the dropdown. In the next window you see a stack of certificates. The uppermost (aka top line in window) is the root certificate (e.g. Zscaler Root CA in my case, yours will very likely be a different one).
- Open Mac OS keychain, click on «Certificates» and choose among the many certificates the root certificate that you just identified. Export this to any folder of your choosing.
- Convert this certificate with openssl:
openssl x509 -inform der -in /path/to/your/certificate.cer -out /path/to/converted/certificate.pem - For a quick check set your shell to acknowledge the certificate:
export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem - To set this permanently open your shell profile (
.bshrsor e.g..zshrc) and add this line:export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem. Now exit your terminal/shell and reopen. Check again.
You should be set and Conda should work fine.
Solution 5 - Conda
For those of us on corporate networks using web filters that implement trusted man in the middle SSL solutions, it is necessary to add the web-filter certificate to the certifi cacert.pem.
A guide to doing this is here.
Main steps are:
- connect to https site with browser
- view and save root certificate
- convert cert to .pem
- copy and paste onto end of existing cacert.pem
- save
- SSL happiness
Solution 6 - Conda
For everyone struggling with this issue, you simply need to upgrade your openssl installation. I'm running windows 10, installed the latest anaconda 64-bit and am getting this error when I try to install/upgrade anything with 'conda' or 'pip'. If I uninstall the 64-bit anaconda and install the 32-bit, it works fine. I had a 64-bit version of openssl for windows installed, version 1.1.0 something. I uninstalled that and installed the latest I could find from here: https://slproweb.com/products/Win32OpenSSL.html -- there is a 64-bit version of 1.1.1 on there that worked. Now I can install packages via pip and conda successfully. Hope this helps.
Solution 7 - Conda
That SSL error is misleading. I am using Anaconda 3, conda version 4.6.11, have the most current version of openssl on a Windows 10 instance. I got the issue resolved by changing the security settings on the Anaconda3 folder to Full Control. Don't think this helped, but I also have modified the ..\Anaconda3\Lib\site-packages\certifi\cacert.pem file to include the company's SSL cert.
Hope this info helps you.
Solution 8 - Conda
New poster unable to comment yet - but here's an additional option and clarification if you have a non-default trusted SSL certificate, such as when using corporate internet monitoring software like ZScaler.
Assuming you have a new trusted.pem file, you may need to append this trusted.pem to the certificate at the path python -m certifi, AND, set this concatenated .pem file to the REQUESTS_CA_BUNDLE variable.
It may not work if you only set REQUESTS_CA_BUNDLE to trusted.pem.
Tested on Windows 10. Related variables are AWS_CA_BUNDLE, SSL_CERT_FILE, and CURL_CA_BUNDLE, though these need to be set to trusted.pem only on your local, not to the concatenated version.
For whatever reason, inside a Dockerfile, these ENV variables need to be the concatenated .pem file (after relevant COPY commands of course)
Solution 9 - Conda
After 2 hrs of net surfing Finally For me the problem was fixed by creating a folder pip, with a file: pip.ini in C:\Users<username>\AppData\Roaming\ e.g:
C:\Users\<username>\AppData\Roaming\pip\pip.ini
Inside it I wrote:
[global]
trusted-host = pypi.python.org
pypi.org
files.pythonhosted.org
I restarted python, and then pip permanently trusted these sites, and used them to download packages from.
If you can't find the AppData Folder on windows, write %appdata% in file explorer and it should appear.
Solution 10 - Conda
The following worked for me: (MAC)
- Use homebrew to install openssl1.1 certs
brew install openssl@1.1
- Add the installed certs to an env variable with:
export REQUESTS_CA_BUNDLE='/usr/local/etc/[email protected]/cert.pem'
- To persist your env variable to anaconda, first activate the relevant environment, then execute:
conda env config vars set export REQUESTS_CA_BUNDLE='/usr/local/etc/[email protected]/cert.pem'