Keywords: Conda | SSL Certificate Verification | CERTIFICATE_VERIFY_FAILED
Abstract: This technical article provides an in-depth analysis of SSL certificate verification failures encountered during Conda package manager updates, with particular focus on the CERTIFICATE_VERIFY_FAILED error. Based on official documentation and community best practices, the article presents comprehensive solutions through ssl_verify parameter configuration while emphasizing security considerations and alternative approaches. Step-by-step guidance helps users modify configuration files and utilize environment variables to permanently resolve this common technical obstacle.
Problem Background and Error Analysis
When using Conda for package management, users frequently encounter SSL certificate verification failures, specifically manifested as CERTIFICATE_VERIFY_FAILED errors. These errors typically occur in enterprise network environments or specific system configurations, where Conda cannot validate the legitimacy of server SSL certificates when attempting to download packages via HTTPS from remote repositories.
Root Cause Analysis
The fundamental cause of SSL certificate verification failure lies in the inability of Conda's underlying network libraries (such as requests) to properly validate the certificate chain of target servers. This can result from various factors: enterprise firewall man-in-the-middle certificate interception, incomplete system certificate stores, or network proxy configuration issues. In the provided case, the error specifically points to _ssl.c:590, indicating the problem occurs at the Python SSL module level.
Primary Solution
According to Conda official documentation and community best practices, the most direct solution involves configuring the ssl_verify parameter. While complete SSL verification disablement is possible, this introduces significant security risks and is not recommended for production environments.
conda config --set ssl_verify falseThis command adds corresponding settings to the user's .condarc configuration file, but special attention must be paid to security warnings: disabling SSL verification makes the system vulnerable to man-in-the-middle attacks.
Secure Alternative Approaches
For environments requiring maintained security, certificate configuration is recommended. The issue can be resolved by specifying custom certificate files:
conda config --set ssl_verify /path/to/certificate.crtThis approach resolves connectivity issues while maintaining HTTPS connection security. Users can obtain appropriate certificate files from system certificate stores or enterprise IT departments.
Configuration File Persistence
Settings made using the conda config command are automatically saved to the $HOME/.condarc file (Linux/Mac) or %USERPROFILE%\.condarc file (Windows). This configuration is persistent and will affect all subsequent Conda operations.
Environment Variable Solutions
As a temporary solution, certificate verification issues can be bypassed by setting environment variables:
export REQUESTS_CA_BUNDLE=/path/to/certificate.pemThis method only affects the current session without modifying system configuration, making it suitable for temporary testing and debugging.
Best Practice Recommendations
When handling SSL certificate issues, follow these best practices: prioritize certificate configuration over complete verification disablement; regularly update Conda and system certificate stores; collaborate with IT departments in enterprise environments to obtain proper certificate configurations. These measures ensure both connectivity resolution and system security maintenance.