Keywords: pip | SSL certificate verification | macOS | Python | certifi
Abstract: This article provides a comprehensive analysis of SSL certificate verification failures encountered when using pip to install Python packages on macOS systems. By examining the root causes, the article identifies the discontinuation of OpenSSL packages by Apple as the primary issue and presents the installation of the certifi package as the core solution. Additional methods such as using the --trusted-host option, configuring pip.ini files, and switching to HTTP instead of HTTPS are also discussed to help developers fully understand and resolve this common problem.
Problem Background and Error Analysis
When using pip to install Python packages, particularly on macOS systems, developers frequently encounter SSL certificate verification failures. This issue typically manifests as error messages similar to [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749). From a technical perspective, this error indicates that Python's SSL module cannot verify the certificate of the PyPI server, resulting in a failed secure connection establishment.
In macOS systems, this problem has specific historical context. Earlier versions of macOS provided OpenSSL packages, but in subsequent versions, Apple discontinued providing these packages in favor of its own security framework. This change causes Python's SSL verification mechanism to malfunction in certain scenarios, especially when using pip to download packages from PyPI.
Core Solution: Installing the certifi Package
Based on the best answer analysis, the most effective solution is to install the certifi package. certifi is a Python package that provides Mozilla's CA certificate bundle, which is widely trusted and can be used to verify SSL connections.
Here are the specific steps to resolve the issue:
First, install the certifi package:
pip install certifiOr for Python 3 users:
pip3 install certifiAfter installation, retry installing the target package:
pip install Scrapy
The principle behind this method is that the certifi package provides a complete, up-to-date CA certificate chain that Python's SSL module can use to verify the SSL certificates of PyPI servers. Once certifi is installed, Python automatically uses these certificates, thereby resolving the certificate verification failure.
Supplementary Solutions and In-depth Analysis
Using the --trusted-host Option
Another common solution is to use the --trusted-host option. This method instructs pip to skip SSL certificate verification for specified hosts:
pip install --trusted-host pypi.python.org ScrapyFor more complex environments, particularly when using HTTPS-intercepting proxies, multiple trusted hosts may need to be added:
pip install --trusted-host pypi.python.org --trusted-host pypi.org --trusted-host files.pythonhosted.org ScrapyIt's important to note that while this method solves the problem, it reduces security by bypassing SSL certificate verification. It is recommended only in trusted network environments.
Configuring the pip.ini File
For users who frequently use pip, trusted hosts can be permanently set in the pip configuration file. Create or edit ~/.pip/pip.conf (Linux/macOS) or %APPDATA%\pip\pip.ini (Windows) and add the following content:
[global]
trusted-host = pypi.python.org
pypi.org
files.pythonhosted.orgWith this configuration, all pip commands will automatically use these trusted host settings.
Using HTTP Instead of HTTPS
In certain special cases, you can try using HTTP instead of HTTPS to connect to PyPI:
pip install --index-url=http://pypi.python.org/simple/ --trusted-host pypi.python.org ScrapyThis method also carries security risks since HTTP connections are not encrypted and data may be intercepted or tampered with. It is recommended only as a temporary solution when SSL issues cannot be resolved.
Debugging and Diagnosis
When encountering SSL problems, you can use the pip -v install command to obtain detailed debugging information:
pip -v install ScrapyThis command displays all hosts and URLs that pip attempts to connect to, helping identify which hosts need to be added to the trusted host list.
Technical Principles Deep Dive
To deeply understand this issue, it's essential to grasp the basic principles of SSL/TLS certificate verification. When a client (such as pip) connects to a server (such as PyPI), the server provides its SSL certificate. The client needs to verify this certificate:
- Whether the certificate is issued by a trusted Certificate Authority (CA)
- Whether the certificate is within its validity period
- Whether the domain name in the certificate matches the accessed domain name
In macOS systems, Python typically uses the system's certificate store for verification. When the system no longer provides the necessary OpenSSL packages, Python may be unable to find appropriate CA certificates to verify PyPI's certificate, leading to verification failure.
Installing the certifi package resolves this issue because it provides an independent, complete CA certificate bundle. Python's ssl module can load these certificates to verify SSL connections.
Best Practice Recommendations
Based on the above analysis, we recommend the following best practices:
Preferred Solution: Install the certifi package. This is the safest and most standard solution, maintaining the integrity of SSL verification.
Temporary Solution: In development environments, if a quick fix is needed, the
--trusted-hostoption can be used, but security risks should be considered.Enterprise Environments: In corporate networks using HTTPS-intercepting proxies, collaborate with network administrators to obtain the correct proxy certificates and add them to the system's certificate store.
Continuous Maintenance: Regularly update the certifi package to ensure the use of the latest CA certificates.
By understanding the principles and applicable scenarios of these solutions, developers can choose the most appropriate resolution for their specific environment, ensuring the security and reliability of Python package management.