
Add a CA certificate to openssl ca-bundle and pip problems

I have an HTTPS proxy in place that uses a self-contained intermediate CA.

When using `pip` to install a python egg, I was receiving the following error:

```
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
```

Add a CA to a certificate bundle:
Your ca-bundle.crt may be located in another directory.

```shell
# Back up the bundle before changing it
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bak
# Append the CA certificate (text dump plus PEM block) to the bundle
openssl x509 -text -in untrusted_cacert.cer >> /etc/pki/tls/certs/ca-bundle.crt
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt untrusted-intermediateca.cer
# should result in "OK"
openssl s_client -showcerts -connect pypi.python.org:443
# should see "Verify return code: 0 (ok)" in the output
```

Add a CA to be trusted by pip:
I had to run `strace` on `pip install` to see what it was referencing, as I was still getting the above error.

```shell
cp /usr/local/lib/python2.7/site-packages/pip/cacert.pem /usr/local/lib/python2.7/site-packages/pip/cacert.pem.bak
openssl x509 -text -in untrusted_cacert.cer >> /usr/local/lib/python2.7/site-packages/pip/cacert.pem
pip-2.7 -v install matplotlib -v
```

Problem solved.
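
An alternative to appending to the system bundle or pip's bundled `cacert.pem` in place, as an added example that is not from the original post: it writes a separate bundle made of an existing one plus the proxy CA, refuses certificates that are expired or are not CA certificates, and skips a CA that is already present. The function names and file arguments are assumptions for illustration.

```shell
# Added example, not from the original post; function names are hypothetical.

# Print one SHA-256 fingerprint per certificate found in a PEM bundle.
bundle_fingerprints() {
    awk -v cmd='openssl x509 -noout -fingerprint -sha256' '
        /-----BEGIN CERTIFICATE-----/ { keep = 1 }
        keep { print | cmd }
        /-----END CERTIFICATE-----/ { keep = 0; close(cmd) }
    ' "$1" | sed 's/^.*=//'
}

# build_ca_bundle BASE_BUNDLE CA_CERT OUT_BUNDLE
# Writes BASE_BUNDLE plus CA_CERT to OUT_BUNDLE; BASE_BUNDLE is never modified.
build_ca_bundle() {
    base=$1 ca=$2 out=$3
    # Reject anything that is not a parseable, unexpired CA certificate.
    openssl x509 -in "$ca" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $ca" >&2; return 1; }
    openssl x509 -in "$ca" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired: $ca" >&2; return 1; }
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate: $ca" >&2; return 1; }

    fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256 | sed 's/^.*=//')
    tmp=$(mktemp "$out.XXXXXX") || return 1
    cat "$base" > "$tmp"
    if bundle_fingerprints "$base" | grep -qxF "$fp"; then
        status=already-present
    else
        # Append only the PEM block (no -text dump) so the bundle stays clean.
        openssl x509 -in "$ca" >> "$tmp"
        status=added
    fi
    # Same check the post runs by hand: the CA must verify against the new bundle.
    if ! openssl verify -CAfile "$tmp" "$ca" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "verification failed for $ca" >&2
        return 1
    fi
    chmod 644 "$tmp"            # mktemp creates 0600; other users need read access
    mv "$tmp" "$out" && echo "$status"
}
```

Point pip at the resulting file with `pip --cert <OUT_BUNDLE> install ...` or the `PIP_CERT` environment variable, so that the extra CA survives a pip upgrade, which replaces the `cacert.pem` inside `site-packages/pip`.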
