What is the SSL Certificate Error in pip?
When you run pip install and encounter an SSL certificate error, pip is telling you that it cannot verify the identity of the Python Package Index (PyPI) server or the package repository you are trying to connect to. This verification is performed using SSL/TLS certificates, which are part of the secure HTTPS protocol that pip uses by default to download packages.
The error occurs because the certificate chain presented by the server cannot be validated against the Certificate Authority (CA) bundle that pip (and the underlying urllib3 or requests library) uses to establish trust. Without a valid certificate chain, pip refuses to proceed with the download to protect you from potential man-in-the-middle attacks.
Typical Error Messages You'll See
Depending on your Python version, operating system, and the exact nature of the failure, you may encounter one of these variations:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)
pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
Could not fetch URL https://pypi.org/simple/pip/:
There was a problem confirming the ssl certificate:
HTTPSConnectionPool(host='pypi.org', port=443):
Max retries exceeded with url: /simple/pip/
(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))
Root Causes of SSL Certificate Failures
- Missing CA certificates in the system: On minimal Linux installations, Docker containers, or custom-built Python environments, the CA certificate bundle may not be present at all.
- Outdated Python or pip versions: Older Python builds (especially Python 3.4 and 3.5 on macOS) shipped with an incomplete or expired CA bundle.
- Corporate proxy or firewall interception: Enterprise networks often use a self-signed certificate to inspect HTTPS traffic. This certificate is not trusted by the public CA bundle that pip uses.
- Incorrect system time: An inaccurate system clock can cause valid certificates to appear expired, triggering verification failures.
- Virtual environments with isolated system paths: Some virtual environment tools don't properly inherit the system CA certificate paths.
- Using a custom Python build: Python compiled from source may not link against the system's SSL libraries correctly.
Why Fixing This Matters
🚀 Deploy your AI agent in 10 minutes
Managed Hermes hosting. Zero DevOps. 100M tokens/mo included.
Try it free →SSL certificate verification is not just an annoying roadblock — it is a critical security feature. When pip verifies certificates, it ensures that:
- The server you're connecting to is genuinely PyPI (or your configured package index), not a malicious impostor.
- The data you're downloading has not been tampered with during transit.
- Your development environment remains secure from supply-chain attacks that could inject malware into packages.
Simply disabling SSL verification globally (e.g., with --trusted-host or environment variables) exposes you to significant risk. The goal is to fix the root cause so that verification works correctly while maintaining security. Every professional Python developer should understand how to resolve these errors properly rather than resorting to insecure workarounds.
How to Fix pip SSL Certificate Errors
Below are comprehensive solutions, ordered from most recommended to least secure. Apply the solution that matches your specific root cause.
Solution 1: Upgrade pip, setuptools, and certifi
The simplest fix in many cases is upgrading pip itself and its certificate dependencies. An outdated pip may carry an expired CA bundle inside its vendored certifi library.
# First, try upgrading pip using the built-in bootstrap mechanism
python -m pip install --upgrade pip --no-build-isolation
# Then upgrade setuptools and wheel
python -m pip install --upgrade setuptools wheel
# Finally, upgrade certifi (the certificate bundle package)
python -m pip install --upgrade certifi
If pip itself refuses to connect due to SSL, you can use the get-pip.py bootstrap script with a temporary insecure flag:
# Download get-pip.py using curl (bypassing Python's SSL check temporarily)
curl -O https://bootstrap.pypa.io/get-pip.py
# Install pip using the downloaded script, which will then have the latest CA bundle
python get-pip.py
# Now upgrade normally
python -m pip install --upgrade pip certifi
Solution 2: Install Missing CA Certificates (Linux / macOS)
On minimal Linux installations (Debian/Ubuntu minimal, Alpine, Docker slim images) or older macOS systems, the operating system CA certificate store may be missing or not linked to Python.
Debian / Ubuntu:
# Install the ca-certificates package
sudo apt-get update
sudo apt-get install -y ca-certificates
# Verify the CA bundle exists
ls -la /etc/ssl/certs/ca-certificates.crt
CentOS / RHEL / Fedora:
# Install the CA certificate bundle
sudo yum install -y ca-certificates
# or on newer Fedora:
sudo dnf install -y ca-certificates
# Update the certificate trust store
sudo update-ca-trust
Alpine Linux (Docker containers):
# Alpine uses apk and a slightly different package
apk add --no-cache ca-certificates
# If Python still can't find them, symlink the bundle
ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem
macOS:
# For Python installed via the official installer from python.org,
# run the "Install Certificates" script bundled in the Python application folder
/Applications/Python\ 3.x/Install\ Certificates.command
# Replace "3.x" with your Python version, e.g., 3.11
# For Homebrew-installed Python, ensure OpenSSL is linked:
brew install openssl
brew reinstall python@3.11
Solution 3: Configure pip with the Correct Certificate Bundle Path
If the CA certificates are installed but Python or pip cannot locate them, you can explicitly point pip to the certificate bundle using its configuration file.
# Locate the CA bundle on your system (common locations)
# Linux:
# /etc/ssl/certs/ca-certificates.crt
# /etc/pki/tls/certs/ca-bundle.crt
# macOS:
# /etc/ssl/cert.pem (after running Install Certificates.command)
# Set the certificate path in pip's configuration
pip config set global.cert /etc/ssl/certs/ca-certificates.crt
# Or manually edit/create pip.conf (Linux: ~/.config/pip/pip.conf, macOS: ~/Library/Application Support/pip/pip.conf)
# Add the following:
[global]
cert = /etc/ssl/certs/ca-certificates.crt
You can also pass the certificate path directly on the command line for a one-off fix:
pip install --cert /etc/ssl/certs/ca-certificates.crt package-name
Solution 4: Use pip's Trusted Host Option (Temporary / Controlled Environments)
This approach tells pip to skip SSL certificate verification for specific hosts. It should only be used temporarily or in fully trusted, isolated environments (such as air-gapped internal networks).
# Install a package skipping SSL verification for pypi.org
pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org package-name
# Or set it permanently in pip.conf (use with extreme caution)
[global]
trusted-host = pypi.org
pypi.python.org
files.pythonhosted.org
Warning: This completely disables SSL verification for those hosts. Anyone able to intercept your network traffic could serve you malicious packages. Only use this in sandboxed environments.
Solution 5: Set SSL Environment Variables for Python
Python's SSL module respects several environment variables that can help you control certificate behavior:
# Point Python to the correct CA bundle
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# On macOS with the certifi package, you can use:
export SSL_CERT_FILE=$(python -m certifi)
# To make these permanent, add them to your shell profile (~/.bashrc, ~/.zshrc):
echo 'export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt' >> ~/.bashrc
echo 'export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> ~/.bashrc
source ~/.bashrc
You can verify Python's SSL configuration with a quick script:
# Check which CA bundle Python is using
python -c "import certifi; print(certifi.where())"
# Test an HTTPS connection
python -c "import urllib.request; print(urllib.request.urlopen('https://pypi.org').read()[:100])"
Solution 6: Add a Corporate / Self-Signed Certificate to the Trust Store
In enterprise environments, your organization may operate a TLS inspection proxy that issues its own certificate. You need to add that corporate CA certificate to the trust store that Python uses.
# Step 1: Obtain the corporate CA certificate (usually a .pem or .crt file)
# Your IT department typically provides this — save it as corporate-ca.pem
# Step 2: Append it to the existing CA bundle
# Option A: Append to system bundle
sudo cat corporate-ca.pem >> /etc/ssl/certs/ca-certificates.crt
# Option B: Create a combined bundle and point pip at it
cat /etc/ssl/certs/ca-certificates.crt corporate-ca.pem > ~/combined-ca-bundle.pem
pip config set global.cert ~/combined-ca-bundle.pem
# Step 3: Verify it works
python -c "import urllib.request; print(urllib.request.urlopen('https://pypi.org').read()[:50])"
For Python environments using the certifi package, you can append to certifi's bundle:
# Find certifi's bundle location
CERTIFI_BUNDLE=$(python -c "import certifi; print(certifi.where())")
# Append your corporate CA
sudo cat corporate-ca.pem >> "$CERTIFI_BUNDLE"
# Set the environment variable so all tools pick it up
export SSL_CERT_FILE="$CERTIFI_BUNDLE"
Best Practices to Prevent SSL Certificate Issues
- Keep Python and pip updated: Run
python -m pip install --upgrade pip setuptools wheel certifiregularly as part of your environment maintenance routine. - Use official Python distributions: Whenever possible, install Python from python.org, your operating system's package manager, or trusted tools like
pyenvrather than compiling from source unless you fully understand the SSL linking process. - Maintain accurate system time: Ensure NTP synchronization is active. A clock skew of even a few minutes can cause certificate validity checks to fail. Run
timedatectl statuson Linux or check your Docker container's time settings. - In Docker containers, always install ca-certificates: Add
ca-certificatesto your Dockerfile's package installation step. For Alpine images, includeapk add --no-cache ca-certificatesin every Python-based Dockerfile. - Use pip's configuration file for persistent settings: Instead of relying on environment variables that may not propagate to all shells or contexts, use
pip config setto persist certificate paths in pip's configuration. - Document corporate certificate requirements: If your team operates behind a TLS inspection proxy, document the steps to add the corporate CA in your project's README or onboarding guide. Provide the combined bundle as part of your developer environment setup scripts.
- Test SSL connectivity in your CI/CD pipeline: Include a step that runs
python -c "import urllib.request; urllib.request.urlopen('https://pypi.org')"to catch SSL issues early, before they block a critical build. - Avoid disabling SSL verification globally: Never set
trusted-hostorCURL_CA_BUNDLE=""as a permanent global configuration. If you must bypass verification, do so with explicit flags on a per-command basis and remove them immediately after resolving the underlying issue.
Conclusion
SSL certificate errors when running pip install are a common but entirely solvable problem. The root cause almost always boils down to Python being unable to locate or trust the Certificate Authority bundle it needs to verify PyPI's identity. By systematically working through the solutions above — starting with simple upgrades, moving through system certificate installation, and only resorting to less secure options in controlled environments — you can restore secure package installation without compromising your development workflow. Remember that each solution targets a specific root cause: outdated pip, missing system certificates, corporate proxies, or misconfigured paths. Diagnose first, then apply the fix that matches your situation. Keeping your Python toolchain updated and your system's certificate store healthy will prevent most of these errors from occurring in the first place.