SSL certificates are not configured

[benoit-pierre]

The documentation should mention that SSL certificates are not configured (the equivalent of calling /Applications/Python 3.6/Install Certificates.command after a regular install). pip will still work fine, since it uses its own vendored-in copy of certifi, but standard library calls to urlopen and the like may fail.

[gregneagle]

Is there a simple fix for this issue? Can we do whatever /Applications/Python 3.6/Install Certificates.command does after a "regular" install?

[benoit-pierre]

I just bypass the issue by setting the SSL_CERT_FILE environment variable (e.g. to the output of python -m pip._vendor.certifi or python -m certifi).

For reference this is the contents of the Python 3.8 script:

#!/bin/sh

/Library/Frameworks/Python.framework/Versions/3.8/bin/python3.8 << "EOF"

# install_certifi.py
#
# sample script to install or update a set of default Root Certificates
# for the ssl module.  Uses the certificates provided by the certifi package:
#       https://pypi.org/project/certifi/

import os
import os.path
import ssl
import stat
import subprocess
import sys

STAT_0o775 = ( stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR
             | stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
             | stat.S_IROTH |                stat.S_IXOTH )

def main():
    openssl_dir, openssl_cafile = os.path.split(
        ssl.get_default_verify_paths().openssl_cafile)

    print(" -- pip install --upgrade certifi")
    subprocess.check_call([sys.executable,
        "-E", "-s", "-m", "pip", "install", "--upgrade", "certifi"])

    import certifi

    # change working directory to the default SSL directory
    os.chdir(openssl_dir)
    relpath_to_certifi_cafile = os.path.relpath(certifi.where())
    print(" -- removing any existing file or link")
    try:
        os.remove(openssl_cafile)
    except FileNotFoundError:
        pass
    print(" -- creating symlink to certifi certificate bundle")
    os.symlink(relpath_to_certifi_cafile, openssl_cafile)
    print(" -- setting permissions")
    os.chmod(openssl_cafile, STAT_0o775)
    print(" -- update complete")

if __name__ == '__main__':
    main()
EOF

[erikng]

so it looks like there may be another issue to solve here

managed_python3
Python 3.9.10 (v3.9.10:f2f3f53782, Jan 13 2022, 16:55:46)
[Clang 13.0.0 (clang-1300.0.29.30)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> import ssl
>>> import certifi
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/Library/Frameworks/Python.framework/Versions/3.9/etc/openssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/Library/Frameworks/Python.framework/Versions/3.9/etc/openssl/certs')

>>> openssl_dir, openssl_cafile = os.path.split(ssl.get_default_verify_paths().openssl_cafile)

>>> openssl_dir, openssl_cafile
('/Library/Frameworks/Python.framework/Versions/3.9/etc/openssl', 'cert.pem')

>>> certifi.where()
'/Library/ManagedFrameworks/Python/Python3.framework/Versions/3.9/lib/python3.9/site-packages/certifi/cacert.pem'

certifi seems to get the right path, but ssl functions are pulling the non relocatable path :/

[erikng]

hm,

ls -la /Library/ManagedFrameworks/Python/Python3.framework/Versions/3.9/etc/openssl
total 0
drwxr-xr-x  2 root  wheel  64 Feb  8 16:48 .
drwxr-xr-x  3 root  wheel  96 Feb  8 16:48 ..

This implies that when openssl is pip installed it installs to the wrong path