SSL digest errors (on OSX and windows)

tba-apps commented 11 years ago

OSX and Windows users on pythons linked to an older openssl version (e.g. "OpenSSL 0.9.7l 28 Sep 2006" on OSX and "OpenSSL 0.9.8k 25 Mar 2009" on windows) get an error like the following when pip installs from pypi.

ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

to determine your openssl version, run python -c "import ssl; print ssl.OPENSSL_VERSION"

there are currently no plans to offer a fix for this other than to recommend people to use a python that is linked to a more recent version of openssl.

jezdez commented 11 years ago

Can you paste the full log /Users/tba/.pip/pip.log please?

flyingfrog81 commented 11 years ago

Same error here on OSX 10.6.8 . Seems to be SSL related.

flyingfrog81 commented 11 years ago

here's the full log:

------------------------------------------------------------
/Library/Frameworks/Python.framework/Versions/Current/bin/pip run on Fri Mar  8 12:44:05 2013
Downloading/unpacking cato

  Getting page https://pypi.python.org/simple/cato/
  Could not fetch URL https://pypi.python.org/simple/cato/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/cato/ when looking for download links for cato

  Getting page https://pypi.python.org/simple/
  Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/ when looking for download links for cato

  Cannot fetch index base URL https://pypi.python.org/simple/

  URLs to search for versions for cato:
  * https://pypi.python.org/simple/cato/
  Getting page https://pypi.python.org/simple/cato/
  Could not fetch URL https://pypi.python.org/simple/cato/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/cato/ when looking for download links for cato

  Could not find any downloads that satisfy the requirement cato

No distributions at all found for cato

Exception information:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/req.py", line 1026, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/index.py", line 171, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for cato

dstufft commented 11 years ago

Can you run with -v so we get the actual SSL error?

qwcode commented 11 years ago

there's no more info to be had with -v. (if you're in github, scroll over to the right)

here's the detail: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

just noticed vinay has some extra logic related to ssl versioning in distlib (@vsajip) maybe we need that?

https://bitbucket.org/vinay.sajip/distlib/src/a7da9a0641fd96f1a75480206998b6a874467727/distlib/util.py?at=default#cl-1156

dstufft commented 11 years ago

Oops missed that.

What version of openssl? (python -c "import ssl; print ssl.OPENSSL_VERSION").

qwcode commented 11 years ago

fwiw, on a mac that's not failing: OpenSSL 0.9.8r 8 Feb 2011

qwcode commented 11 years ago

to be clear, distlib's extra logic is related to python version and ssl protocol version. this issue just may require an openssl client library upgrade (or recompile) for certain OSX users.

dstufft commented 11 years ago

SSL v2 is known to be insecure, pretty sure PyPI itself disables it but for non PyPI indexes it might be useful for pip to do the same.

Shouldn't be related to the issue at hand though.

qwcode commented 11 years ago

opened #832 regarding @dstufft comment about restricting the ssl protocol version

tba-apps commented 11 years ago

@dstufft Here is my openssl version:

tba:~$ python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 0.9.7l 28 Sep 2006

Here is the output with -v:

tba:~$ pip install -Uv pip
Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>
Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>
Will skip URL https://pypi.python.org/simple/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Cannot fetch index base URL https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>
Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Could not find any downloads that satisfy the requirement pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Downloading/unpacking pip
No distributions at all found for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg
Exception information:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/req.py", line 1025, in prepare_files
    raise not_found
DistributionNotFound: No distributions at all found for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Storing complete log in /Users/tba/.pip/pip.log

Here is the complete log:

tba:~$ cat ~/.pip/pip.log
------------------------------------------------------------
/Library/Frameworks/Python.framework/Versions/2.7/bin/pip run on Fri Mar  8 10:55:12 2013
Getting page https://pypi.python.org/simple/pip/
Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Getting page https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Cannot fetch index base URL https://pypi.python.org/simple/

URLs to search for versions for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg:
* https://pypi.python.org/simple/pip/
Getting page https://pypi.python.org/simple/pip/
Could not fetch URL https://pypi.python.org/simple/pip/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:499: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/pip/ when looking for download links for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Could not find any downloads that satisfy the requirement pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Downloading/unpacking pip

No distributions at all found for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

Exception information:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/req.py", line 1025, in prepare_files
    raise not_found
DistributionNotFound: No distributions at all found for pip in /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg

tba:~$

qwcode commented 11 years ago

@tba-apps I don't know much about the OSX macport, homebrew stuff, but can you try an openssl upgrade?

ulyssesv commented 11 years ago

I was using ActivePython 2.7.2.5 and getting the same error. I switched to a fully brew distribution and now it's working. It doesn't solve the bug, but solved my problem...

brew update
brew install openssl
brew install python --with-brewed-openssl
brew linkapps

And set these vars:

PATH=$(brew --prefix)/share/python:$(brew --prefix)/share/python/bin:$(brew --prefix)/share/python/sbin:$PATH
PYTHONPATH=$(brew --prefix)/lib/python2.7/site-packages:$PYTHONPATH

Check your pip path with which pip, it must be the one in /usr/local/share/python.

Then:

pip install --upgrade distribute
pip install --upgrade pip

Now I'm able to use pip again.

dstufft commented 11 years ago

I wonder if this is an ActivePython issue then.

ulyssesv commented 11 years ago

Probably. Before this setup Python was linked against OpenSSL 0.9.7l 28 Sep 2006 and now it's OpenSSL 1.0.1c 10 May 2012.

I wasn't able to test against the native Mac OS Python though.

matino commented 11 years ago

Same problem here on Windows 7 with Python 2.7.3 while trying to install any package... I found this problem after upgrading to pip 1.3.1...

pnasrat commented 11 years ago

@matino please can you include a log or a link to a gist of a log produced with a run with -v.

matino commented 11 years ago

Hi, here it is (result of pip install -Uv django) https://gist.github.com/matino/5143458

pnasrat commented 11 years ago

So your error is

/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>

matino commented 11 years ago

I can see that the problem may be with the network. On my company network I get the error, but when I switch to 3g it works... 1.2.1 works as expected on both networks though...

qwcode commented 11 years ago

btw, our automated testing for windows includes py27 on 2008 server. http://jenkins.qwcode.com/job/pip_win_27/

treyd commented 11 years ago

I get this same error when I try to use the pip generated when I set up a virtualenv, but natively, pip works fine. My OpenSSL version is also OpenSSL 0.9.7l 28 Sep 2006.

qwcode commented 11 years ago

@tduskin, is your global pip actually an older version that doesn't use SSL? run pip --version

treyd commented 11 years ago

I'm using pip 1.3.1.

pip 1.3.1 from /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages (python 2.7)

tba-apps commented 11 years ago

Switching to brew Python as mentioned by @ulyssesv fixed the issue for me.

treyd commented 11 years ago

Upgrading to Python 2.7.3 (available from http://www.python.org/download/releases/2.7.3/) solved this issue for me. I am now able to use pip in my virtualenv.

douglatornell commented 11 years ago

I'm seeing this same issue on OS/X 10.8.2 with Python 2.6.6.

The Python build is the OS/X framework one from python.org /Library/Frameworks/Python.framework/Versions/2.6/bin/python2.6

The OpenSSL version is OpenSSL 0.9.8r 8 Feb 2011

In my case this is happening in a tox run that tests the package under 2.6, 2.7, 3.2, and 3.3. The failure only happens under 2.6, and only started happening yesterday after I upgraded virtualenv and pip in the environment to:

$ virtualenv --version
1.9.1

and

$ pip --version
pip 1.3.1 from /Users/doug/.virtualenvs/blogofile-dev-3.2/lib/python3.2/site-packages (python 3.2)

pip log from the failure:

------------------------------------------------------------
../bin/pip run on Fri Mar 15 21:03:40 2013
Unpacking /Users/doug/.tox/distshare/Blogofile-0.8b1.zip

  Running setup.py egg_info for package from file:///Users/doug/.tox/distshare/Blogofile-0.8b1.zip

    running egg_info
    creating pip-egg-info/Blogofile.egg-info
    writing requirements to pip-egg-info/Blogofile.egg-info/requires.txt
    writing pip-egg-info/Blogofile.egg-info/PKG-INFO
    writing top-level names to pip-egg-info/Blogofile.egg-info/top_level.txt
    writing dependency_links to pip-egg-info/Blogofile.egg-info/dependency_links.txt
    writing entry points to pip-egg-info/Blogofile.egg-info/entry_points.txt
    writing manifest file 'pip-egg-info/Blogofile.egg-info/SOURCES.txt'
    warning: manifest_maker: standard file '-c' not found
    reading manifest file 'pip-egg-info/Blogofile.egg-info/SOURCES.txt'
    reading manifest template 'MANIFEST.in'
    writing manifest file 'pip-egg-info/Blogofile.egg-info/SOURCES.txt'
  Source in /var/folders/4x/5r9809nn4dg6jql9768bm6dc0000gn/T/pip-dLVbFI-build has version 0.8b1, which satisfies requirement Blogofile==0.8b1 from file:///Users/doug/.tox/distshare/Blogofile-0.8b1.zip
Downloading/unpacking discover

  Getting page https://pypi.python.org/simple/discover/
  Could not fetch URL https://pypi.python.org/simple/discover/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:490: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/discover/ when looking for download links for discover

  Getting page https://pypi.python.org/simple/
  Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:490: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/ when looking for download links for discover

  Cannot fetch index base URL https://pypi.python.org/simple/

  URLs to search for versions for discover:
  * https://pypi.python.org/simple/discover/
  Getting page https://pypi.python.org/simple/discover/
  Could not fetch URL https://pypi.python.org/simple/discover/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:490: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

  Will skip URL https://pypi.python.org/simple/discover/ when looking for download links for discover

  Could not find any downloads that satisfy the requirement discover

No distributions at all found for discover

Exception information:
Traceback (most recent call last):
  File "/Users/doug/Documents/devel/python/blogofile_blog-dev/.tox/py26/lib/python2.6/site-packages/pip-1.3.1-py2.6.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Users/doug/Documents/devel/python/blogofile_blog-dev/.tox/py26/lib/python2.6/site-packages/pip-1.3.1-py2.6.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Users/doug/Documents/devel/python/blogofile_blog-dev/.tox/py26/lib/python2.6/site-packages/pip-1.3.1-py2.6.egg/pip/req.py", line 1026, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/Users/doug/Documents/devel/python/blogofile_blog-dev/.tox/py26/lib/python2.6/site-packages/pip-1.3.1-py2.6.egg/pip/index.py", line 171, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for discover

rasky commented 11 years ago

The error is:

Could not fetch URL https://pypi.python.org/simple/discover/: There was a problem confirming the ssl certificate: 
<urlopen error [Errno 1] _ssl.c:490: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown 
message digest algorithm>

But PyPI certificate (which is *.python.org) uses SHA1 as message digest. It's weird that anything would not support it, even if a few years old.

I tried reproducing it with this setup:

OSX 10.8.2
OpenSSL 0.9.8r 8 Feb 2011 (default from Apple)
Python 2.6.7 (default from Apple)
Virtualenv 1.9.1
pip 1.3.1

And I cannot reproduce it. If I created a virtualenv with Python 2.6 (using virtualenv -p python2.6), and then run pip to install any package, it is able to correctly connect to PyPI and download it without any SSL warning.

It looks like the only difference is that you're using Python 2.6 from python.org. Can you please try whether using the system Python 2.6 fixes it?

djsutherland commented 11 years ago

For what it's worth, I'm seeing the same error on

OSX 10.8.3
default Apple OpenSSL
Virtualenv 1.9.1
pip 1.3.1

when I use the Python 2.7.3 that comes in EPD 7.3-2 in a virtualenv. I don't see the error using that same python outside of a virtualenv or using the system python 2.7.2.

olivierverdier commented 11 years ago

Same problem here, without virtualenv.

My setting is a vanilla install from EPD. The steps to reproduce the error, on Mac OS X 10.8.2 are

Install EPD 7.3
easy_install pip
pip install --upgrade ipython

You will get the same error as everyone else:

/Library/Frameworks/Python.framework/Versions/7.3/bin/pip run on Wed Mar 20 10:58:59 2013
Getting page https://pypi.python.org/simple/ipython/
Could not fetch URL https://pypi.python.org/simple/ipython/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/ipython/ when looking for download links for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Getting page https://pypi.python.org/simple/
Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/ when looking for download links for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Cannot fetch index base URL https://pypi.python.org/simple/

URLs to search for versions for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages:
* https://pypi.python.org/simple/ipython/
Getting page https://pypi.python.org/simple/ipython/
Could not fetch URL https://pypi.python.org/simple/ipython/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm>

Will skip URL https://pypi.python.org/simple/ipython/ when looking for download links for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Could not find any downloads that satisfy the requirement ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Downloading/unpacking ipython

No distributions at all found for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

Exception information:
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/basecommand.py", line 139, in main
    status = self.run(options, args)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/commands/install.py", line 266, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg/pip/req.py", line 1025, in prepare_files
    raise not_found
DistributionNotFound: No distributions at all found for ipython in /Library/Frameworks/Python.framework/Versions/7.3/lib/python2.7/site-packages

olivierverdier commented 11 years ago

For what it's worth, my problem was asked, and fixed, on SO: http://stackoverflow.com/questions/15441224/can-i-relink-enthought-python-to-new-version-of-openssl-on-mac-os-x

The solution is simply to downgrade pip with

easy_install pip==1.2.1

douglatornell commented 11 years ago

@rasky I tried with a virtualenv based on the OS/X 10.8.2 system Python 2.6.7 as you requested, and I get the same result that you do - pip 1.3.1 installs packages without difficulty.

So, it would seem that the problem lies in the linkage of the installed OpenSSL library to the python.org Python 2.6.6 framework.

davethecipo commented 11 years ago

I have the same problem (no virtualenv) on archlinux ARM (running on the raspberry py). pip version: 1.3.1

jasonkeene commented 11 years ago

I have the same issue on python 2.6.6 OSX 10.6.8. Upgraded pip/distribute. Going to try reinstalling 2.6 and see if it fixes.

hivelocity commented 11 years ago

Downgrading to an older version of pip was the only thing I found that solved this. Did pypi change their certs or something?

qwcode commented 11 years ago

@hivelocity ssl cert support is new in pip-1.3.1. many osx users have fixed this by getting to a python distribution that's linked against a newer openssl lib.

mbarczak commented 11 years ago

Same problem on pip 1.3.1(python 2.7.3) in Tomato enable router . Solved by downgrading pip to 1.2.1.

dubois commented 11 years ago

FWIW, I am seeing this on a windows machine. Python 2.6.2, virtualenv 1.9.1 (which installs pip 1.3.1)

qwcode commented 11 years ago

@dubois , can you report the text of your ssl error, also python -c "import ssl; print ssl.OPENSSL_VERSION" , thanks.

dubois commented 11 years ago

Could not fetch URL https://pypi.python.org/simple/South/: There was a problem confirming the ssl certificate:
<urlopen error [Errno 1] _ssl.c:480: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm>

I forgot to mention earlier that the failing computer uses ActivePython 2.6.2.2, not a stock python.org build. OPENSSL_VERSION is a 2.7 feature, but "strings _ssl.pyd" shows "OpenSSL 0.9.8k 25 Mar 2009".

Additionally, I can confirm that (in Win32) upgrading to ActivePython 2.6.7.20 fixes the problem. Its_ssl.pyd uses OpenSSL 0.9.8r 8 Feb 2011. I believe ActiveState is a little more aggressive about updating OpenSSL in their builds, so YMMV if using a python.org build.

qwcode commented 11 years ago

thanks @dubois. just updated the description to more relevant to OSX and windows users.

jefreybulla commented 11 years ago

@olivierverdier I tried different solutions proposed in this page, but yours was the one that work for me. I had to downgrade Pip:

easy_install pip==1.2.1

tash88 commented 11 years ago

Hi, I would like to download nltk package for python and always get an error message saying that there is a problem confirming the ssl certificate. I'd really appreciate it if you could recommend me a solution to my problem :) here is the log:

Last login: Sun Apr 21 12:52:49 on ttys000 macbook-macbook-demo-2:~ MacBookDemo$ python -V Python 2.7.4 macbook-macbook-demo-2:~ MacBookDemo$ sudo sh /Users/MacBookDemo/Downloads/setuptools-0.6c11-py2.7.egg Password: NProcessing setuptools-0.6c11-py2.7.egg Removing /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg Copying setuptools-0.6c11-py2.7.egg to /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages setuptools 0.6c11 is already the active version in easy-install.pth Installing easy_install script to /Library/Frameworks/Python.framework/Versions/2.7/bin Installing easy_install-2.7 script to /Library/Frameworks/Python.framework/Versions/2.7/bin

Installed /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg Processing dependencies for setuptools==0.6c11 Finished processing dependencies for setuptools==0.6c11 macbook-macbook-demo-2:~ MacBookDemo$ macbook-macbook-demo-2:~ MacBookDemo$ sudo easy_install pip Searching for pip Best match: pip 1.3.1 Processing pip-1.3.1-py2.7.egg pip 1.3.1 is already the active version in easy-install.pth Installing pip script to /Library/Frameworks/Python.framework/Versions/2.7/bin Installing pip-2.7 script to /Library/Frameworks/Python.framework/Versions/2.7/bin

Using /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg Processing dependencies for pip Finished processing dependencies for pip macbook-macbook-demo-2:~ MacBookDemo$ sudo pip install -U numpy Downloading/unpacking numpy Could not fetch URL https://pypi.python.org/simple/numpy/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm> Will skip URL https://pypi.python.org/simple/numpy/ when looking for download links for numpy Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm> Will skip URL https://pypi.python.org/simple/ when looking for download links for numpy Cannot fetch index base URL https://pypi.python.org/simple/ Could not fetch URL https://pypi.python.org/simple/numpy/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm> Will skip URL https://pypi.python.org/simple/numpy/ when looking for download links for numpy Could not find any downloads that satisfy the requirement numpy No distributions at all found for numpy Storing complete log in /Users/MacBookDemo/.pip/pip.log macbook-macbook-demo-2:~ MacBookDemo$ sudo pip install -U pyyaml nltk Downloading/unpacking pyyaml Could not fetch URL https://pypi.python.org/simple/pyyaml/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm> Will skip URL https://pypi.python.org/simple/pyyaml/ when looking for download links for pyyaml Could not fetch URL https://pypi.python.org/simple/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm> Will skip URL https://pypi.python.org/simple/ when looking for download links for pyyaml Cannot fetch index base URL https://pypi.python.org/simple/ Could not fetch URL https://pypi.python.org/simple/pyyaml/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm> Will skip URL https://pypi.python.org/simple/pyyaml/ when looking for download links for pyyaml Could not find any downloads that satisfy the requirement pyyaml No distributions at all found for pyyaml Storing complete log in /Users/MacBookDemo/.pip/pip.log macbook-macbook-demo-2:~ MacBookDemo$

JacquesBBB commented 11 years ago

I had the same problem with pip on a Beagle Bone Black with

root@beaglebone:~# cat /proc/version Linux version 3.8.13 (koen@rrMBP) (gcc version 4.7.3 20130205 (prerelease) (Linaro GCC 4.7-2013.02-01) ) #1 SMP Mon May 13 08:43:47 CEST 2013

root@beaglebone:~# pip --version pip 1.3.1 from /usr/lib/python2.7/site-packages/pip-1.3.1-py2.7.egg (python 2.7)

pip install pyFirmata Downloading/unpacking pyFirmata Could not fetch URL https://pypi.python.org/simple/pyFirmata/: There was a problem confirming the ssl certificate: <urlopen error [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_C

The problem was solved by downgrading to root@beaglebone:~# pip --version pip 1.2.1 from /usr/lib/python2.7/site-packages/pip-1.2.1-py2.7.egg (python 2.7)

Hope it will be solved in new versions.

Thanks for the help.

Jacques

qwcode commented 11 years ago

@JacquesBBB at this time, there are no plans to make in changes in pip for this. from the description: "there are currently no plans to offer a fix for this other than to recommend people to use a python that is linked to a more recent version of openssl."

yassersouri commented 11 years ago

@qwcode I just downgraded my pip from 1.3.1 to 1.2.1 to fix this issue.

I think it should check my version of openssl linked to python when I install pip.

dannystaple commented 11 years ago

This applies also to FC 17 too - on Linux. I have downgraded to 1.2.1. Perhaps 1.3.1 should no longer be recommended until this is fixed - it afflicts more than one of the boxes I work with.

dstufft commented 11 years ago

Downgrading to pip 1.2 means you're downloading packages with zero authentication and then executing the code inside of them. I hope for your sake your computer is never on a malicious network because it's absolutely trivial for an attacker to pwn your box if you're using 1.2.

If this is affecting boxes you're working with it is imperative that you install using pip 1.3+. Doing otherwise is highly insecure.

dannystaple commented 11 years ago

Which linux distro's and mac sidekick distro's actually have a compliant Python 2.7.x binary in them? I can understand the need for security - but right now it is effectively broken for people who aren't downloading the build tools and recompiling their own python. It may seem lazy not to want to do so - but I've not needed to merely to use pip packaging before.

dstufft commented 11 years ago

It works fine with Homebew Python on OSX and Ubuntu 12.04 LTS. I don't have other distributions handy to take a look to build some compatibility matrix. I don't mean to be dismissive but if the distribution you're using provides a openssl that doesn't work with SSL certs w/ sha1 they are shipping an insecure openssl afaik. Using MD5 digests for SSL certificates are vulnerable to collision attacks.

pypa / pip

SSL digest errors (on OSX and windows) #829