← Back to DevBytes

Fix 'pip install fails' with SSL Certificate Error

What is the SSL Certificate Error in pip?

When you run pip install and encounter an SSL certificate error, pip is telling you that it cannot verify the identity of the Python Package Index (PyPI) server or the package repository you are trying to connect to. This verification is performed using SSL/TLS certificates, which are part of the secure HTTPS protocol that pip uses by default to download packages.

The error occurs because the certificate chain presented by the server cannot be validated against the Certificate Authority (CA) bundle that pip (and the underlying urllib3 or requests library) uses to establish trust. Without a valid certificate chain, pip refuses to proceed with the download to protect you from potential man-in-the-middle attacks.

Typical Error Messages You'll See

Depending on your Python version, operating system, and the exact nature of the failure, you may encounter one of these variations:

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)
pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
Could not fetch URL https://pypi.org/simple/pip/: 
There was a problem confirming the ssl certificate: 
HTTPSConnectionPool(host='pypi.org', port=443): 
Max retries exceeded with url: /simple/pip/ 
(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)')))

Root Causes of SSL Certificate Failures

Why Fixing This Matters

🚀 Deploy your AI agent in 10 minutes

Managed Hermes hosting. Zero DevOps. 100M tokens/mo included.

Try it free →

SSL certificate verification is not just an annoying roadblock — it is a critical security feature. When pip verifies certificates, it ensures that:

Simply disabling SSL verification globally (e.g., with --trusted-host or environment variables) exposes you to significant risk. The goal is to fix the root cause so that verification works correctly while maintaining security. Every professional Python developer should understand how to resolve these errors properly rather than resorting to insecure workarounds.

How to Fix pip SSL Certificate Errors

Below are comprehensive solutions, ordered from most recommended to least secure. Apply the solution that matches your specific root cause.

Solution 1: Upgrade pip, setuptools, and certifi

The simplest fix in many cases is upgrading pip itself and its certificate dependencies. An outdated pip may carry an expired CA bundle inside its vendored certifi library.

# First, try upgrading pip using the built-in bootstrap mechanism
python -m pip install --upgrade pip --no-build-isolation

# Then upgrade setuptools and wheel
python -m pip install --upgrade setuptools wheel

# Finally, upgrade certifi (the certificate bundle package)
python -m pip install --upgrade certifi

If pip itself refuses to connect due to SSL, you can use the get-pip.py bootstrap script with a temporary insecure flag:

# Download get-pip.py using curl (bypassing Python's SSL check temporarily)
curl -O https://bootstrap.pypa.io/get-pip.py

# Install pip using the downloaded script, which will then have the latest CA bundle
python get-pip.py

# Now upgrade normally
python -m pip install --upgrade pip certifi

Solution 2: Install Missing CA Certificates (Linux / macOS)

On minimal Linux installations (Debian/Ubuntu minimal, Alpine, Docker slim images) or older macOS systems, the operating system CA certificate store may be missing or not linked to Python.

Debian / Ubuntu:

# Install the ca-certificates package
sudo apt-get update
sudo apt-get install -y ca-certificates

# Verify the CA bundle exists
ls -la /etc/ssl/certs/ca-certificates.crt

CentOS / RHEL / Fedora:

# Install the CA certificate bundle
sudo yum install -y ca-certificates
# or on newer Fedora:
sudo dnf install -y ca-certificates

# Update the certificate trust store
sudo update-ca-trust

Alpine Linux (Docker containers):

# Alpine uses apk and a slightly different package
apk add --no-cache ca-certificates

# If Python still can't find them, symlink the bundle
ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/cert.pem

macOS:

# For Python installed via the official installer from python.org,
# run the "Install Certificates" script bundled in the Python application folder
/Applications/Python\ 3.x/Install\ Certificates.command
# Replace "3.x" with your Python version, e.g., 3.11

# For Homebrew-installed Python, ensure OpenSSL is linked:
brew install openssl
brew reinstall python@3.11

Solution 3: Configure pip with the Correct Certificate Bundle Path

If the CA certificates are installed but Python or pip cannot locate them, you can explicitly point pip to the certificate bundle using its configuration file.

# Locate the CA bundle on your system (common locations)
# Linux:
#   /etc/ssl/certs/ca-certificates.crt
#   /etc/pki/tls/certs/ca-bundle.crt
# macOS:
#   /etc/ssl/cert.pem (after running Install Certificates.command)

# Set the certificate path in pip's configuration
pip config set global.cert /etc/ssl/certs/ca-certificates.crt

# Or manually edit/create pip.conf (Linux: ~/.config/pip/pip.conf, macOS: ~/Library/Application Support/pip/pip.conf)
# Add the following:
[global]
cert = /etc/ssl/certs/ca-certificates.crt

You can also pass the certificate path directly on the command line for a one-off fix:

pip install --cert /etc/ssl/certs/ca-certificates.crt package-name

Solution 4: Use pip's Trusted Host Option (Temporary / Controlled Environments)

This approach tells pip to skip SSL certificate verification for specific hosts. It should only be used temporarily or in fully trusted, isolated environments (such as air-gapped internal networks).

# Install a package skipping SSL verification for pypi.org
pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org package-name

# Or set it permanently in pip.conf (use with extreme caution)
[global]
trusted-host = pypi.org
               pypi.python.org
               files.pythonhosted.org

Warning: This completely disables SSL verification for those hosts. Anyone able to intercept your network traffic could serve you malicious packages. Only use this in sandboxed environments.

Solution 5: Set SSL Environment Variables for Python

Python's SSL module respects several environment variables that can help you control certificate behavior:

# Point Python to the correct CA bundle
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# On macOS with the certifi package, you can use:
export SSL_CERT_FILE=$(python -m certifi)

# To make these permanent, add them to your shell profile (~/.bashrc, ~/.zshrc):
echo 'export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt' >> ~/.bashrc
echo 'export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> ~/.bashrc
source ~/.bashrc

You can verify Python's SSL configuration with a quick script:

# Check which CA bundle Python is using
python -c "import certifi; print(certifi.where())"

# Test an HTTPS connection
python -c "import urllib.request; print(urllib.request.urlopen('https://pypi.org').read()[:100])"

Solution 6: Add a Corporate / Self-Signed Certificate to the Trust Store

In enterprise environments, your organization may operate a TLS inspection proxy that issues its own certificate. You need to add that corporate CA certificate to the trust store that Python uses.

# Step 1: Obtain the corporate CA certificate (usually a .pem or .crt file)
# Your IT department typically provides this — save it as corporate-ca.pem

# Step 2: Append it to the existing CA bundle
# Option A: Append to system bundle
sudo cat corporate-ca.pem >> /etc/ssl/certs/ca-certificates.crt

# Option B: Create a combined bundle and point pip at it
cat /etc/ssl/certs/ca-certificates.crt corporate-ca.pem > ~/combined-ca-bundle.pem
pip config set global.cert ~/combined-ca-bundle.pem

# Step 3: Verify it works
python -c "import urllib.request; print(urllib.request.urlopen('https://pypi.org').read()[:50])"

For Python environments using the certifi package, you can append to certifi's bundle:

# Find certifi's bundle location
CERTIFI_BUNDLE=$(python -c "import certifi; print(certifi.where())")

# Append your corporate CA
sudo cat corporate-ca.pem >> "$CERTIFI_BUNDLE"

# Set the environment variable so all tools pick it up
export SSL_CERT_FILE="$CERTIFI_BUNDLE"

Best Practices to Prevent SSL Certificate Issues

Conclusion

SSL certificate errors when running pip install are a common but entirely solvable problem. The root cause almost always boils down to Python being unable to locate or trust the Certificate Authority bundle it needs to verify PyPI's identity. By systematically working through the solutions above — starting with simple upgrades, moving through system certificate installation, and only resorting to less secure options in controlled environments — you can restore secure package installation without compromising your development workflow. Remember that each solution targets a specific root cause: outdated pip, missing system certificates, corporate proxies, or misconfigured paths. Diagnose first, then apply the fix that matches your situation. Keeping your Python toolchain updated and your system's certificate store healthy will prevent most of these errors from occurring in the first place.

🚀 Need a reliable AI agent for your project?

Deploy Hermes Agent in 10 minutes. Managed hosting, zero DevOps.

Get Started — $23.99/mo
← Back to all articles