ESET Insiders Jahus 1 Posted March 21, 2020 ESET Insiders Share Posted March 21, 2020 A SSL: CERTIFICATE_VERIFY_FAILED error is thrown to Python programs (like pip) when trying to access Internet. The python -m pip install --upgrade pip, that allows to update pip, or any pip install <package> command throws the same error. Python-dependent programs like streamlink have the same behaviour and need --http-no-ssl-verify or similar flag to function properly. Adding pypi.org and files.pythonhosted.org to trusted hosts as a workaround doesn't work. What's needed is to either disable SSL/TSL protocol filtering or add python.exe and pip.exe to the List of SSL/TLS filtered application with "Ignore" as Scan action. The reason I open this topic is that maybe, there will be a way to conciliate both and make these programs work without an input from the user. But I don't know if the change needs to be done from ESET's side or Python's side. In any situation, I hope this topic will be at least informative and helpful for users who face the same issue. ---------------- Full error from pip.exe WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)'))': /packages/1a/70/1935c770cb3be6e3a8b78ced23d7e0f3b187f5cbfab4749523ed65d7c9b1/requests-2.23.0-py2.py3-none-any.whl Link to comment Share on other sites More sharing options...
itman 1,748 Posted March 21, 2020 Share Posted March 21, 2020 (edited) Most likely related to this. Outside of the browser, Eset uses the Win root CA store for certificate validation. If whatever you are doing Python-wise uses a custom root CA store, something similar to the following needs to be implemented: Quote Additional to this issue: Python requests library on windows use CA bundle instead of Windows Cert Store Since UST package everything in PEX file. CA Bundle located here [User Sync Tool Path]\.pex\install\requests-2.13.0-py2.py3-none-any.whl.59dc5c6338fb72ca09dcf97dda36a7aaa5d6bd0e\requests-2.13.0-py2.py3-none-any.whl\requests\cacert.pem If you have SSL inbound inspection or forward proxy enabled on the firewall. I think you would need to point Python requests CABundle to Firewall CA cert if your firewall CA cert is in DER format. you will need to use this command to convert to pem. openssl x509 -inform DER -in firewallcert.crt -out firewallcert.pem -outform PEM Create environment variable name: REQUESTS_CA_BUNDLE with the path to firewallcert PEM file. https://github.com/adobe-apiplatform/user-sync.py/issues/204 Edited March 21, 2020 by itman Link to comment Share on other sites More sharing options...
Recommended Posts