
Python programs not functioning because of SSL/TLS protocol filtering (SSL: CERTIFICATE_VERIFY_FAILED)


An SSL: CERTIFICATE_VERIFY_FAILED error is thrown in Python programs (like pip) when they try to access the Internet.

The python -m pip install --upgrade pip command, which updates pip, or any pip install <package> command throws the same error.

Python-dependent programs like streamlink have the same behaviour and need --http-no-ssl-verify or similar flag to function properly.

Adding pypi.org and files.pythonhosted.org to trusted hosts as a workaround doesn't work. What's needed is to either disable SSL/TLS protocol filtering or add python.exe and pip.exe to the List of SSL/TLS filtered applications with "Ignore" as the Scan action.

The reason I opened this topic is that maybe there is a way to reconcile both and make these programs work without input from the user. But I don't know whether the change needs to be made on ESET's side or Python's side. In any case, I hope this topic will be at least informative and helpful for users who face the same issue.


Full error from pip.exe

WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)'))': /packages/1a/70/1935c770cb3be6e3a8b78ced23d7e0f3b187f5cbfab4749523ed65d7c9b1/requests-2.23.0-py2.py3-none-any.whl


Posted (edited)

Most likely related to this. Outside of the browser, ESET uses the Win root CA store for certificate validation. If whatever you are doing Python-wise uses a custom root CA store, something similar to the following needs to be implemented:


Additional to this issue:

The Python requests library on Windows uses a CA bundle instead of the Windows Cert Store.

Since UST packages everything in a PEX file, the CA bundle is located here:

[User Sync Tool Path]\.pex\install\requests-2.13.0-py2.py3-none-any.whl.59dc5c6338fb72ca09dcf97dda36a7aaa5d6bd0e\requests-2.13.0-py2.py3-none-any.whl\requests\cacert.pem

If you have SSL inbound inspection or a forward proxy enabled on the firewall, I think you would need to point the Python requests CA bundle to the firewall CA cert.

If your firewall CA cert is in DER format, you will need to use this command to convert it to PEM:

openssl x509 -inform DER -in firewallcert.crt -out firewallcert.pem -outform PEM

Create an environment variable named REQUESTS_CA_BUNDLE with the path to the firewallcert PEM file.


Edited by itman
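
An added example, not code from this thread or from ESET, Requests or pip: instead of turning verification off, it takes an exported filtering root certificate in DER or PEM form, appends it once to a copy of the CA bundle Python already uses, and produces a file that REQUESTS_CA_BUNDLE can point at. The file names and the placeholder bytes in demo() are constructed stand-ins; real input would be the exported root certificate and the path to cacert.pem.

```python
import hashlib, os, re, ssl, tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    """DER bytes of every certificate block found in a PEM bundle."""
    return [ssl.PEM_cert_to_DER_cert(b) for b in PEM_BLOCK.findall(text)]

def load_ca_as_der(path):
    """Read an exported root certificate in either PEM or DER encoding."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if b"-----BEGIN CERTIFICATE-----" not in raw:
        return raw  # binary export, already DER
    ders = pem_to_ders(raw.decode("ascii"))
    if len(ders) != 1:
        raise ValueError("expected exactly one certificate in " + path)
    return ders[0]

def build_bundle(base_bundle, inspection_ca, out_path):
    """Copy base_bundle to out_path, appending inspection_ca unless it is
    already there (compared by SHA-256 of the DER). True if appended."""
    with open(base_bundle, encoding="utf-8") as fh:
        base_text = fh.read()
    known = {hashlib.sha256(d).digest() for d in pem_to_ders(base_text)}
    ca_der = load_ca_as_der(inspection_ca)
    append = hashlib.sha256(ca_der).digest() not in known
    with open(out_path, "w", encoding="utf-8") as out:
        out.write(base_text.rstrip("\n") + "\n")
        if append:
            out.write(ssl.DER_cert_to_PEM_cert(ca_der))
    return append

def demo():
    """Constructed placeholder bytes, not real certificates."""
    tmp = tempfile.mkdtemp()
    base, ca, out = (os.path.join(tmp, n) for n in
                     ("cacert.pem", "filter-root.crt", "combined.pem"))
    with open(base, "w", encoding="utf-8") as fh:
        fh.write("# roots\n" + ssl.DER_cert_to_PEM_cert(b"PUBLIC-ROOT-PLACEHOLDER"))
    with open(ca, "wb") as fh:
        fh.write(b"FILTER-ROOT-PLACEHOLDER")
    first = build_bundle(base, ca, out)    # appended
    second = build_bundle(out, ca, out)    # already present, not repeated
    with open(out, encoding="utf-8") as fh:
        return first, second, len(pem_to_ders(fh.read())), out

if __name__ == "__main__":
    print(demo())
```

With REQUESTS_CA_BUNDLE set to the combined file, certificate verification stays enabled and the public roots remain trusted alongside the filtering root.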
