Recommended install method fails with SSL: CERTIFICATE_VERIFY_FAILED

[gonvaled]

• I am on the latest Poetry version.

• I have searched the issues of this repo and believe that this is not a duplicate.

• If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).

• OS version and name: Linux Mint 19 Tara

• Poetry version: not possible to install

• Link of a Gist with the contents of your pyproject.toml file: no pyproject.toml

Issue

curl -sSL https://raw.githubusercontent.com/sdispater/poetry/master/get-poetry.py | python
Retrieving Poetry metadata
Traceback (most recent call last):
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 1318, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/http/client.py", line 1400, in connect
    server_hostname=server_hostname)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 859, in <module>
  File "<stdin>", line 855, in main
  File "<stdin>", line 318, in run
  File "<stdin>", line 351, in get_version
  File "<stdin>", line 819, in _get
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 544, in _open
    '_open', req)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 1361, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/home/damane/.pyenv/versions/3.6.5/lib/python3.6/urllib/request.py", line 1320, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:833)>

[sdispater]

This is not an Poetry's end. You most likely have an issue with your certificates.

Basically, the installer only make requests to https://pypi.org and https://github.com so the likelihood of their certificates being invalid is minimal.

Now since it crashes at Retrieving Poetry metadata, the error happens when contacting https://pypi.org.

At this point I am not sure what the solution is. Check your certificates and see if it fixes this.

[cjw296]

Sounds a lot like #449.
@gonvaled - what OS are you on?

[gonvaled]

@cjw296

Sounds a lot like #449.
@gonvaled - what OS are you on?

As mentioned in the report, Linux Mint 19 Tara (based on Ubuntu Bionic 18.04)

[gonvaled]

@sdispater

This is not an Poetry's end. You most likely have an issue with your certificates.

Basically, the installer only make requests to https://pypi.org and https://github.com so the likelihood of their certificates being invalid is minimal.

Now since it crashes at Retrieving Poetry metadata, the error happens when contacting https://pypi.org.

At this point I am not sure what the solution is. Check your certificates and see if it fixes this.

You could be right, but what makes me suspicious of the installer is the following:

• I have no problems whatsoever with certificates when using other tools
• I am able to install poetry with pipx install poetry
• I am able to install poetry with pip install --user poetry

[gonvaled]

@sdispater Just out of curiosity:

1. Why do you recommend installing poetry with its custom installer?
2. Why is a pip install --user poetry not enough, as it is for other tools?

One of the reasons seems to be to allow poetry to update itself via poetry self:update, but I do not see why a pip install --upgrade poetry would not be good enough.

Maybe a line about this in the readme would clarify things.

[sdispater]

@gonvaled There are a few reasons:

• The installer installs Poetry in such a way that it is completely isolated from the rest of the system (vendored dependencies). That way its dependencies are fixed and there is no risk of dependencies being removed or updated by the installation of another tool.
• If you install it via pip, Poetry will only be aware of the Python executable it has been installed for and as such will not be able to pick up the proper python version set by a tool liek pyenv.

[sdispater]

@gonvaled And the installer does not do anything in particular and only uses the standard library. Note that pip bundles certifi (https://github.com/pypa/pip/tree/master/src/pip/_vendor/certifi) which explains the absence of certificate errors.

So, there was an issue when compiling your Python version with pyenv which most likely linked against the wrong libssl version. However, I could not reproduce on a fresh install of Ubuntu 18.04.

[cjw296]

@sdispater - I'm afraid this is why I dislike pyenv's choice to try and compile python from source everywhere, that can be hard to get right, and someone else has normally already done it so you don't have to...

[joshfriend]

@cjw296 it's not really a choice, official CPython does not distribute binaries for anything but macOS (and windows also I guess but pyenv doesn't really support windows). Package managers on the platforms also don't let you ask for a very specific version like "3.7.0", you just get whatever latest version they have.

PyPy and Anaconda do ship binaries, and pyenv does use those.

[cjw296]

Why do you need very specific versions? Most OS vendors are good at backporting patches and bad at updating the version number ;-)

How do I teach pyenv about what conda python versions I have installed?

[brycedrennan]

Closing old issue that likely isn't related to poetry.

[hoshsadiq]

I'm having the same issue when trying to run the poetry installer. I'm not sure what else it would or even could be.

I've exported REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt, pip install works, pipenv works, other python applications that rely on ca certs work except for this installer. Any chance this can be reopened and looked further?

[giokara]

I was able to bypass the certification by generating a new SSL context and passing it in every urlopen call of the script. IMHO it means that some URLs in the script have invalid certificates and should be fixed.

[unmade]

On macOS I had to create a symlink from OS certificates to python:

ln -s /etc/ssl/* /Library/Frameworks/Python.framework/Versions/3.9/etc/openssl

[cfuzimeli]

ln -s /etc/ssl/* /Library/Frameworks/Python.framework/Versions/3.9/etc/openssl

Worked for me! Thanks @unmade !

[callebtc]

I installed python via homebrew (macbook M1) and had to

ln -fs /etc/ssl/* /opt/homebrew/etc/openssl@1.1

You might have to change the openssl@1.1 part according to what you have in that directory.

[danibachini]

what worked for me on MacOS:

• go to Applications > Python folder > double click on "Install Certificates.command" file

[Roald87]

Error

> (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | python -
Retrieving Poetry metadata
Traceback (most recent call last):
  File "C:\Users\roald\miniconda3\lib\urllib\request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "C:\Users\roald\miniconda3\lib\http\client.py", line 1253, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Users\roald\miniconda3\lib\http\client.py", line 1299, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Users\roald\miniconda3\lib\http\client.py", line 1248, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Users\roald\miniconda3\lib\http\client.py", line 1008, in _send_output
    self.send(msg)
  File "C:\Users\roald\miniconda3\lib\http\client.py", line 948, in send
    self.connect()
  File "C:\Users\roald\miniconda3\lib\http\client.py", line 1422, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "C:\Users\roald\miniconda3\lib\ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Users\roald\miniconda3\lib\ssl.py", line 1040, in _create
    self.do_handshake()
  File "C:\Users\roald\miniconda3\lib\ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 940, in <module>
  File "<stdin>", line 919, in main
  File "<stdin>", line 516, in run
  File "<stdin>", line 775, in get_version
  File "<stdin>", line 836, in _get
  File "C:\Users\roald\miniconda3\lib\urllib\request.py", line 214, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Users\roald\miniconda3\lib\urllib\request.py", line 517, in open
    response = self._open(req, data)
  File "C:\Users\roald\miniconda3\lib\urllib\request.py", line 534, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "C:\Users\roald\miniconda3\lib\urllib\request.py", line 494, in _call_chain
    result = func(*args)
  File "C:\Users\roald\miniconda3\lib\urllib\request.py", line 1389, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "C:\Users\roald\miniconda3\lib\urllib\request.py", line 1349, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)>

Solution windows

What worked for me on Windows 10 was:

1. Download the install script manually and save it somewhere, for example as install_poetry.py.
2. Add import certifi between the imports
3. Add these two lines (source):

   if __name__ == "__main__":
   +    os.environ["REQUESTS_CA_BUNDLE"] = certifi.where()
   +    os.environ["SSL_CERT_FILE"] = certifi.where()
       sys.exit(main())

4. Install poetry

• > python .\install_poetry.py

[neersighted]

I'm going to lock this issue as it has gotten quite noisy and everything explored in the last several years is local configuration issues and not Poetry specific. The installer originally discussed is long deprecated and the replacement is a separate project.

If you have issues with TLS during install, Poetry is not in the loop. Feel free to join Discord and Discussions for assistance, but as the issue is not Poetry-specific generic resources are likely more helpful.

If anyone wants to work on a FAQ for the truly common TLS issues during install, feel free to open an issue to track that ask or send a PR.