We Keep Coding

Brew Python3.7 install on Mac High OSierra 10.13.6. Help understand openssl install instructions

I am having problems installing python and keep getting openssl errors. So I have reinstalled numerous times and still struggling. I think I am not following the below instructions properly and hope someone can explain what I should do. I have read everything on openssl errors online over the last 3 weeks and am practically at the end of my wits. I will very likely give up learning to program if I can't figure this out.
I am able to install packages using pip3. But get errors if I need to access web pages. Examples of errors I get:
pip3 installed geopy but running below raises a huge error the final part of which I have included below:
import geopy
geocoder=geopy.geocoders.GoogleV3(domain="maps.google.co.uk")
geocoder.geocode('Cambridge', exactly_one=False)
'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)'
I can install pandas and pandas_datareader but running below raises error the final part of which follows the code:
import datetime as dt
import matplotlib.pyplot as plt
from matplotlib import style
import pandas as pd
import pandas_datareader.data as web
style.use('ggplot')
start = dt.datetime(2000,1,1)
end = dt.datetime(2016,12,31)
df = web.DataReader('TSLA', 'yahoo', start, end)
File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 511, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='finance.yahoo.com', port=443): Max retries exceeded with url: /quote/TSLA/history?period1=946699200&period2=1483243199&interval=1d&frequency=1d&filter=history (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1045)')))
So I need to know exactly what steps to take after installing python 3.7 via brew as stated below.
Do I need to add additional certificates and as a result place a .pem file in certs directory? When and why is such an action necessary?
Do I only need to run c_rehash if the answer to question 1 is true?
Do I need to have openssl first in my path?
Do I need compilers to find openssl? Under what circumstances should I set the LDFLAGS and CPPFLAGS as stated?
Do I need pkg-config to find openssl?
Basically, I am a beginner python user and not sure how many of these things are necessary for me if I just want to install packages using pip3 and be able to securely access data and websites online.
$ brew install openssl
Updating Homebrew...
==> Downloading https://homebrew.bintray.com/bottles/openssl-1.0.2p.high_sierra.
Already downloaded: /Users/user/Library/Caches/Homebrew/downloads/f3b0a441f330cc1e6072080557f91b61256c8b0734e8348563d0efcb2af248ce--openssl-1.0.2p.high_sierra.bottle.tar.gz
==> Pouring openssl-1.0.2p.high_sierra.bottle.tar.gz
==> Caveats
A CA file has been bootstrapped using certificates from the SystemRoots
keychain. To add additional certificates (e.g. the certificates added in
the System keychain), place .pem files in
/usr/local/etc/openssl/certs
and run
/usr/local/opt/openssl/bin/c_rehash
openssl is keg-only, which means it was not symlinked into /usr/local,
because Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries.
If you need to have openssl first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile
For compilers to find openssl you may need to set:
export LDFLAGS="-L/usr/local/opt/openssl/lib"
export CPPFLAGS="-I/usr/local/opt/openssl/include"
For pkg-config to find openssl you may need to set:
export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig"
==> Summary
🍺 /usr/local/Cellar/openssl/1.0.2p: 1,793 files, 12.3MB

Package upload to pypi.org broken

I have been trying to workaround the latest changes to pypi for hours, and I can't find a way to do it. My usual method of running python setup.py register; python setup.py bdist_wheel sdist upload currently fails with an SSL error:
(py27_test) [mpenning#mudslide ciscoconfparse]$ python setup.py register; python setup.py bdist_wheel sdist upload
...
Submitting /home/mpenning/ciscoconfparse/dist/ciscoconfparse-1.3.2-py2.py3-none-any.whl to https://upload.pypi.org/legacy/
error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
FWIW twine also fails with SSL errors as well. I tried downloading the SSL PEM certificate for upload.pypi.org, but somehow twine upload --cert ~/.certs/uploadpypiio.pem dist/* also fails with an SSL error:
(py27_test) [mpenning#mudslide ciscoconfparse]$ twine upload --cert ~/.certs/uploadpypiio.pem dist/*
Uploading distributions to https://upload.pypi.org/legacy/
Uploading ciscoconfparse-1.3.2-py2.py3-none-any.whl
SSLError: HTTPSConnectionPool(host='upload.pypi.org', port=443): Max retries exceeded with url: /legacy/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
(py27_test) [mpenning#mudslide ciscoconfparse]$
This problem has happened to me before, but I was able to workaround the problem by manually uploading my source distro and wheel to pypi.org; however, even that method fails too (it worked as recently as Jan 29, 2018). When I try a manual package upload, they seem to have disabled it.
Now it seems like I'm completely stuck with no options to fix this breakage.
Question
Is there some way to manually upload packages to pypi that I've missed somehow? Alternately, if there is some twine magic I've missed, I'm open to hearing it. I'm running Python 2.7.9 on Debian 8.1 in a virtualenv.
I've got:
pip version 9.0.1
setuptools version 38.5.1
twine version 1.9.1

Usually ssl error cause by time error. So synchroinze the time will fix it in most case.

Certificate Verification Failure for youtube-dl

I am trying to get the audio from a YouTube video, using the command:
youtube-dl --extract-audio --audio-format mp3 [video link]
Each time I try to run this command in Terminal on macOS (High Sierra v10.13.2), it gives me this error:
ERROR: Unable to download webpage: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)> (caused by URLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)'),))
Note: I have youtube-dl installed, and also have Python 2.7 and Python 3.6 (if that helps)
If anyone can help me resolve that issue, that would be great.

I've had this issue for a while now and was never able to solve it. So I did the temporary fix of
[ Terminal ]
--no-check-certificate
Sadly, that just turns your HTTPS youtube-dl request into a plain text HTTP request.
After some digging I found that it was a Python v3.6 issue.
https://bugs.python.org/issue29065#msg283984
If you use VIM or any edit to check
vim '/Applications/Python 3.6/ReadMe.rtf'
If you look for ( Certificate verification and OpenSSL\ )
You'll see that ...
During installation of Python v3.6 They decide to use their own private version of OpenSSL, unfortunately that doesn't natively work with the default root certificates. It does however, come with a command script to install a curated bundle of default root certificates.
The bug recommended me to the python certifi module. The modules just seems to be good for finding where your certificate is.
[ Python v3.6 ]
import certifi
certifi.where()
'/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/certifi/cacert.pem'
That really just told where it was, but I did it using the python terminal interpreter just in case.
[ Terminal ]
open '/Applications/Python 3.6/Install Certificates.command'
Me personally this was my terminal response...
[ Terminal ]
-- pip install --upgrade certifi
Requirement already up-to-date: certifi in /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages
-- removing any existing file or link
-- creating symlink to certifi certificate bundle
-- setting permissions
Traceback (most recent call last):
File "", line 44, in
File "", line 40, in main
PermissionError: [Errno 1] Operation not permitted: 'cert.pem'
logout
Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.
[Process completed]
BUT IT WORKED AND I DON'T HAVE TO DEAL WITH THAT SSL VERIFICATION FAILED ANYMORE! (-.-)\ /(-.-)/

I will try to make a proper approach to the problem rather than just listing what works for me. The following does not require the Install Certificates.command script, which may or may not have been installed along with Python.
Source of the problem
It needs to be pointed out that the source of the error is not Python itself. Looking closely to the error message, you can see that Python just communicates the error produced by the OpenSSL library (called by _ssl.c). If the Python you are using has been installed using homebrew, chances are that more network utilities (e.g. wget) installed using homebrew have similar issues.
This means that in order to fix the problem, we need to make sure that the OpenSSL library used by Python has access to a valid, up-to-date certificates bundle.
Locating the right OpenSSL library
As many OpenSSL libraries may be installed on your system, you need to find the one used by your Python interpreter. The OpenSSL library is loaded by the ssl Python module, so we need to locate that first:
pyssld=$(python3 -c 'import ssl, pathlib; print(pathlib.Path(ssl.__file__).parent)')
echo "$pyssld"
This will print out the directory where we should look for the C library used by the ssl to load OpenSSL. This is done with the following command:
pyssl=$(find "$pyssld" -iname '*ssl*.so')
echo "$pyssl"
Finally, we can check where the OpenSSL library loaded by the Python ssl module is located:
pyopenssl=$(otool -L "$pyssl" | grep libssl | awk '{print $1}')
echo "$pyopenssl"
This shall print something like:
/opt/homebrew/opt/openssl#1.1/lib/libssl.1.1.dylib
This points where the OpenSSL library used by Python is located.
Fixing the problem
Acquiring a certificate bundle
To acquire an up to date certificate bundle to use with OpenSSL library, you can install the Python certifi package.
pip3 install --upgrade certifi
cabundle=$(python3 -c 'import certifi; print(certifi.where())')
echo $cabundle
Adding the new certificate bundle to OpenSSL
Finally, we need to place the certificate bundle where OpenSSL can find it. We know the location of the library. But the bundles are stored in a different directory. To jump to the right directory and link the bundle, use:
cd $(echo "$pyopenssl" | sed -E 's%/opt/(openssl[^/]*).*%/etc/\1%')
ln -sf "$cabundle" cert.pem
Cleanup
After checking that everything works, you can now clean up the environment variables we have used.
unset cabundle pyopenssl pyssl pyssld

Pip Install Twisted Error 1

When using pip install Twisted in virtualenv on Mac osx 10.9.4, I get this result:
Command "python setup.py egg_info" failed with error code 1 in /private/var/folders/9r/3b500gbs3093ms87mqqbckr80000gn/T/pip-build-doynftp7/twisted/
I am not sure how to resolve. I used easy_install, but I get a SSL verification issue. Anyone have similar issue? The rest of error message is below.
Collecting twisted
Using cached Twisted-16.6.0.tar.bz2
Complete output from command python setup.py egg_info:
Download error on https://pypi.python.org/simple/incremental/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749) -- Some packages may not be found!
Couldn't find index page for 'incremental' (maybe misspelled?)
Download error on https://pypi.python.org/simple/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749) -- Some packages may not be found!
No local packages or working download links found for incremental>=16.10.1
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/private/var/folders/9r/3b500gbs3093ms87mqqbckr80000gn/T/pip-build-lqvxc68n/twisted/setup.py", line 21, in <module>
setuptools.setup(**_setup["getSetupArgs"]())
File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/distutils/core.py", line 108, in setup
_setup_distribution = dist = klass(attrs)
File "/Users/Complex-Cauchy/1/lib/python3.6/site-packages/setuptools/dist.py", line 317, in __init__
self.fetch_build_eggs(attrs['setup_requires'])
File "/Users/Complex-Cauchy/1/lib/python3.6/site-packages/setuptools/dist.py", line 372, in fetch_build_eggs
replace_conflicting=True,
File "/Users/Complex-Cauchy/1/lib/python3.6/site-packages/pkg_resources/__init__.py", line 851, in resolve
dist = best[req.key] = env.best_match(req, ws, installer)
File "/Users/Complex-Cauchy/1/lib/python3.6/site-packages/pkg_resources/__init__.py", line 1123, in best_match
return self.obtain(req, installer)
File "/Users/Complex-Cauchy/1/lib/python3.6/site-packages/pkg_resources/__init__.py", line 1135, in obtain
return installer(requirement)
File "/Users/Complex-Cauchy/1/lib/python3.6/site-packages/setuptools/dist.py", line 440, in fetch_build_egg
return cmd.easy_install(req)
File "/Users/Complex-Cauchy/1/lib/python3.6/site-packages/setuptools/command/easy_install.py", line 668, in easy_install
raise DistutilsError(msg)
distutils.errors.DistutilsError: Could not find suitable distribution for Requirement.parse('incremental>=16.10.1')
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /private/var/folders/9r/3b500gbs3093ms87mqqbckr80000gn/T/pip-build-lqvxc68n/twisted/
Running openssl s_client -showcerts -connect pypi.python.org:443
returns the following:
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
-----BEGIN CERTIFICATE-----
MIIIWjCCB0KgAwIBAgIQCXCW7BLw16II/CMOsOFe/jANBgkqhkiG9w0BAQsFADB1
..
-----END CERTIFICATE-----
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
....
-----END CERTIFICATE-----
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3524 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: BC7695FF86D2B82B20468A13E3F3E13AE23776B500E64665305EEBAF49BB54D1
Session-ID-ctx:
Master-Key:8D25B34237A3C74E90317D87BA74A2AAF0E8C424FB2ADE3D72E5F234D5E043C4527641290B928B3A22 1BE7D44116CFB1
Key-Arg : None
Start Time: 1487035770
Timeout : 300 (sec)
Verify return code: 0 (ok)

I had the same issue on a Mac OSX 10.11.6 in a new virtualenv with a fresh install of Python3.6.1. In my case, I had old versions of the Twisted dependency incremental installed, which prevented the installation.
pip install --upgrade incremental
pip install Twisted
Note I: I was installing a whole array of packages from a requirements file where the same incremental version was specified. I really wonder why the upgrade of incremental helped and have no clue what actually went wrong. If someone can clarify, that would be great.
Note II: Installing incremental ahead of of Twisted seems to be necessary on fresh installs, too [Experienced when working with CentOS7].
Note III: The issue was communicated to the amazing Twisted community and once Twisted ticket #9457 is implemented and in the release this question and my answer should become obsolete.

The error you reported is incomplete. There are almost certainly more details above it in the pip output. It would help if edit them into your question.
A survey of similar questions:
Python pip install gives "Command "python setup.py egg_info" failed with error code 1"
Can't install via pip because of egg_info error
Python pip install fails: invalid command egg_info
https://github.com/donnemartin/gitsome/issues/4
Suggests that:
You're missing setuptools. Inside a virtualenv (you did activate your virtualenv, right?) this seems implausible.
You're missing part of the C toolchain - a compiler, some necessary headers, etc. Twisted includes C extensions so this seems possible. Do you have a C toolchain?
You're using an incompatible version of Python. What version of Python are you using?
But the additional certificate verification failure errors you've included suggest it's not caused by any of these. Instead, a dependency cannot be downloaded because pip can't do a TLS handshake with the PyPI server it needs to download the dependency from.
This could be caused by many different things. Can your system's browsers load https://pypi.python.org/? If not, perhaps there's something wrong system-wide: you might have outdated certificate authority certificates or there might be a man-in-the-middle attack taking place.
openssl s_client can sometimes be useful for debugging issues like these. Try:
openssl s_client -showcerts -connect pypi.python.org:443
This may give you more details about what's happening at the TLS layer. If openssl s_client also has trouble verifying the certificate, you know there's something wrong system-wide. If not, we can narrow it down to a pip or Python problem.

FWIW I was getting the same bogus error trying to install twisted:
distutils.errors.DistutilsError: Could not find suitable distribution for Requirement.parse('incremental>=16.10.1')
In my case I had accidentally installed an ancient setuptools that was messing up pip. It came from a python setup.py install of a zfec 1.4.22 tarball.
I fixed this by removing that setuptools (rm -rf /usr/local/lib/python2.7/dist-packages/setuptools-0*). This allowed the pip install twisted to work and allowed me to specify a version (twisted==18.9.0). The old setuptools was also causing latest twisted 19 to be installed in some situations.

Try upgrading pip packages.
sudo pip install --upgrade pip
and Twisted has two required dependencies:
Installing a C compiler
Since installing Twisted from source involves compiling C code, on OS X or Windows you’ll need to install a C compiler before you can install Twisted.
Installing zope.interface
When installing from source, before you can use Twisted, you’ll also need to install zope.interface, which you can download from the Twisted home page.
And install it with your steps or follow this link

I had a similar problem when installing Twisted on my MacBook, after trying many different ways, I successfully install Twisted using conda.
You can try it, using either Anaconda or miniconda.
https://conda.io/docs/download.html
https://stackoverflow.com/a/20994790/1294704

Python requests throwing SSL errors

This is a followup to SSLError using requests for python:
I have just installed requests on a Mac OSX 10.8.5. My first attempt at doing requests.get failed on missing certificate:
SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The thread above says to look for /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/re‌​quests/cacert.pem but actually I don't even have a .../site-packages/requests directory. It's not clear to me if this should have been added by the installation (I used pip)
Further threads and the requests docs say to install certifi, so I did. But now I get a different error:
python -c 'import requests; requests.get("https://api.github.com/events")' /usr/lib/anaconda/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Traceback (most recent call last):
...
File "/usr/lib/anaconda/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
Thanks!

Notice that you're using HTTPS. As mentioned in the Requests manual
To check a host’s SSL certificate, you can use the verify argument [...] By default, verify is set to True
Here are few ways to fix that:
Update OpenSSL (probably will solve your problem)
Taken from here:
If you encounter one of the following errors:
error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown message digest algorithm
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
The software you are using might be compiled with a version too old of OpenSSL that does not take certificates signed with sha256WithRSAEncryption into account.
It requires at least OpenSSL 0.9.8o for a total management of SHA256. OpenSSl 0.9.7m only assures a partial management, for server
mode only.
Check your openssl version by
openssl version
OpenSSL 1.0.1k-fips 8 Jan 2015
If you have a smaller version than OpenSSL0.9.8o, you have to update its version (OS X):
brew update
brew install openssl
brew link --force openssl
If that doesn't work, try this way:
brew uninstall openssl
rm -rf /usr/local/openssl
brew install openssl
there's an issue with openssl installed before OS X 10.10.3 and reinstalling it fixes it
these command lines will uninstall openssl, remove its folder from your hard-disk and install it again (the updated version)
Install certifi
Taken from here
By default Requests bundles a set of root CAs that it trusts, sourced
from the Mozilla trust store. However, these are only updated once for
each Requests version. This means that if you pin a Requests version
your certificates can become extremely out of date.
From Requests version 2.4.0 onwards, Requests will attempt to use
certificates from certifi if it is present on the system. This allows
for users to update their trusted certificates without having to
change the code that runs on their system.
For the sake of security we recommend upgrading certifi frequently!
In other word, try to install certifi, if you have Request 2.4.0 or newer:
pip install certifi
Hopefully, this will fix the problem.
Use different version of OpenSSL and Requests
Looking into it using Google, I have found that there is a problem with OpenSSL in Python 2:
https://github.com/docker/docker-py/issues/465#issuecomment-76520363
https://github.com/Homebrew/homebrew/issues/38226
https://github.com/docker/compose/issues/1484
However, I am using Python 2.7.6, Requests 2.2.1 and OpenSSL 1.0.1f 6 Jan 2014 and everything runs correctly.
Pass the certificate
In other cases, you may need to tell requests.get the path to the certificate file, if the host's certificate was signed by you.
requests.get("https://api.github.com/events", verify=True, cert=['/path/to/my/ca.crt'])
Set the verify argument to False (NOT RECOMMENDED!)
In case you want to avoid the certificate verification, you have to pass verify=False to the request.get method.
python -c 'import requests; requests.get("https://api.github.com/events", verify=False)'
or from script.py file:
import requests
res = requests.get("https://api.github.com/events", verify=False)
print res
terminal:
$ python script.py
<Response [200]>
Important: Very bad idea; You can be MITM attacked, which is a critical security vulnerability.