
python SSL certificate validation fails on some distribution commands

I'm trying to upload a Python file to PyPi via twine upload <file> but I get an SSL error:

C:\pypubsub>twine upload dist\PyPubSub-4.0.0rc1-py3-none-any.whl
Uploading distributions to https://upload.pypi.org/legacy/
Uploading PyPubSub-4.0.0rc1-py3-none-any.whl
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

Other Python scripts that use SSL have the same problem, for example

  • with python setup.py bdist_wheel upload <my_package>
  • with pip install <any_package>; but there I can add --trusted-host pypi.python.org to any pip install command and the installation and downloading of dependencies will succeed

This happens on my corporate laptop whether at home or work, but it doesn't happen on my personal laptop.

To get around this, I basically tried an SO answer to a similar problem (i.e. export the certificate that twine is trying to validate -- presumably that of pypi.python.org -- and then tell twine to use it):

  1. From Chrome, I went to https://pypi.pythong.org, clicked the lock next to the URL, then Details, View Certificate, Details, Copy to File. This generated a .CER file.
  2. I used SSL Converter to convert the .CER file from DER format to PEM format. This created a .CRT file.
  3. I ran twine as twine upload <my_package> --cert <path to CRT file>; this time the SSL error was SSLError: [SSL] PEM lib (_ssl.c:2846).

I then tried opting out of server certificate validation by patching c:\Python35\lib\ssl.py as described in Opting Out: I replaced the line _create_default_https_context = create_default_context with _create_default_https_context = _create_unverified_context. Re-running the twine command failed again with the original CERTIFICATE_VERIFY_FAILED error.

I'm not all that familiar with certificates, so I'm at a loss as to what else to try.

Oliver asked Oct 11 '16 05:10


1 Answer

You can pass a --cert flag to tell twine which certificate to use.

twine upload dist\PyPubSub-4.0.0rc1-py3-none-any.whl --cert <path-to-.pem-file>

To convert a .cer to a .pem file, do the following.

openssl x509 -inform der -in certificate.cer -out certificate.pem

The --cert flag is essential for one who uses custom ssl certs. If you're using a corporate network, the above fix should sort you out. Ask your admin for the ssl certs :)

Karanja Denis answered Sep 30 '22 16:09
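
Added example, not part of the original answer: a standard-library Python equivalent of the openssl conversion above that also checks that Python's ssl module can load the result before it is passed to twine --cert. The function names and command-line paths are illustrative, and only single-certificate exports are handled.

```python
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def normalize_to_pem(raw: bytes) -> str:
    """Return clean PEM text for a single-certificate export (DER or PEM).

    Raises ValueError if the bytes are neither.
    """
    if PEM_HEADER in raw:
        # "Base-64 encoded X.509" export: validate the armor and base64 body,
        # then re-wrap so line endings and stray whitespace are normalized.
        der = ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    elif raw[:1] == b"\x30":
        # "DER encoded binary X.509" export: DER begins with an ASN.1
        # SEQUENCE tag (0x30) and must be converted before use as a PEM file.
        der = raw
    else:
        raise ValueError("not a DER or PEM certificate export")
    return ssl.DER_cert_to_PEM_cert(der)


def loads_as_ca(pem_text: str) -> bool:
    """True if Python's ssl module accepts the PEM text as a trust anchor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem_text)
    except (ssl.SSLError, ValueError):
        return False
    return True


def convert_file(src: str, dst: str) -> bool:
    """Write src (DER or PEM) to dst as PEM; report whether ssl can load it."""
    with open(src, "rb") as fh:
        pem = normalize_to_pem(fh.read())
    with open(dst, "w", newline="\n") as fh:
        fh.write(pem)
    return loads_as_ca(pem)


if __name__ == "__main__" and len(sys.argv) == 3:
    # Illustrative usage: python cert_to_pem.py certificate.cer certificate.pem
    ok = convert_file(sys.argv[1], sys.argv[2])
    print("loadable by ssl" if ok else "written, but ssl could not parse it")
```

On a network that intercepts TLS, the file that makes verification succeed is the organization's root CA certificate, which is why the answer suggests getting it from your admin.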