Articles

Fix pip SSL Certificate Verification Errors (2026)

April 18, 2026 4 min read

The pip client is failing to connect to package repositories due to its inability to verify the SSL certificate presented by the server.

This is almost always caused by one of the following:

  1. Outdated pip version: Older versions of pip might not have the latest root certificates or might use older, less secure TLS versions that are no longer supported by repositories.

    • Diagnosis: Run pip --version. If it’s older than 20.0, this is a prime suspect.
    • Fix: Upgrade pip itself.
      python -m pip install --upgrade pip
      This works because the new pip binary will include updated certificate bundles and support for modern TLS protocols.

  2. System-level certificate store issues: Your operating system or Python installation might have a corrupted or incomplete CA (Certificate Authority) bundle. pip often relies on these system-level certificates.

    • Diagnosis: Try installing a known-good, simple package directly. If that fails with the same SSL error, it points to the system store. You can also try openssl s_client -connect pypi.org:443 -showcerts to see what certificates your system is presenting.
    • Fix: Reinstalling Python or updating your OS’s CA certificates can resolve this. On Debian/Ubuntu: sudo apt-get update && sudo apt-get install --reinstall ca-certificates. On macOS with Homebrew: brew update && brew upgrade ca-certificates. For Python installed via pyenv, you might need to recompile Python after updating system CAs. This fixes it by ensuring pip has access to a trusted, complete set of root certificates.

  3. Network proxy or firewall interference: Corporate proxies or firewalls that perform SSL inspection (man-in-the-middle) can break pip’s certificate verification if they present their own certificate that pip doesn’t trust.

    • Diagnosis: If you’re on a corporate network, this is highly likely. Try from a different network (e.g., home Wi-Fi, mobile hotspot) to confirm.
    • Fix: You can tell pip to trust a specific CA certificate provided by your proxy.
      pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org <package_name>
      If your proxy uses its own certificate, you can point pip to it:
      pip install --cert /path/to/your/proxy.crt <package_name>
      The --trusted-host flag bypasses verification for the specified hosts, and --cert explicitly tells pip which certificate to trust, allowing it to establish a secure connection through the proxy.

  4. Incorrect PIP_CERT environment variable: If you’ve previously set PIP_CERT to a specific certificate file or directory, and that file is now missing, incorrect, or outdated, pip will fail.

    • Diagnosis: Check your environment variables.
      echo $PIP_CERT
    • Fix: Unset the variable or point it to the correct certificate file.
      unset PIP_CERT # On Linux/macOS
# or
set PIP_CERT= # On Windows CMD
$env:PIP_CERT=$null # On PowerShell
      Or, if you intend to use a specific certificate:
      export PIP_CERT=/path/to/your/correct/certificate.pem
      This fixes it by either removing the incorrect instruction or providing pip with the correct certificate file it needs for verification.

  5. ssl_no_verify option in pip.conf: Similar to the environment variable, an explicit configuration in pip.conf might be causing issues.

    • Diagnosis: Check your pip.conf file. Common locations are ~/.config/pip/pip.conf or ~/.pip/pip.conf. Look for ssl_no_verify = true or a cert = directive that is no longer valid.
    • Fix: Remove or comment out the problematic line. For example, if you find ssl_no_verify = true, change it to # ssl_no_verify = true or delete the line. If there’s a cert = line, ensure the path is correct or remove it if you want pip to use the default system store. This corrects pip’s behavior by stopping it from ignoring SSL verification or by pointing it to the correct certificate if one was specified.

  6. Time synchronization issues: If your system clock is significantly out of sync with the current time, certificates that are valid for a specific date range will appear expired or not yet valid.

    • Diagnosis: Check your system’s date and time.
      date
    • Fix: Synchronize your system clock with an NTP server. On most Linux systems:
      sudo systemctl start systemd-timesyncd
sudo systemctl enable systemd-timesyncd
      Or manually set the time if necessary. This ensures that certificate validity periods are evaluated correctly against the current time.

After resolving these, the next error you’ll likely encounter is a FileNotFoundError if you try to install a package that has been removed from PyPI.

Want structured learning?

Take the full Pip course →