I propose to clarify the SSL: CERTIFICATE_VERIFY_FAILED error message on macOS to encourage users to install the appropriate certificates rather than just deactivating SSL verification.
The Python installer for macOS does not automatically install the SSL root certificates, and many users don’t notice the message recommending that they run Install Certificates.command. As a result, the SSL: CERTIFICATE_VERIFY_FAILED error is very common.
    import ssl
    ssl._create_default_https_context = ssl._create_unverified_context
or by setting the PYTHONHTTPSVERIFY environment variable to
This is obviously a terrible idea from a security perspective!
I don’t know how many people use SSL without SSL verification, and how many unsafe projects are in production, but judging by how frequently this issue pops up in my repos and in many others, I’d guess quite a lot.
One option would be to make sure that the Python installer installs SSL certificates unless the user opts out. That might be my preferred solution.
But until this happens, we could at the very least improve the error message to encourage the user to install SSL root certificates (e.g., by using pip install certifi), and to strongly recommend not deactivating SSL verification.
What do you think?
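A sketch of what the proposal could look like in practice, added here as an example and not taken from the original post or from CPython: it builds a verifying context from certifi's bundle when available, flags the workarounds mentioned above, and attaches remediation advice to the error. The function names and the hint wording are hypothetical, and the check flags any set `PYTHONHTTPSVERIFY` regardless of its value.

```python
import os
import ssl
import sys

def verified_context():
    """Verifying client context; uses certifi's CA bundle when it is installed."""
    try:
        import certifi
    except ImportError:
        return ssl.create_default_context()
    return ssl.create_default_context(cafile=certifi.where())

def verification_findings(environ=None):
    """List the ways HTTPS verification has been switched off in this process."""
    environ = os.environ if environ is None else environ
    findings = []
    if ssl._create_default_https_context is ssl._create_unverified_context:
        findings.append("ssl._create_default_https_context is the unverified context")
    if "PYTHONHTTPSVERIFY" in environ:
        findings.append("PYTHONHTTPSVERIFY is set in the environment")
    return findings

def hint_for(exc, platform=sys.platform):
    """Return the error text plus remediation advice (hypothetical wording)."""
    if not isinstance(exc, ssl.SSLCertVerificationError):
        return str(exc)
    lines = [str(exc), "Do not disable certificate verification to work around this."]
    if platform == "darwin":
        lines.append("Run 'Install Certificates.command' (shipped with the macOS "
                     "installer), or install root certificates with: pip install certifi")
    else:
        lines.append("Install root certificates, e.g. with: pip install certifi")
    return "\n".join(lines)

if __name__ == "__main__":
    ctx = verified_context()
    print("verifying:", ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)
    for finding in verification_findings():
        print("warning:", finding)
    # Constructed exception standing in for a failed handshake (no network used).
    print(hint_for(ssl.SSLCertVerificationError(1, "certificate verify failed")))
```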