I propose to clarify the SSL: CERTIFICATE_VERIFY_FAILED error message on macOS to encourage users to install the appropriate certificates rather than just deactivating SSL verification.
The Python installer for macOS does not automatically install the SSL root certificates, and many users don't notice the message recommending that they run Install Certificates.command. As a result, the SSL: CERTIFICATE_VERIFY_FAILED error is very common.
Sadly, a very popular “solution” found online (here or there, for example) is to simply deactivate SSL verification, typically by running:
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
or by setting the PYTHONHTTPSVERIFY environment variable to 0.
This is obviously a terrible idea from a security perspective!
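To make the contrast concrete, here is an added example (my own code, not part of the original post or of CPython) that puts the unverified "fix" next to the verifying default, shows what a context with no CA store loaded looks like (the macOS symptom), and wraps the verification error with the kind of guidance the post is asking for. The helper names, the INSTALL_HINT text and the "/Applications/Python 3.x/Install Certificates.command" path are my assumptions; certifi is optional and is only used if it happens to be installed.

```python
"""Added example: keep TLS verification on, and give a useful hint when
CERTIFICATE_VERIFY_FAILED is caused by a missing root-CA store.

Assumptions (not from the original post): helper names, the hint text and
the Install Certificates.command path below are illustrative.
"""
import ssl
import urllib.request

try:
    import certifi  # `pip install certifi` ships Mozilla's CA bundle
except ImportError:  # assumption: certifi may not be installed
    certifi = None

# Assumed wording for an improved error message; the "3.x" path is a placeholder.
INSTALL_HINT = (
    "TLS certificate verification failed: no trusted root CA matched the "
    "server chain. Do NOT disable verification. Install root certificates "
    "instead: run '/Applications/Python 3.x/Install Certificates.command' "
    "(macOS installer), or `pip install certifi` and pass "
    "cafile=certifi.where() to ssl.create_default_context()."
)


def verified_context(cafile=None):
    """The correct fix: a verifying context, optionally backed by certifi.

    create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True, so both the chain and the hostname are checked.
    """
    if cafile is None and certifi is not None:
        cafile = certifi.where()
    return ssl.create_default_context(cafile=cafile)


def unverified_context():
    """The popular 'fix' from the post: no chain validation, no hostname check.

    Any MITM with any certificate is accepted. Shown only for comparison.
    """
    return ssl._create_unverified_context()


def empty_context():
    """A verifying context with no CA store loaded at all.

    This reproduces the macOS situation: verification is ON, but there is
    nothing to verify against, so every handshake fails with
    CERTIFICATE_VERIFY_FAILED.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, no CAs


def diagnose(ctx):
    """Classify a context: 'unverified', 'no-ca-store', or 'ok'."""
    if ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname:
        return "unverified"
    if not ctx.get_ca_certs():
        return "no-ca-store"
    return "ok"


def explain_verify_error(exc):
    """Return the original error text plus install guidance (never a
    suggestion to turn verification off)."""
    if isinstance(exc, ssl.SSLCertVerificationError) or \
            "CERTIFICATE_VERIFY_FAILED" in str(exc):
        return f"{exc}\n{INSTALL_HINT}"
    return str(exc)


def fetch(url, ctx=None):
    """GET `url` with a verifying context; re-raise verify failures with the
    improved message instead of silently weakening the context."""
    ctx = ctx or verified_context()
    try:
        with urllib.request.urlopen(url, context=ctx) as resp:
            return resp.status
    except ssl.SSLCertVerificationError as exc:
        raise ssl.SSLError(explain_verify_error(exc)) from exc


if __name__ == "__main__":
    for name, ctx in [("default", verified_context()),
                      ("unverified", unverified_context()),
                      ("empty", empty_context())]:
        print(f"{name:10s} -> {diagnose(ctx)}")
```

Running the script prints a one-word diagnosis per context; the point of diagnose() is that "no-ca-store" and "unverified" are different problems with different fixes, and only the first is what macOS users actually hit. fetch() is the shape a library could use: the user still gets the failure, but the message tells them to install a CA bundle rather than to set verify_mode to CERT_NONE.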
I don’t know how many people use SSL without SSL verification, and how many unsafe projects are in production, but judging by how frequently this issue pops up in my repos and in many others, I’d guess quite a lot.
One option would be to make sure that the Python installer installs SSL certificates unless the user opts out. That might be my preferred solution.
But until this happens, we could at the very least improve the error message to encourage the user to install SSL root certificates (e.g., by using pip install certifi), and to strongly recommend not deactivating SSL verification.
What do you think?