classification
Title: No SSL certificates when using the Mac installer
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.9
process
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: christian.heimes, dreamsorcerer, ned.deily
Priority: normal Keywords:

Created on 2021-03-04 18:53 by dreamsorcerer, last changed 2021-03-05 05:47 by ned.deily. This issue is now closed.

Messages (2)
msg388123 - (view) Author: Sam Bull (dreamsorcerer) * Date: 2021-03-04 18:53
After installing the latest version of Python on Mac OS X using the installer downloaded from python.org (https://www.python.org/ftp/python/3.9.2/python-3.9.2-macosx10.9.pkg), the installed version of Python is unable to find the system certificates.

Using the old version of Python located at /usr/local/Cellar/python/3.7.5/bin/python3, I get:

>>> ssl.create_default_context().cert_store_stats()
{'x509': 168, 'crl': 0, 'x509_ca': 168}

But, with the new version located at /Library/Frameworks/Python.framework/Versions/3.9/bin/python3, I get:

>>> ssl.create_default_context().cert_store_stats()
{'x509': 0, 'crl': 0, 'x509_ca': 0}


Looking around on the internet, this seems to be a pretty common issue on Mac, but is often getting misdiagnosed as an actual problem with the server's certificate. Because of that, nobody seems to have proposed any methods to fix it.

Examples:
https://github.com/aio-libs/aiohttp/issues/5375
https://stackoverflow.com/questions/65039677/unable-to-get-local-issuer-certificate-mac-os#comment115039330_65040851
msg388144 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2021-03-05 05:47
When installing current Pythons for macOS downloaded from python.org, you will need to run the "Install Certificates.command" file installed into the /Applications/Python 3.x" folder for the version installed. This is noted in the initial screen when running the installer:

"At the end of this install, click on Install Certificates to install a set of current SSL root certificates."

It is also described in more detail in the "Read Me" file is also displayed by the installer and a copy of which is also installed in the /Applications/Python 3.x folder.

"Certificate verification and OpenSSL

This package includes its own private copy of OpenSSL 1.1.1.   The trust certificates in system and user keychains managed by the Keychain Access application and the security command line utility are not used as defaults by the Python ssl module.  A sample command script is included in /Applications/Python 3.9 to install a curated bundle of default root certificates from the third-party certifi package (https://pypi.org/project/certifi/).  Double-click on Install Certificates to run it.

The bundled pip has its own default certificate store for verifying download connections."

The installer also opens the /Applications/Python 3.x folder in a Finder window to make all of these files immediately accessible.
History
Date User Action Args
2021-03-05 05:47:32ned.deilysetstatus: open -> closed

nosy: + ned.deily
messages: + msg388144

resolution: not a bug
stage: resolved
2021-03-04 18:53:25dreamsorcerercreate