SSLError with Python 3.6.x on macOS Sierra

SSLError

Have you ran into trouble with SSLErrors after upgrading to Python 3.6 on macOS Sierra?  For me, my first encounter was downloading the bokeh sample data (included here).

I finally got a chance to research exactly what was wrong.  Given that Python 3.5 was working on my machine and 3.6 was working on several linux machines, I thought that it could have been an issue with Python 3.6, unlikely as it may be.  After no bug fix version was released I realized that it must be my configuration.

Searching, I found one result related to this in the Python issue tracker: Issue 28150.  One answerer points out that Python on macOS no longer relies on Apple’s version of OpenSSL, instead it is shipped with a new one.  The gotcha: this new one does not have trust certificates installed.  All this is detailed in the Readme.

The Installer Readme

So, as the Python issue tracker mentioned, there is an entry in the installer readme.  Perhaps I should read these closer…

Certificate verification and OpenSSL

**NEW** This variant of Python 3.6 now includes its own private copy of OpenSSL 1.0.2.  Unlike previous releases, the deprecated Apple-supplied OpenSSL libraries are no longer used.  This also means that the trust certificates in system and user keychains managed by the Keychain Access application and the security command line utility are no longer used as defaults by the Python ssl module.  For 3.6.0, a sample command script is included in /Applications/Python 3.6 to install a curated bundle of default root certificates from the third-party certifi package (https://pypi.python.org/pypi/certifi).  If you choose to use certifi, you should consider subscribing to the project’s email update service to be notified when the certificate bundle is updated.

The bundled pip included with the Python 3.6 installer has its own default certificate store for verifying download connections.

Two Solutions

There are two solutions as mentioned:

  • Install the certifi package.
  • Run the download script provided with the installer – /Applications/Python 3.6/Install Certificates.command.

For myself, I ran the bundled script and everything seems to be functioning fine.  It seems more than a little odd that this was not done on installation.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *