How to Fix pip SSL CERTIFICATE_VERIFY_FAILED on macOS Without Disabling Verification and Hoping for the Best
A practical guide to fixing pip SSL certificate verification failures on macOS by checking Python provenance, certificate bundles, corporate interception, and trust store mismatches instead of turning SSL verification off.
Why this error wastes so much time:
pip looks broken, but the real problem is usually that Python, OpenSSL, and your certificate trust chain do not agree on which roots are valid.
The error usually looks like:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
Many bad tutorials tell you to add --trusted-host everywhere and move on. That might get one install through, but it also trains you to ignore a trust problem you have not actually understood.
Step 1: find out which Python you are using
which python3
python3 --version
python3 -m pip --version
python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
This matters because Python from:
- Homebrew
- python.org
- pyenv
- Xcode tooling
can behave differently with certificates.
Step 2: test whether the system can reach PyPI cleanly
curl -I https://pypi.org/simple/
curl -I https://files.pythonhosted.org/
If curl also fails with certificate errors, the issue is broader than pip.
Step 3: update your CA bundle the clean way
Many Python installs rely on certifi:
python3 -m pip install --upgrade pip certifi
python3 -c "import certifi; print(certifi.where())"
If you installed Python from python.org on macOS, you may also need the bundled certificate installer that ships with that distribution.
Step 4: check for corporate interception
On company laptops, HTTPS traffic is often intercepted and re-signed by an internal root certificate. In that setup, Python may not trust the corporate root even if the browser appears fine.
You may need to export the organization CA and point pip at it:
mkdir -p ~/.config/pip
cat > ~/.config/pip/pip.conf <<'EOF'
[global]
cert = /Users/yourname/company-root-ca.pem
EOF
Replace the path with the real CA file your security team provides.
Step 5: avoid the fake permanent workaround
These commands are not a real fix:
pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org somepackage
pip install --cert /tmp/random.pem somepackage
They may be useful for targeted debugging, but if you need them permanently, your certificate chain is still unresolved.
Verification commands
After fixing the root issue, test both metadata and package download:
python3 -m pip index versions requests
python3 -m pip install requests --no-cache-dir
If both succeed without extra trust bypass flags, your environment is healthy again.
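The checks from Steps 1 to 4 can be collected into one diagnostic run from the same interpreter that pip uses. This is an added example, not code from the original guide; the function names (ca_sources, inspect_bundle, probe) are hypothetical, and PIP_CERT is assumed to be set only if you configured pip's cert option through the environment.

```python
import os
import socket
import ssl
import sys

ENV_VARS = ("SSL_CERT_FILE", "SSL_CERT_DIR", "PIP_CERT")  # overrides worth knowing about

def ca_sources(env=None):
    """List (label, path) for each CA location this interpreter or pip may consult."""
    env = os.environ if env is None else env
    found = [(f"env {name}", env[name]) for name in ENV_VARS if env.get(name)]
    found.append(("OpenSSL default cafile", ssl.get_default_verify_paths().openssl_cafile))
    try:
        import certifi  # optional; Step 3 installs or upgrades it
        found.append(("certifi bundle", certifi.where()))
    except ImportError:
        pass
    return found

def inspect_bundle(path):
    """Report whether a PEM bundle exists, how many certs it holds, and if OpenSSL loads it."""
    info = {"path": path, "exists": os.path.exists(path), "pem_blocks": 0, "loadable": False}
    if not info["exists"] or os.path.isdir(path):
        return info
    with open(path, "rb") as fh:
        info["pem_blocks"] = fh.read().count(b"-----BEGIN CERTIFICATE-----")
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cafile=path)
        info["loadable"] = True
    except (OSError, ssl.SSLError) as exc:
        info["error"] = str(exc)  # e.g. a DER file saved with a .pem name
    return info

def probe(host, cafile=None, timeout=5):
    """Try a fully verified TLS handshake; return None on success or the error text."""
    ctx = ssl.create_default_context(cafile=cafile)  # a cafile replaces the default roots
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except (ssl.SSLError, OSError) as exc:
        return str(exc)

if __name__ == "__main__":
    print(sys.executable, ssl.OPENSSL_VERSION)
    for label, path in ca_sources():
        print(label, inspect_bundle(path))
    for host in ("pypi.org", "files.pythonhosted.org"):
        print(host, probe(host) or "verified OK")
```

If probe fails with the default roots but succeeds when given the exported organization CA as cafile, the failure is the interception case from Step 4 rather than a stale bundle.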
Bottom line
CERTIFICATE_VERIFY_FAILED is almost never solved by “trying harder.” It is solved by aligning Python, its CA store, and the actual network trust chain. Once those agree, pip goes back to being boring, which is exactly what you want.