pip can't install from pypi.org on Windows because of missing root certificate

[usiems]

Description

I installed the official Python 3.13.5 on a computer with Windows 10 Enterprise (22H2). I tried the following command:
python -m pip install permutation
I get the following output:

WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))': /simple/permutation/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))': /simple/permutation/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))': /simple/permutation/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))': /simple/permutation/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))': /simple/permutation/
Could not fetch URL https://pypi.org/simple/permutation/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/permutation/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))) - skipping
ERROR: Could not find a version that satisfies the requirement permutation (from versions: none)
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))) - skipping
ERROR: No matching distribution found for permutation

It turns out that the root certificate of pypi.org (GlobalSign Root CA - R3) wasn't installed on the machine. Installing it on the machine fixed the issue; adding the option --use-deprecated=legacy-certs to the pip command also worked (I uninstalled the certificate again to test this).

I want to add that access to the Internet for the affected computer goes through a proxy, so HTTPS_PROXY is set, just in case this somehow contributes to the problem.

Expected behavior

From reading the release notes for 24.2 (and looking at the source code as well) I got the assumption that the certificates from certifi are checked in addition to the ones from the system store, so the root certificate for pypi.org doesn't need to be installed. Am I wrong?

pip version

25.1.1

Python version

3.13.5

OS

Windows 10 Enterprise (22H2)

How to Reproduce

Uninstall the root certificate with the Friendly Name "GlobalSign Root CA - R3" from the Windows certificate store (all locations, in both the user and system stores).
Then try to install any package from pypi.org.

Output

See above.

Code of Conduct

• I agree to follow the PSF Code of Conduct.

[ichard26]

Not sure what's wrong either, honestly, cc @sethmlarson

[sethmlarson]

So I'm immediately a little suspicious of that log output, the error message looks like OpenSSL, not Windows:

SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)'))

That tells me that OpenSSL is being used, not the Windows certificate APIs, at least on that invocation. Is that log output correct for the situation you're describing? You're not using WSL or something like that?

[usiems]

No, I'm not using WSL. And it is correct that OpenSSL is used. As far as I understand the code, the certificates are taken from the Windows certificate store and imported into an OpenSSL context. Then the certificates from certifi are also imported into the same OpenSSL context. Then the OpenSSL context is used for the socket communication, but somehow the needed root certificate is not found.

[sethmlarson]

@usiems So that's how the OpenSSL approach would work, Truststore does not do that. Truststore uses Windows certificate APIs for the verification step, so you shouldn't see OpenSSL error messages if that is actually what is happening. That's why I'm confused why you are seeing OpenSSL error messages at all if everything you're saying about your setup is correct.

[usiems]

@sethmlarson Since you were so sure that there should be no error messages from OpenSSL, I checked which functions from truststore were actually called when executing a pip install (by adding print statements).

• truststore.SSLContext.load_verify_locations was called as expected.
• truststore.inject_into_ssl was... not called?

From your statements and the comments in the code it sounded as if this might be necessary. And the pip code doesn't call this. So just for fun I added the call in pip/_internal/cli/index_command.py, just before the line

ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT) (line 47)

And suddenly it worked as expected. No more error messages. The permutation package is installed.

So it seems this call needs to be added somewhere. There is a corresponding truststore.extract_from_ssl that seems to revert the changes done by inject_into_ssl, which you also could consider (or not, since embedding of the pip code into other applications is not really supported?).