# ERROR: Could not install packages due to a TLS/SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1129) - **ID:** `pip/tls-ssl-certificate-verify-failed-self-signed` - **Domain:** pip - **Category:** network_error - **Error Code:** `ERROR` - **Verification:** ai_generated - **Fix Rate:** 88% ## Root Cause The remote server (e.g., a private PyPI mirror or corporate proxy) presents a self-signed SSL certificate that is not trusted by the system's certificate store, causing pip to reject the connection. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | pip 20.3 | active | — | — | | pip 22.0.4 | active | — | — | | pip 23.2 | active | — | — | ## Workarounds 1. **Add the server to trusted hosts: `pip install --trusted-host ` (e.g., `pip install mypackage --trusted-host pypi.example.com`). This disables SSL verification for that host.** (90% success) ``` Add the server to trusted hosts: `pip install --trusted-host ` (e.g., `pip install mypackage --trusted-host pypi.example.com`). This disables SSL verification for that host. ``` 2. **Install the self-signed certificate into the system's trust store: on Linux, copy the .crt file to `/usr/local/share/ca-certificates/` and run `update-ca-certificates`; on macOS, add to Keychain and mark as trusted.** (85% success) ``` Install the self-signed certificate into the system's trust store: on Linux, copy the .crt file to `/usr/local/share/ca-certificates/` and run `update-ca-certificates`; on macOS, add to Keychain and mark as trusted. ``` ## Dead Ends - **** — This only changes installation location, not SSL verification; the certificate error persists. (95% fail) - **** — If the provided certificate is not the exact CA that signed the server certificate, or if the file path is incorrect, pip will still fail with the same error. (80% fail)