Pip: PIP under Debian wheezy don't work with "HTTP Error 403: SSL is required"

Created on 27 Oct 2017 · 15 Comments · Source: pypa/pip

  • Pip version: 1.1-3
  • Python version: 2.7.3-4+deb7u1
  • Operating system: Debian Wheezy

Description:

Tried with clean wheezy env (cmd down).
Any pip command now fails. :(

Is there any known workaround?

What I've run:

pip install --upgrade pip
Cannot fetch index base URL http://pypi.python.org/simple/
Could not find any downloads that satisfy the requirement pip in /usr/lib/python2.7/dist-packages
No distributions at all found for pip in /usr/lib/python2.7/dist-packages
Storing complete log in /root/.pip/pip.log

pip.log:

/usr/bin/pip run on Fri Oct 27 07:28:51 2017
Getting page http://pypi.python.org/simple/pip
Could not fetch URL http://pypi.python.org/simple/pip: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/pip when looking for download links for pip in /usr/lib/python2.7/dist-packages
Getting page http://pypi.python.org/simple/
Could not fetch URL http://pypi.python.org/simple/: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/ when looking for download links for pip in /usr/lib/python2.7/dist-packages
Cannot fetch index base URL http://pypi.python.org/simple/

URLs to search for versions for pip in /usr/lib/python2.7/dist-packages:
* http://pypi.python.org/simple/pip/
Getting page http://pypi.python.org/simple/pip/
Could not fetch URL http://pypi.python.org/simple/pip/: HTTP Error 403: SSL is required
Will skip URL http://pypi.python.org/simple/pip/ when looking for download links for pip in /usr/lib/python2.7/dist-packages
Could not find any downloads that satisfy the requirement pip in /usr/lib/python2.7/dist-packages

No distributions at all found for pip in /usr/lib/python2.7/dist-packages

Exception information:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 104, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 245, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/lib/python2.7/dist-packages/pip/req.py", line 920, in prepare_files
    req_to_install, self.upgrade)
  File "/usr/lib/python2.7/dist-packages/pip/index.py", line 157, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
DistributionNotFound: No distributions at all found for pip in /usr/lib/python2.7/dist-packages


auto-locked support

All 15 comments

That version of pip is ancient. You should upgrade to the latest version. If it's the pip supplied with your OS, use your OS tools to get a newer version of pip. If your OS vendor doesn't provide a newer version, then you can use get-pip.py (see the documentation for details). You should also ask your OS vendor why they are not providing a more up to date version of pip...

It's really weird, because Wheezy end-of-life is planned for May 2018

It's old, the current Debian stable is 9, and you have 7. That one is still supported but I presume only for bad security issues.

Newer debian stable releases have a backports repo, where you can find some newer software compiled with the older libraries.

Unfortunately, I have this version deployed in prod, so I can't upgrade ASAP.
Yep, this is an old version, but why block non-SSL access to the repo?

It's the final stage of a security fix that we've been implementing for a while now. HTTP access to PyPI is inherently insecure. For a long time we've been telling people to change, and we've been redirecting HTTP access to HTTPS as a stopgap to help people who need time to make that change (there's still security risks with redirection, which is why it's not an acceptable permanent solution). We've now finally switched off the redirects, because people have had plenty of time. Unfortunately, we know there's some people who haven't made the change, relying on the redirects, but there's not much we can do about that. IMO, Debian should either have provided an upgrade path to newer versions of pip some time ago, or if they decided they didn't want to introduce the new functionality that would include, then they should have patched their version of the code to use HTTPS, and maintained that as a local security fix.

You could download needed files locally, store them on the server and use --find-links as a workaround. Or use a local PyPI mirror, using something like devpi. Neither option is ideal, I appreciate, but they may help you get around your immediate issues while you look for a better long-term solution.

Thanks for detailed answer.

To be clear here, the security implication is that anyone in a position to MITM your connection to PyPI can execute arbitrary Python code on the machine that you're running pip install ... on. Obviously this is incredibly dangerous because it means that anyone with a privileged position on the network effectively has root on all of your machine, which is pretty much one of the worst case scenarios security-wise.

You can work around this by simply updating pip to use the HTTPS URL, such as pip install -i https://pypi.python.org/simple/ ... but I recommend against only doing that, because unless you're using a version of pip >= 1.3, then even using HTTPS won't protect you from the above attack because it doesn't properly validate the HTTPS connection. It is a shame that Debian never provided a security update to python-pip in their repositories, but since they did not, your best options are going to be to find a way to get an updated version of pip and use that instead.

I'm going to go ahead and close this, since there's nothing actionable here for us to do.

Thanks to @dstufft,

I can set up Ansible 2.4.1 on Debian 7 now.

https://github.com/chusiang/ansible-jupyter.dockerfile/commit/51e7a684e80e61b3880d717505f6fd6c2992d2f5

Got the same error when installing ansible with pip.

  • Ubuntu 17.10
  • Python 3.6.2(pyenv)
  • pip 9.0.1

$ pip install -v ansible
Collecting ansible
  1 location(s) to search for versions of ansible:
  * http://pypi.python.org/simple/ansible/
  Getting page http://pypi.python.org/simple/ansible/
  Starting new HTTP connection (1): pypi.python.org
  "GET /simple/ansible/ HTTP/1.1" 403 16
  Could not fetch URL http://pypi.python.org/simple/ansible/: 403 Client Error: SSL is required for url: http://pypi.python.org/simple/ansible/ - skipping
  Could not find a version that satisfies the requirement ansible (from versions: )
Cleaning up...
No matching distribution found for ansible
Exception information:
Traceback (most recent call last):
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/commands/install.py", line 324, in run
    requirement_set.prepare_files(finder)
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_set.py", line 380, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_set.py", line 554, in _prepare_file
    require_hashes
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/req/req_install.py", line 278, in populate_link
    self.link = finder.find_requirement(self, upgrade)
  File "/path/to/.pyenv/versions/3.6.2/lib/python3.6/site-packages/pip/index.py", line 514, in find_requirement
    'No matching distribution found for %s' % req
pip.exceptions.DistributionNotFound: No matching distribution found for ansible

Check your pip's configuration: https://pip.pypa.io/en/stable/user_guide/#configuration and see if you've overridden the index pip uses.

Sorry for bothering you.

Got it.
pip install -v ansible -i https://pypi.python.org/simple/

Or pip.conf

[global]
timeout = 60
index-url = https://pypi.python.org/simple
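
Added example (not part of the thread and not pip's own code): a small audit applying the two checks raised in the comments above, namely whether the installed pip predates 1.3 and whether a pip.conf or a PIP_* environment variable points an index option at plain HTTP. The function names and the sample configs are constructed for illustration.

```python
import configparser

# Options that tell pip where to fetch packages from.
INDEX_KEYS = ("index-url", "extra-index-url", "find-links")
# Per the thread: pip older than 1.3 does not validate the HTTPS connection.
MIN_VERIFYING_PIP = (1, 3)

def parse_version(text):
    """'1.1-3' -> (1, 1); '9.0.1' -> (9, 0, 1). Stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def audit_pip(conf_text, pip_version, env=None):
    """Return (where, value, reason) findings for a pip.conf body and pip version."""
    findings = []
    if parse_version(pip_version) < MIN_VERIFYING_PIP:
        findings.append(("pip-version", pip_version, "HTTPS not validated before pip 1.3"))
    # RawConfigParser: no '%' interpolation, so URLs are read verbatim.
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    settings = [(s + "." + k, v) for s in parser.sections() for k, v in parser.items(s)
                if k.replace("_", "-") in INDEX_KEYS]
    # pip also reads each option from a PIP_<OPTION> environment variable.
    for key in INDEX_KEYS:
        name = "PIP_" + key.upper().replace("-", "_")
        if env and env.get(name):
            settings.append((name, env[name]))
    for where, value in settings:
        for url in value.split():  # several URLs may be listed per option
            if url.lower().startswith("http://"):
                findings.append((where, url, "plain-HTTP index"))
    return findings

# Constructed samples: an overridden HTTP index, and the pip.conf fix from the thread.
INSECURE_CONF = "[global]\ntimeout = 60\nindex-url = http://pypi.python.org/simple\n"
FIXED_CONF = "[global]\ntimeout = 60\nindex-url = https://pypi.python.org/simple\n"

if __name__ == "__main__":
    for finding in audit_pip(INSECURE_CONF, "1.1-3"):
        print(finding)
```

A recent pip with an overridden HTTP index (the Ubuntu 17.10 report above) yields only the index finding; the Wheezy pip 1.1 case yields both.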

I had the same issue, and was also accused of changing settings.

If anyone wants a dodgy copy-pasta from someone who doesn't know what they're talking about, please use this: sudo pip install --upgrade -v pip -i https://pypi.python.org/simple/ followed by a reboot. I needed to create the config file too. See https://pip.pypa.io/en/stable/user_guide/#config-file for where.

Creating a config file doesn't stop me getting the same error.

/usr/bin/pip-3.2 run on Mon Nov 20 22:00:28 2017
Downloading/unpacking sn3218

  Getting page http://pypi.python.org/simple/sn3218
  Could not fetch URL http://pypi.python.org/simple/sn3218: HTTP Error 403: SSL is required
  Will skip URL http://pypi.python.org/simple/sn3218 when looking for download links for sn3218
  Getting page http://pypi.python.org/simple/
  Could not fetch URL http://pypi.python.org/simple/: HTTP Error 403: SSL is required
  Will skip URL http://pypi.python.org/simple/ when looking for download links for sn3218
  Cannot fetch index base URL http://pypi.python.org/simple/

  URLs to search for versions for sn3218:
  * http://pypi.python.org/simple/sn3218/
  Getting page http://pypi.python.org/simple/sn3218/
  Could not fetch URL http://pypi.python.org/simple/sn3218/: HTTP Error 403: SSL is required
  Will skip URL http://pypi.python.org/simple/sn3218/ when looking for download links for sn3218
  Could not find any downloads that satisfy the requirement sn3218

No distributions at all found for sn3218

Exception information:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/pip/basecommand.py", line 104, in main
    status = self.run(options, args)
  File "/usr/lib/python3/dist-packages/pip/commands/install.py", line 245, in run
    requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
  File "/usr/lib/python3/dist-packages/pip/req.py", line 978, in prepare_files
    url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
  File "/usr/lib/python3/dist-packages/pip/index.py", line 157, in find_requirement
    raise DistributionNotFound('No distributions at all found for %s' % req)
pip.exceptions.DistributionNotFound: No distributions at all found for sn3218

You can manually update pip on wheezy per https://pip.pypa.io/en/stable/installing/#installing-with-get-pip-py

cd ~
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
sudo python get-pip.py
rm get-pip.py

I needed to install python-dateutil for my PI-TIMOLO project and it was failing on wheezy due to ssl problem. I was able to update pip to the latest version on my Raspberry Pi running Raspbian Wheezy per commands above. Now pip does the installs OK without ssl failure.
Claude ...

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
