🟑 Medium   ⏱ 5–30 min  Last verified: 19 May 2026

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

pip install fails with SSL verification errors, blocking Python dependency installs and CI jobs.

Environment & Reproduction

Typical on old Ubuntu 16.04 images with outdated CA certificates, legacy OpenSSL, or intercepting proxies. Reproduce against modern PyPI TLS chain.

Root Cause Analysis

The trust store or TLS stack cannot validate current certificate chains used by package indexes. Proxy MITM certs may be missing from system trust.

Quick Triage

Test HTTPS with curl -Iv https://pypi.org/simple and inspect python -m pip debug output. Verify system time correctness with timedatectl.

Step-by-Step Diagnosis

Check ca-certificates package version, OpenSSL build details, and pip configuration files (~/.pip/pip.conf, /etc/pip.conf) for custom indexes.

Illustrative mockup for ubuntu-16-04-lts β€” ubuntu1604-b01-p14-diagnosis
pip fails with CERTIFICATE_VERIFY_FAILED β€” Illustrative mockup β€” Progressive Robot

Solution – Primary Fix

Update ca-certificates and python tooling via apt, install org proxy CA into trust store if needed, and retry pip with validated index URL.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

Illustrative mockup for ubuntu-16-04-lts β€” ubuntu1604-b01-p14-fix
updated cert store and pip installation succeeded β€” Illustrative mockup β€” Progressive Robot

Solution – Alternative Approaches

Use internal package mirror with approved cert chain, or vendor dependencies into artifact repositories for offline/legacy hosts.

Verification & Acceptance Criteria

pip install succeeds without insecure flags, and dependency lockfile resolution completes in CI.

Rollback Plan

Restore prior trust store snapshots and pip configuration if new CA changes break other endpoints.

Prevention & Hardening

Rotate and distribute enterprise root CAs centrally, monitor certificate expiry, and avoid –trusted-host bypasses in production scripts.

Associated with apt HTTPS failures, clock drift, and proxy authentication misconfiguration.

Related tutorial: View the step-by-step tutorial for Ubuntu 16.04 LTS.

View all Ubuntu 16.04 LTS tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

pip documentation, Python packaging TLS guidance, and Ubuntu CA certificate management docs.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.