Unable to install Python deps using pip: "Certificate did not match expected hostname: files.pythonhosted.org."

We are using a standard trusty build (and ergo the pre-packaged Python 2.7 dist) and are currently unable to install Python dependencies with pip due to an InsecurePlatformWarning.

$ pip install --user "awscli<2.0"
Collecting awscli<2.0
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
  Certificate did not match expected hostname: files.pythonhosted.org. Certificate: {'notAfter': 'Apr 28 19:20:25 2021 GMT', 'subjectAltName': (('DNS', 'r.ssl.fastly.net'), ('DNS', '*.catchpoint.com'), ('DNS', '*.cnn.io'), ('DNS', '*.dollarshaveclub.com'), ('DNS', '*.eater.com'), ('DNS', '*.fastly.picmonkey.com'), ('DNS', '*.files.saymedia-content.com'), ('DNS', '*.ft.com'), ('DNS', '*.meetupstatic.com'), ('DNS', '*.nfl.com'), ('DNS', '*.pagar.me'), ('DNS', '*.picmonkey.com'), ('DNS', '*.realself.com'), ('DNS', '*.sbnation.com'), ('DNS', '*.shakr.com'), ('DNS', '*.streamable.com'), ('DNS', '*.surfly.com'), ('DNS', '*.theverge.com'), ('DNS', '*.thrillist.com'), ('DNS', '*.vox-cdn.com'), ('DNS', '*.vox.com'), ('DNS', '*.voxmedia.com'), ('DNS', 'eater.com'), ('DNS', 'ft.com'), ('DNS', 'i.gse.io'), ('DNS', 'picmonkey.com'), ('DNS', 'realself.com'), ('DNS', 'static.wixstatic.com'), ('DNS', 'streamable.com'), ('DNS', 'surfly.com'), ('DNS', 'theverge.com'), ('DNS', 'vox-cdn.com'), ('DNS', 'vox.com'), ('DNS', 'www.joyent.com')), 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'California'),), (('localityName', u'San Francisco'),), (('organizationName', u'Fastly, Inc'),), (('commonName', u'r.ssl.fastly.net'),))}
Exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/usr/local/lib/python2.7/dist-packages/pip/commands/install.py", line 335, in run
    wb.build(autobuilding=True)
  File "/usr/local/lib/python2.7/dist-packages/pip/wheel.py", line 749, in build
    self.requirement_set.prepare_files(self.finder)
  File "/usr/local/lib/python2.7/dist-packages/pip/req/req_set.py", line 380, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "/usr/local/lib/python2.7/dist-packages/pip/req/req_set.py", line 620, in _prepare_file
    session=self.session, hashes=hashes)
  File "/usr/local/lib/python2.7/dist-packages/pip/download.py", line 821, in unpack_url
    hashes=hashes
  File "/usr/local/lib/python2.7/dist-packages/pip/download.py", line 659, in unpack_http_url
    hashes)
  File "/usr/local/lib/python2.7/dist-packages/pip/download.py", line 853, in _download_http_url
    stream=True,
  File "/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/sessions.py", line 488, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pip/download.py", line 386, in request
    return super(PipSession, self).request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/sessions.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pip/_vendor/cachecontrol/adapter.py", line 47, in send
    resp = super(CacheControlAdapter, self).send(request, **kw)
  File "/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)

More to come…

Looks like a certificate problem at the remore server. It’s fixed now.

Looks like it’s happening again, this time for python 2.6.
Here’s my config for python 2.6 (trusty).
Any workaround for this?

@Xonshiz That’s