You can specify a cert with this param:

您可以使用此参数指定证书：

pip --cert /etc/ssl/certs/FOO_Root_CA.pem install linkchecker

See: Docs ? Reference Guide ? pip

请参阅：文档？参考指南 ? 点子

If specifying your company's root cert doesn't work maybe the cURL one will work: http://curl.haxx.se/ca/cacert.pem

如果指定您公司的根证书不起作用，那么 cURL 可能会起作用：http: //curl.haxx.se/ca/cacert.pem

You must use a PEM file and not a CRT file. If you have a CRT file you will need to convert the file to PEMThere are reports in the comments that this now works with a CRT file but I have not verified.

您必须使用 PEM 文件而不是 CRT 文件。如果您有 CRT 文件，则需要将文件转换为 PEM评论中有报告说这现在适用于 CRT 文件，但我尚未验证。

Also check: SSL Cert Verification.

还要检查：SSL 证书验证。

You can try to bypass the SSL error by using http instead of https. Of course this is not optimal in terms of security, but if you are in a hurry it should do the trick:

您可以尝试使用 http 而不是 https 来绕过 SSL 错误。当然，这在安全性方面不是最佳的，但是如果您赶时间，它应该可以解决问题：

pip install --index-url=http://pypi.python.org/simple/ linkchecker

I solved this problem by removing my pip and installing the older version of pip: https://pypi.python.org/pypi/pip/1.2.1

我通过删除我的 pip 并安装旧版本的 pip 解决了这个问题：https: //pypi.python.org/pypi/pip/1.2.1

Had the same problem trying pip install ftputilwith ActivePython 2.7.8, ActivePython 3.4.1, and "stock" Python 3.4.2 on 64-bit Windows 7 Enterprise. All attempts failed with the same errors as OP.

pip install ftputil在 64 位 Windows 7 Enterprise 上尝试使用 ActivePython 2.7.8、ActivePython 3.4.1 和“库存”Python 3.4.2 时遇到了同样的问题。所有尝试都失败，并出现与 OP 相同的错误。

Worked around the problem for Python 3.4.2 by downgrading to pip 1.2.1: easy_install pip==1.2.1(see https://stackoverflow.com/a/16370731/234235). Same fix also worked for ActivePython 2.7.8.

通过降级到 pip 1.2.1 解决了 Python 3.4.2 的问题：（easy_install pip==1.2.1参见https://stackoverflow.com/a/16370731/234235）。同样的修复也适用于 ActivePython 2.7.8。

The bug, reported in March 2013, is still open: https://github.com/pypa/pip/issues/829.

该漏洞于 2013 年 3 月报告，目前仍处于开放状态：https: //github.com/pypa/pip/issues/829。

I recently ran into this problem because of my company's web content filter that uses its own Certificate Authority so that it can filter SSL traffic. PIP doesn't seem to be using the system's CA certificates in my case, producing the error you mention. Downgrading PIP to version 1.2.1 presented its own set of problems later on, so I went back to the original version that came with Python 3.4.

我最近遇到了这个问题，因为我公司的 Web 内容过滤器使用自己的证书颁发机构，以便它可以过滤 SSL 流量。在我的情况下，PIP 似乎没有使用系统的 CA 证书，从而产生您提到的错误。将 PIP 降级到 1.2.1 版本之后会出现一系列问题，所以我回到了 Python 3.4 附带的原始版本。

My workaround is quite simple: use easy_install. Either it doesn't check the certs (like the old PIP version), or it knows to use the system certs because it works every time for me and I can still use PIP to uninstall packages installed with easy_install.

我的解决方法很简单：使用easy_install. 要么它不检查证书（如旧的 PIP 版本），要么它知道使用系统证书，因为它每次对我都有效，我仍然可以使用 PIP 卸载使用 easy_install 安装的软件包。

If that doesn't work and you can get access to a network or computer that doesn't have the issue, you could always setup your own personal PyPI server: how to create local own pypi repository index without mirror?

如果这不起作用并且您可以访问没有问题的网络或计算机，您始终可以设置自己的个人 PyPI 服务器：如何在没有镜像的情况下创建本地自己的 pypi 存储库索引？

I almost did that until I tried using easy_installas a last ditch effort.

我几乎做到了，直到我尝试将其easy_install用作最后的努力。

I installed pip 1.2.1 with easy_install and upgraded to latest version of pip (6.0.7 at the time) which is able to install packages in my case.

我使用easy_install安装了pip 1.2.1并升级到最新版本的pip（当时是6.0.7），它可以在我的情况下安装软件包。

easy_install pip==1.2.1
pip install --upgrade pip

The most straightforward way I've found, is to download and use the "DigiCert High Assurance EV Root CA" from DigiCert at https://www.digicert.com/digicert-root-certificates.htm#roots

我发现的最直接的方法是从 DigiCert 下载并使用“DigiCert High Assurance EV Root CA” https://www.digicert.com/digicert-root-certificates.htm#roots

You can visit https://pypi.python.org/to verify the cert issuer by clicking on the lock icon in the address bar, or increase your geek cred by using openssl:

您可以访问https://pypi.python.org/通过单击地址栏中的锁定图标来验证证书颁发者，或使用 openssl 增加您的极客信誉：

$ openssl s_client -connect pypi.python.org:443
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro,/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

The last CN value in the certificate chain is the name of the CA that you need to download.

证书链中的最后一个 CN 值是您需要下载的 CA 的名称。

For a one-off effort, do the following:

对于一次性的努力，请执行以下操作：

1. Download the CRTfrom DigiCert
2. Convert the CRT to PEM format
3. Export the PIP_CERT environment variable to the path of the PEM file

1. 从 DigiCert下载CRT
2. 将 CRT 转换为 PEM 格式
3. 将 PIP_CERT 环境变量导出到 PEM 文件的路径

(the last line assumes you are using the bash shell) before running pip.

（最后一行假设您正在使用 bash shell）在运行 pip 之前。

curl -sO http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt 
openssl x509 -inform DES -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.pem -text
export PIP_CERT=`pwd`/DigiCertHighAssuranceEVRootCA.pem

To make this re-usable, put DigiCertHighAssuranceEVRootCA.crt somewhere common and export PIP_CERT accordingly in your ~/.bashrc.

要使其可重用，请将 DigiCertHighAssuranceEVRootCA.crt 放在某个常见的地方，并在您的 ~/.bashrc 中相应地导出 PIP_CERT。

-----> pip install gensim config --global http.sslVerify false

-----> pip install gensim config --global http.sslVerify false

Just install any package with the "config --global http.sslVerify false" statement

只需使用“config --global http.sslVerify false”语句安装任何包

You can ignore SSL errors by setting pypi.organd files.pythonhosted.orgas trusted hosts.

您可以通过设置pypi.org和files.pythonhosted.org作为受信任的主机来忽略 SSL 错误。

$ pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org <package_name>

Note: Sometime during April 2018, the Python Package Indexwas migrated from pypi.python.orgto pypi.org. This means "trusted-host" commands using the old domain no longer work.

注：2018年4月期间的某个时间，Python包指数从迁移pypi.python.org到pypi.org。这意味着使用旧域的“可信主机”命令不再有效。

Permanent Fix

永久修复

Since the release of pip 10.0, you should be able to fix this permanently just by upgrading pipitself:

自 pip 10.0 发布以来，您应该能够通过升级pip自身来永久修复此问题：

$ pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org pip setuptools

Or by just reinstalling itto get the latest version:

或者只是重新安装它以获得最新版本：

$ curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

(…?and then running get-pip.pywith the relevant Python interpreter).

（...？然后get-pip.py使用相关的 Python 解释器运行）。

pip install <otherpackage>should just work after this. If not, then you will need to do more, as explained below.

pip install <otherpackage>应该在这之后工作。如果没有，那么您将需要做更多的事情，如下所述。

You may want to add the trusted hosts and proxy to your config file.

您可能希望将受信任的主机和代理添加到您的配置文件中。

pip.ini(Windows) or pip.conf(unix)

pip.ini(Windows) 或pip.conf(Unix)

[global]
trusted-host = pypi.python.org
               pypi.org
               files.pythonhosted.org

Alternate Solutions (Less secure)

替代解决方案（安全性较低）

Most of the answers could pose a security issue.

大多数答案可能会造成安全问题。

Two of the workarounds that help in installing most of the python packages with ease would be:

有助于轻松安装大多数 python 包的两种解决方法是：

• Using easy_install: if you are really lazy and don't want to waste much time, use easy_install <package_name>. Note that some packages won't be found or will give small errors.
• Using Wheel: download the Wheel of the python packageand use the pip command pip install wheel_package_name.whlto install the package.

• 使用 easy_install：如果你真的很懒，不想浪费太多时间，使用easy_install <package_name>. 请注意，某些软件包将无法找到或会出现小错误。
• 使用 Wheel：下载python 包的Wheel并使用 pip 命令pip install wheel_package_name.whl安装包。

You've the following possibilities to solve issue with CERTIFICATE_VERIFY_FAILED:

您可以通过以下方式解决问题CERTIFICATE_VERIFY_FAILED：

• Use HTTP instead of HTTPS (e.g. --index-url=http://pypi.python.org/simple/).

• Use --cert <trusted.pem>or CA_BUNDLEvariable to specify alternative CA bundle.

  E.g. you can go to failing URL from web-browser and import root certificate into your system.

• Run python -c "import ssl; print(ssl.get_default_verify_paths())"to check the current one (validate if exists).

• OpenSSL has a pair of environments (SSL_CERT_DIR, SSL_CERT_FILE) which can be used to specify different certificate database^PEP-476.
• Use --trusted-host <hostname>to mark the host as trusted.
• In Python use verify=Falsefor requests.get(see: SSL Cert Verification).
• Use --proxy <proxy>to avoid certificate checks.

• 使用 HTTP 而不是 HTTPS（例如--index-url=http://pypi.python.org/simple/）。

• 使用--cert <trusted.pem>或CA_BUNDLE变量来指定替代 CA 包。

  例如，您可以从网络浏览器转到失败的 URL 并将根证书导入您的系统。

• 运行python -c "import ssl; print(ssl.get_default_verify_paths())"以检查当前的（验证是否存在）。

• OpenSSL 有一对环境 ( SSL_CERT_DIR, SSL_CERT_FILE) 可用于指定不同的证书数据库^PEP-476。
• 用于--trusted-host <hostname>将主机标记为受信任。
• 在 Python 中使用verify=Falsefor requests.get（请参阅：SSL 证书验证）。
• 使用--proxy <proxy>以避免证书检查。

Read more at: TLS/SSL wrapper for socket objects - Verifying certificates.

阅读更多内容：套接字对象的 TLS/SSL 包装器 - 验证证书。

kenorb's answeris very useful (and great!).
Among his solutions, maybe this is the most simple one: --trusted-host

kenorb 的回答非常有用（而且很棒！）。
在他的解决方案中，也许这是最简单的一个： --trusted-host

For example, in this case you can do

例如，在这种情况下，您可以执行

pip install --trusted-host pypi.python.org linkchecker

The pem file(or anything else) is unnecessary.

pem 文件（或其他任何文件）是不必要的。