Invalid peer certificate issue with latest version

Anki Help
1

I’m behind a corporate proxy with a Mac and using the latest version (installed using homebrew) gives me the following error:

Checking for updates...
Unable to check for Anki versions. Please check your internet connection.

Error: Failed to run (2): /Applications/Anki.app/Contents/MacOS/uv run --no-project --no-config --managed-python --with pip-system-certs,requests[socks] --python 3.13.5 /Applications/Anki.app/Contents/Resources/versions.py: error: Failed to download https://github.com/astral-sh/python-build-standalone/releases/download/20250612/cpython-3.13.5%2B20250612-aarch64-apple-darwin-install_only_stripped.tar.gz
  Caused by: Request failed after 3 retries
  Caused by: error sending request for url (https://github.com/astral-sh/python-build-standalone/releases/download/20250612/cpython-3.13.5%2B20250612-aarch64-apple-darwin-install_only_stripped.tar.gz)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer

There have been a few topics related to this. I wanted to add a link, but it wouldn’t let me… :confused:

The solution/workaround there is to use an older version. I’ve manually installed 25.02.7 and I can confirm that it still works there.

However, I’m wondering if this issue is being addressed? All the other topics have been automatically closed due to inactivity. And I haven’t found a corresponding issue on Github. I don’t completely understand what the process would be. Should I create an issue on Github? Or is this somewhere on the radar?

On a similar note, Anki doesn’t pick up my corporate proxy settings correctly if I start it using the application icon. I have to start it manually from a terminal where the http_proxy and https_proxy env variables are set accordingly, then it works. Any thoughts on how to fix this?

2 Likes
2

Tried to link the related issue, but can’t. It’s named “Installation error - invalid peer certificate - –native-tls?”, but there are others. This one is from August 22nd.

1 Like
3

In that case, probably there is noone working on it yet. Dae and abdo read the forums every few weeks and add entries to the issues tab on github. They might have missed the previous reports though.

It would be great if you could provide as many detailed infos as possible here on the forums, including steps to reproduce. Then, once a dev sees your report, it’ll be added to githubs issues. After that, either the devs or volunteers can work on it. You shouldn’t create an issue on github though, as the forums is prefered for this.

New users cannot send links. You can add a link by using code blocks though, like this forums.ankiweb.net. Anyways, thanks for providing the title. I’ll link it here: Installation error - invalid peer certificate - --native-tls?.

1 Like
4

Thanks a lot for the feedback. I’ll try to add more details. Reproduction will obviously depend on the networking infrastructure, but I could imagine that there are a few people that site behind a proxy…

System configuration:

  • Mac Book Pro, Sequoia 15.7.1 (but I guess the OS shouldn’t matter that much)
  • Access to Internet only via PreProxy, https://apps.apple.com/us/app/preproxy/id1237580019?mt=12
    - The PreProxy sits between the local application and the remote proxy, handling authentication, so the local application can use the proxy unauthenticated.
  • The proxy is set in both system settings as well as in the HTTP_PROXY and HTTPS_PROXY env variables

Problem 1 (with version 25.02.7, but also earlier and later):

  • Starting Anki via the regular application icon does not work - or rather in this case, it will for some reason not pick up the proxy settings and will not be able to sync any data from the Internet.
  • The workaround is to open a terminal (which will have the proxy env variables set), go to the directory /Application/Anki.app/Contents/MacOS and start ./anki from the terminal. Then, it will pick up the proxy settings correctly and everything works.

Problem 2 (versions > 25.02.7, including latest 25.09 available on homebrew):

  • With the new launcher, I cannot start the application at all. When the launcher checks for updates, there will be a invalid peer certificate: UnknownIssuer error. This is most likely due to the fact that the corporate reverse proxy will intercept https traffic and re-encrypt it using the corporate certificate.
  • This certificate is obviously stored in the system, but Anki doesn’t seem to consider it
  • There seems to be a flag –native-tls for Python that might fix this issue. But when I try to run the uv run command without the launcher, it doesn’t work at all, probably due to some missing Python setup.

Required Fix:
So in short I would say the following fixes would be required:

  1. Use the proxy configuration from the system and/or allow to manually configure a proxy
  2. Use the SSL certificates from the system and/or allow to ignore invalid certificates (which is obviously not ideal)

Thanks a lot

P.S. I cannot say if this problem only occurs on MacOS as this is currently my only machine with a corporate proxy setup. I also use Anki on Windows, Linux and Android, but there I have direct internet access and no issues…

2 Likes
5

Maybe try running the launcher with UV_NATIVE_TLS=1

EDIT: Sorry, this won’t do anything as the launcher helpfully removes all UV_* env vars beforehand. Opened a pr to get the launcher to set it, which should fix this

3 Likes
6

I can confirm that it doesn’t work with 25.09.

Hm, you wouldn’t know if the launcher also does something with the HTTP_PROXY / HTTPS_PROXY variables? Hopefully not…

7

uv should pick those up automatically (Environment variables | uv), it’s just a question of telling it to use the system certstore

8

Anki installer fails to run after checking for the updates, it shows “ Error: Failed to run (2):”

image
image1490×717 58.1 KB

9

Probably related to Invalid peer certificate issue with latest version - Anki / Help - Anki Forums

10

Is there no way to just disable the Update Check, and let users upgrade when they WANT to upgrade. That would be the easiest path forward, just give us an option to disable the check.

1 Like
11

Is there any update on this? Honestly, I don’t quite understand how the new setup is supposed to work. Does it include the Anki application at all or will that have to be downloaded by the installer upon first startup?

Here is some terminal interaction to show how it looks like after I’ve installed the latest available version 25.09 of Anki using brew

  https://docs.brew.sh
Anki.app % brew info anki
==> anki: 25.09
https://apps.ankiweb.net/
Installed
/opt/homebrew/Caskroom/anki/25.09 (77.7MB)
  Installed using the formulae.brew.sh API on 2025-11-14 at 15:13:51
From: https://github.com/Homebrew/homebrew-cask/blob/HEAD/Casks/a/anki.rb
==> Name
Anki
==> Description
Memory training application
==> Artifacts
Anki.app (App)
==> Analytics
install: 1,336 (30 days), 4,176 (90 days), 13,644 (365 days)
Anki.app % find .
.
./Contents
./Contents/CodeResources
./Contents/_CodeSignature
./Contents/_CodeSignature/CodeResources
./Contents/MacOS
./Contents/MacOS/launcher
./Contents/MacOS/uv
./Contents/MacOS/install_name_tool
./Contents/Resources
./Contents/Resources/pyproject.toml
./Contents/Resources/Assets.car
./Contents/Resources/.python-version
./Contents/Resources/versions.py
./Contents/Info.plist
Anki.app % cd Contents/MacOS 
MacOS % ./launcher

Anki Launcher

1) Latest Anki (press Enter)
2) Choose a version

5) Allow betas: off
6) Cache downloads: on
7) Download mirror: off

8) Uninstall
> 

Checking for updates...
Updating Anki...

error: Failed to download https://github.com/astral-sh/python-build-standalone/releases/download/20250612/cpython-3.13.5%2B20250612-aarch64-apple-darwin-install_only_stripped.tar.gz
  Caused by: Request failed after 3 retries
  Caused by: error sending request for url (https://github.com/astral-sh/python-build-standalone/releases/download/20250612/cpython-3.13.5%2B20250612-aarch64-apple-darwin-install_only_stripped.tar.gz)
  Caused by: client error (Connect)
  Caused by: invalid peer certificate: UnknownIssuer
Install failed: Failed to run (2): /Applications/Anki.app/Contents/MacOS/uv sync --upgrade --no-config --managed-python --python 3.13.5

Error: Failed to run (2): /Applications/Anki.app/Contents/MacOS/uv sync --upgrade --no-config --managed-python --python 3.13.5
Press enter to close...

MacOS % ./uv run --no-project --no-config --managed-python --with 'pip-system-certs,requests[socks]' --python 3.13.5 /Applications/Anki.app/Contents/Resources/versions.py             
["2.1.24", "2.1.25", "2.1.26", "2.1.28", "2.1.29", "2.1.30", "2.1.31", "2.1.32", "2.1.33", "2.1.34", "2.1.35", "2.1.36", "2.1.37rc1", "2.1.37", "2.1.38b1", "2.1.38b2", "2.1.38b3", "2.1.38b4", "2.1.38", "2.1.39b1", "2.1.39b2", "2.1.39", "2.1.40", "2.1.41b1", "2.1.41b2", "2.1.41b3", "2.1.41b4", "2.1.41b5", "2.1.41b6", "2.1.41b7", "2.1.41", "2.1.42", "2.1.43b1", "2.1.43", "2.1.44b1", "2.1.44", "2.1.45a1", "2.1.45a2", "2.1.45a3", "2.1.45a4", "2.1.45b1", "2.1.45b2", "2.1.45b3", "2.1.45b4", "2.1.45b5", "2.1.45b6", "2.1.45rc1", "2.1.45rc2", "2.1.45", "2.1.46rc1", "2.1.46", "2.1.47rc1", "2.1.47rc2", "2.1.47", "2.1.48rc1", "2.1.48rc2", "2.1.48", "2.1.49", "2.1.50b1", "2.1.50b2", "2.1.50b3", "2.1.50b4", "2.1.50b5", "2.1.50b6", "2.1.50b7", "2.1.50b8", "2.1.50b9", "2.1.50rc1", "2.1.50rc2", "2.1.50rc3", "2.1.50rc4", "2.1.50", "2.1.51rc1", "2.1.51rc2", "2.1.51", "2.1.52rc1", "2.1.52rc2", "2.1.52rc3", "2.1.52", "2.1.53rc1", "2.1.53rc2", "2.1.53", "2.1.54rc1", "2.1.54rc2", "2.1.54rc3", "2.1.54", "2.1.55b1", "2.1.55b2", "2.1.55b3", "2.1.55b4", "2.1.55b6", "2.1.55b7", "2.1.55rc1", "2.1.55rc2", "2.1.55", "2.1.56rc1", "2.1.56", "2.1.57b1", "2.1.57rc1", "2.1.57", "2.1.58", "2.1.59", "2.1.60", "2.1.61b1", "2.1.61b2", "2.1.61", "2.1.62b1", "2.1.62rc1", "2.1.62", "2.1.63", "2.1.64", "2.1.65", "2.1.66b1", "2.1.66rc1", "2.1.66", "23.10b1", "23.10b2", "23.10b3", "23.10b4", "23.10b5", "23.10b6", "23.10rc1", "23.10rc2", "23.10rc3", "23.10", "23.10.1rc1", "23.10.1rc2", "23.10.1", "23.12b1", "23.12b2", "23.12b3", "23.12rc1", "23.12", "23.12.1", "24.4rc1", "24.4rc2", "24.4", "24.4.1", "24.6", "24.6.1", "24.6.2", "24.6.3", "24.10b1", "24.10b2", "24.10b3", "24.10b4", "24.10rc1", "24.10rc2", "24.11rc1", "24.11rc2", "24.11", "25.1b1", "25.1rc1", "25.2rc1", "25.2", "25.2.1", "25.2.2", "25.2.3", "25.2.4", "25.5b1", "25.5b2", "25.2.5", "25.2.6", "25.2.7", "25.6b1", "25.6b2", "25.6b3", "25.6b4", "25.6b5", "25.6b6", "25.6b7", "25.7", "25.7.1", "25.7.2", "25.8b1", "25.8b2", "25.7.3rc1", "25.7.3", "25.7.4", "25.7.5", "25.8b3", "25.8b4", "25.8b5", "25.9rc1", "25.9", "25.9.1", "25.9.2"]
MacOS % echo $HTTP_PROXY
http://localhost:3128
MacOS % echo $HTTPS_PROXY
http://localhost:3128
MacOS %

So as you can see, the launcher fails with the certificate error. But when I run the uv command manually to run the versions.py script, it works. Somehow it probably uses the certificates from my computer correctly then.

But I don’t really see an installation of Anki at all? Is there a way I can get the launcher to use my certificates correctly? Or can I somehow start Anki directly? Why doesn’t the installation just contain Anki without the launcher as it used to be and lets me update it via brew?

12

Anki runs versions.py with your system certificates, so the issue doesn’t appear there. The next Anki release will make it do so for all uv commands, which should fix your issue.

Changes had to be made here because the packaging tool Anki relied on for years is no longer being maintained.