pip "SSL: CERTIFICATE_VERIFY_FAILED" - Fix TLS Errors in CI
pip could not verify the TLS certificate of the index it is talking to. Either the runner is missing CA certificates, or a corporate proxy is presenting its own certificate that the runner does not trust.
What this error means
pip fails to reach PyPI (or a mirror) with an SSL error during the TLS handshake. It happens before any package downloads and is often environment-specific - it passes on a developer machine but fails on a bare CI image.
Could not fetch URL https://pypi.org/simple/requests/: There was a problem
confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443):
Max retries exceeded ... [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
unable to get local issuer certificate (_ssl.c:1006)Common causes
Missing or stale CA certificates on the runner
A minimal container image may not ship ca-certificates, so Python has no trust store to validate PyPI’s certificate against.
A proxy or firewall doing TLS interception
Corporate proxies re-sign HTTPS with their own root CA. Unless that root is in the runner’s trust store, every verification fails.
How to fix it
Install CA certificates and refresh certifi
# Debian/Ubuntu
apt-get update && apt-get install -y ca-certificates
update-ca-certificates
pip install --upgrade certifiTrust the proxy’s root CA
When a proxy intercepts TLS, point pip at the proxy’s CA bundle rather than disabling verification.
pip install --cert /etc/ssl/certs/corporate-root.pem -r requirements.txt
# or persist it
export PIP_CERT=/etc/ssl/certs/corporate-root.pemHow to prevent it
- Use a runner image with
ca-certificatespreinstalled. - Provide the corporate root CA to the trust store, not per-command flags.
- Keep
certifireasonably current in CI.