Skip to content
Latchkey

pip "SSL: CERTIFICATE_VERIFY_FAILED" - Fix TLS Errors in CI

pip could not verify the TLS certificate of the index it is talking to. Either the runner is missing CA certificates, or a corporate proxy is presenting its own certificate that the runner does not trust.

What this error means

pip fails to reach PyPI (or a mirror) with an SSL error during the TLS handshake. It happens before any package downloads and is often environment-specific - it passes on a developer machine but fails on a bare CI image.

pip output
Could not fetch URL https://pypi.org/simple/requests/: There was a problem
confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443):
Max retries exceeded ... [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed:
unable to get local issuer certificate (_ssl.c:1006)

Common causes

Missing or stale CA certificates on the runner

A minimal container image may not ship ca-certificates, so Python has no trust store to validate PyPI’s certificate against.

A proxy or firewall doing TLS interception

Corporate proxies re-sign HTTPS with their own root CA. Unless that root is in the runner’s trust store, every verification fails.

How to fix it

Install CA certificates and refresh certifi

Terminal
# Debian/Ubuntu
apt-get update && apt-get install -y ca-certificates
update-ca-certificates
pip install --upgrade certifi

Trust the proxy’s root CA

When a proxy intercepts TLS, point pip at the proxy’s CA bundle rather than disabling verification.

Terminal
pip install --cert /etc/ssl/certs/corporate-root.pem -r requirements.txt
# or persist it
export PIP_CERT=/etc/ssl/certs/corporate-root.pem

How to prevent it

  • Use a runner image with ca-certificates preinstalled.
  • Provide the corporate root CA to the trust store, not per-command flags.
  • Keep certifi reasonably current in CI.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →