Skip to content
Latchkey

pip "SSLError: CERTIFICATE_VERIFY_FAILED" in CI

pip established a TLS connection but could not validate the server certificate chain against the runner's CA bundle. The handshake aborts before any package downloads.

What this error means

pip fails with "Could not fetch URL ...: There was a problem confirming the ssl certificate: ... CERTIFICATE_VERIFY_FAILED". It often hits a corporate mirror or proxy that injects its own certificate.

pip
Could not fetch URL https://pypi.org/simple/requests/: There was a problem confirming
the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries
exceeded with url: /simple/requests/ (Caused by SSLError(
SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed')))

Common causes

A proxy or mirror presents an untrusted certificate

A corporate TLS-inspecting proxy or self-hosted mirror serves a certificate signed by a CA not in the runner's trust store.

An outdated or missing CA bundle on the runner

A slim image with stale ca-certificates cannot validate modern certificate chains.

How to fix it

Trust the proxy CA properly

Point pip and requests at the corporate CA bundle instead of disabling verification.

Terminal
export PIP_CERT=/etc/ssl/certs/corp-ca.pem
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/corp-ca.pem
pip install -r requirements.txt

Update the runner CA store

Refresh ca-certificates so the chain validates without ad hoc bundles.

Terminal
sudo apt-get update && sudo apt-get install -y ca-certificates
sudo update-ca-certificates

How to prevent it

  • Install the corporate CA into the runner trust store, not into pip flags.
  • Keep ca-certificates current in custom images.
  • Avoid --trusted-host / disabling verification as a permanent fix.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →