pip "SSLError: CERTIFICATE_VERIFY_FAILED" in CI
pip established a TLS connection but could not validate the server certificate chain against the runner's CA bundle. The handshake aborts before any package downloads.
What this error means
pip fails with "Could not fetch URL ...: There was a problem confirming the ssl certificate: ... CERTIFICATE_VERIFY_FAILED". It often hits a corporate mirror or proxy that injects its own certificate.
Could not fetch URL https://pypi.org/simple/requests/: There was a problem confirming
the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries
exceeded with url: /simple/requests/ (Caused by SSLError(
SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed')))Common causes
A proxy or mirror presents an untrusted certificate
A corporate TLS-inspecting proxy or self-hosted mirror serves a certificate signed by a CA not in the runner's trust store.
An outdated or missing CA bundle on the runner
A slim image with stale ca-certificates cannot validate modern certificate chains.
How to fix it
Trust the proxy CA properly
Point pip and requests at the corporate CA bundle instead of disabling verification.
export PIP_CERT=/etc/ssl/certs/corp-ca.pem
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/corp-ca.pem
pip install -r requirements.txtUpdate the runner CA store
Refresh ca-certificates so the chain validates without ad hoc bundles.
sudo apt-get update && sudo apt-get install -y ca-certificates
sudo update-ca-certificatesHow to prevent it
- Install the corporate CA into the runner trust store, not into pip flags.
- Keep
ca-certificatescurrent in custom images. - Avoid
--trusted-host/ disabling verification as a permanent fix.