Skip to content
Latchkey

requests "SSLCertVerificationError" - Fix CERTIFICATE_VERIFY_FAILED in CI

A requests call could not verify the server’s TLS certificate. Either the runner lacks CA certificates, certifi is stale, or a corporate proxy is presenting its own root the runner does not trust.

What this error means

An HTTPS request via requests (or anything on urllib3) raises requests.exceptions.SSLError: ... [SSL: CERTIFICATE_VERIFY_FAILED] unable to get local issuer certificate. It passes on a developer machine but fails on a bare CI image - an environment trust-store issue, not a code bug.

Python traceback
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.example.com',
port=443): Max retries exceeded with url: /v1/data (Caused by
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

Common causes

Missing or stale CA certificates

A minimal image lacks ca-certificates, or certifi (the CA bundle requests uses) is outdated, so the issuing CA is not trusted.

A TLS-intercepting proxy

A corporate proxy re-signs HTTPS with its own root CA. Unless that root is in the trust store, every verification fails.

How to fix it

Install CA certificates and refresh certifi

Terminal
# Debian/Ubuntu
apt-get update && apt-get install -y ca-certificates
update-ca-certificates
pip install --upgrade certifi

Trust the proxy root via REQUESTS_CA_BUNDLE

Point requests at the proxy’s CA bundle rather than disabling verification.

Terminal
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/corporate-root.pem
# or in code, per call:
requests.get(url, verify="/etc/ssl/certs/corporate-root.pem")

How to prevent it

  • Use a runner image with ca-certificates preinstalled.
  • Provide the corporate root CA via REQUESTS_CA_BUNDLE, not verify=False.
  • Keep certifi reasonably current.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →