requests "SSLCertVerificationError" - Fix CERTIFICATE_VERIFY_FAILED in CI
A requests call could not verify the server’s TLS certificate. Either the runner lacks CA certificates, certifi is stale, or a corporate proxy is presenting its own root the runner does not trust.
What this error means
An HTTPS request via requests (or anything on urllib3) raises requests.exceptions.SSLError: ... [SSL: CERTIFICATE_VERIFY_FAILED] unable to get local issuer certificate. It passes on a developer machine but fails on a bare CI image - an environment trust-store issue, not a code bug.
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.example.com',
port=443): Max retries exceeded with url: /v1/data (Caused by
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))Common causes
Missing or stale CA certificates
A minimal image lacks ca-certificates, or certifi (the CA bundle requests uses) is outdated, so the issuing CA is not trusted.
A TLS-intercepting proxy
A corporate proxy re-signs HTTPS with its own root CA. Unless that root is in the trust store, every verification fails.
How to fix it
Install CA certificates and refresh certifi
# Debian/Ubuntu
apt-get update && apt-get install -y ca-certificates
update-ca-certificates
pip install --upgrade certifiTrust the proxy root via REQUESTS_CA_BUNDLE
Point requests at the proxy’s CA bundle rather than disabling verification.
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/corporate-root.pem
# or in code, per call:
requests.get(url, verify="/etc/ssl/certs/corporate-root.pem")How to prevent it
- Use a runner image with
ca-certificatespreinstalled. - Provide the corporate root CA via
REQUESTS_CA_BUNDLE, notverify=False. - Keep
certifireasonably current.