requests "SSLError: CERTIFICATE_VERIFY_FAILED" - REQUESTS_CA_BUNDLE & certifi
requests could not verify the server’s TLS certificate. It validates against certifi’s bundle by default, so a corporate proxy’s root CA or a private endpoint’s certificate isn’t trusted unless you point requests at the right bundle.
What this error means
Code using requests (directly or via an SDK) fails with requests.exceptions.SSLError: ... CERTIFICATE_VERIFY_FAILED only in CI or behind a corporate network. The same call works on a developer machine whose system trust store includes the proxy CA.
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.example.com', port=443):
Max retries exceeded with url: /v1/data (Caused by SSLError(SSLCertVerificationError(
1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1006)')))Common causes
requests uses certifi, not the system store
requests ships its own CA bundle (certifi) and ignores the OS trust store. A proxy CA added to the system store still won’t be trusted by requests.
TLS-intercepting proxy or private endpoint
A corporate proxy re-signs HTTPS with its own root, or you call a private endpoint with a custom CA. Neither is in certifi, so verification fails.
How to fix it
Point requests at the corporate CA bundle
Set REQUESTS_CA_BUNDLE (honored by requests) to a PEM that includes the proxy/private root.
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/corporate-root.pem
# urllib3/curl also honor:
export SSL_CERT_FILE=/etc/ssl/certs/corporate-root.pemRefresh certifi for public endpoints
If the failure is against a public host, a stale certifi may be missing a newer intermediate. Upgrade it.
pip install --upgrade certifi
python -c "import certifi, requests; print(certifi.where())"Pass verify= for a one-off call
You can point a single request at a CA file via verify.
requests.get(url, verify="/etc/ssl/certs/corporate-root.pem")How to prevent it
- Provide the corporate root CA via
REQUESTS_CA_BUNDLE/SSL_CERT_FILEin CI. - Keep
certificurrent for public TLS endpoints. - Avoid
verify=False; trust the correct CA instead.