Skip to content
Latchkey

requests "SSLError: CERTIFICATE_VERIFY_FAILED" - REQUESTS_CA_BUNDLE & certifi

requests could not verify the server’s TLS certificate. It validates against certifi’s bundle by default, so a corporate proxy’s root CA or a private endpoint’s certificate isn’t trusted unless you point requests at the right bundle.

What this error means

Code using requests (directly or via an SDK) fails with requests.exceptions.SSLError: ... CERTIFICATE_VERIFY_FAILED only in CI or behind a corporate network. The same call works on a developer machine whose system trust store includes the proxy CA.

Python traceback
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.example.com', port=443):
Max retries exceeded with url: /v1/data (Caused by SSLError(SSLCertVerificationError(
1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1006)')))

Common causes

requests uses certifi, not the system store

requests ships its own CA bundle (certifi) and ignores the OS trust store. A proxy CA added to the system store still won’t be trusted by requests.

TLS-intercepting proxy or private endpoint

A corporate proxy re-signs HTTPS with its own root, or you call a private endpoint with a custom CA. Neither is in certifi, so verification fails.

How to fix it

Point requests at the corporate CA bundle

Set REQUESTS_CA_BUNDLE (honored by requests) to a PEM that includes the proxy/private root.

Terminal
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/corporate-root.pem
# urllib3/curl also honor:
export SSL_CERT_FILE=/etc/ssl/certs/corporate-root.pem

Refresh certifi for public endpoints

If the failure is against a public host, a stale certifi may be missing a newer intermediate. Upgrade it.

Terminal
pip install --upgrade certifi
python -c "import certifi, requests; print(certifi.where())"

Pass verify= for a one-off call

You can point a single request at a CA file via verify.

Python
requests.get(url, verify="/etc/ssl/certs/corporate-root.pem")

How to prevent it

  • Provide the corporate root CA via REQUESTS_CA_BUNDLE/SSL_CERT_FILE in CI.
  • Keep certifi current for public TLS endpoints.
  • Avoid verify=False; trust the correct CA instead.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →