Python requests/urllib3 fails with ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] unable to get local issuer certificate. Python takes its CA bundle from the certifi package. Fix: pip install --upgrade certifi. On macOS — run /Applications/Python 3.x/Install Certificates.command. Corporate proxy with MITM — export REQUESTS_CA_BUNDLE=/path/to/corporate-ca.pem.
Below: details, example, related, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
# Update certifi
$ pip install --upgrade certifi
# macOS fix
$ /Applications/Python\ 3.12/Install\ Certificates.command
# Corporate MITM proxy — add CA
$ export REQUESTS_CA_BUNDLE=/etc/ssl/certs/corporate-mitm.pem
# Python code: explicit bundle
import requests, certifi
resp = requests.get('https://api.example.com', verify=certifi.where())
# Debug only (NEVER in prod):
resp = requests.get('https://api.example.com', verify=False)The ssl.SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED error in Python indicates that the SSL certificate presented by a server is not trusted. This typically occurs due to expired certificates, self-signed certificates, or missing root certificates in the certificate chain. To resolve this, ensure the server's SSL certificate is valid and trusted, and update your local certificate store if necessary.
When encountering the ssl.SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED error, it's essential to understand the various factors that can trigger this issue. Here are the most common causes:
Understanding these causes is crucial for troubleshooting and resolving the CERTIFICATE_VERIFY_FAILED error effectively.
To resolve the ssl.SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED error, you can take several practical steps. Here’s a structured approach to troubleshooting:
openssl s_client -connect example.com:443 -servername example.comReplace example.com with the domain you are trying to access. Look for the notAfter field to see the expiration date.
openssl s_client -connect example.com:443 -showcertsThis command will display the entire certificate chain. Ensure that all certificates are valid and properly linked.
sudo apt-get update && sudo apt-get install --reinstall ca-certificatesFor Red Hat-based systems, use:
sudo yum update ca-certificatesimport ssl
ssl._create_default_https_context = ssl._create_unverified_contextThis will bypass SSL verification but expose your application to security risks.
By following these steps, you can systematically identify and resolve the ssl.SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED error, ensuring secure connections to your servers.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeThe Python.org installer ships certifi, but the system trust store is separate. Running Install Certificates.command links the bundle.
Export REQUESTS_CA_BUNDLE to the corporate root CA. IT usually provides the file.
Debug only in dev. In prod = MITM vulnerability. Use httpbin.org with self-signed + a local CA in trust.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.