You’re making an HTTP request in Python and suddenly:

ssl.SSLCertVerificationError:[SSL:CERTIFICATE_VERIFY_FAILED]certificateverifyfailed:unabletogetlocalissuercertificate

Or with requests:

rM'ea[qxSuSerLse:ttsrC.iEeeRxsTcIeeFpxItcCieAoeTndEse_.dVSESwRLiIEtFrhYr_ouFrrA:lI:LHET/DTd]PaStcCaeorn(tnCieafcuitscieaodtnePboyvoelSr(SihLfoEysrtrf=oa'ria(lpSeiSd.L:eCxeuarnmtapVblelere.icftoiomc'ag,teitpoonlrEotrc=ra4ol4r3(i)1s:,suercertificate')))

This error means Python can’t verify the SSL certificate of the server you’re connecting to. Here’s why it happens and how to actually fix it (not just disable verification).

Why This Happens

Python uses a certificate bundle to verify SSL certificates. The error occurs when:

  1. Your system’s CA certificates are outdated or missing
  2. You’re on macOS and haven’t installed certificates (common after Python install)
  3. You’re in a corporate environment with a proxy/firewall that intercepts HTTPS
  4. The server has a self-signed or invalid certificate
  5. You’re in a Docker container without CA certificates installed

The Wrong Fix (Don’t Do This in Production)

You’ll see this everywhere online:

1
2
3

# DON'T do this in production
import requests
requests.get('https://api.example.com', verify=False)

Or:

1
2
3

# Also bad
import ssl
ssl._create_default_https_context = ssl._create_unverified_context

This disables SSL verification entirely, making you vulnerable to man-in-the-middle attacks. Only use this for local development with self-signed certs.

The Right Fixes

Fix 1: Update CA Certificates (Linux)

Most common on minimal Docker images or fresh Linux installs:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Debian/Ubuntu
apt-get update && apt-get install -y ca-certificates

# Alpine
apk add --no-cache ca-certificates

# RHEL/CentOS/Fedora
dnf install ca-certificates
# or
yum install ca-certificates

Then update the certificate store:

1

update-ca-certificates

Fix 2: Install certifi (Python Package)

The certifi package provides Mozilla’s CA bundle:

1

pip install certifi

Then use it explicitly:

1
2
3
4

import requests
import certifi

response = requests.get('https://api.example.com', verify=certifi.where())

For urllib:

1
2
3
4
5
6

import urllib.request
import ssl
import certifi

context = ssl.create_default_context(cafile=certifi.where())
response = urllib.request.urlopen('https://api.example.com', context=context)

Fix 3: macOS Python Certificate Fix

If you installed Python via python.org installer on macOS, run:

1

/Applications/Python\ 3.x/Install\ Certificates.command

Or manually:

1
2

pip install --upgrade certifi
open /Applications/Python\ 3.*/Install\ Certificates.command

This installs certifi and symlinks it to the system certificate store.

Fix 4: Corporate Proxy / Custom CA

If your company uses a proxy that re-signs HTTPS traffic, you need to add their CA certificate:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Get your corporate CA cert (ask IT or export from browser)
# Add it to the system store

# Linux
cp corporate-ca.crt /usr/local/share/ca-certificates/
update-ca-certificates

# Then tell Python about it
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Or in Python:

1
2
3
4
5

import os
os.environ['REQUESTS_CA_BUNDLE'] = '/path/to/corporate-ca-bundle.crt'

import requests
response = requests.get('https://internal-api.company.com')

Fix 5: Docker Container Fix

Add this to your Dockerfile:

1
2
3
4
5
6
7
8
9

FROM python:3.11-slim

# Install CA certificates
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Install certifi as backup
RUN pip install --no-cache-dir certifi

For Alpine-based images:

1
2
3

FROM python:3.11-alpine

RUN apk add --no-cache ca-certificates

Debugging SSL Issues

Check what certificate store Python is using:

1
2

import ssl
print(ssl.get_default_verify_paths())

Verify a specific certificate chain:

1

openssl s_client -connect api.example.com:443 -showcerts

Check if certifi is installed and where:

1
2

import certifi
print(certifi.where())

Quick Reference

SituationFix
Fresh Linux/Dockerapt-get install ca-certificates
macOS Python installRun Install Certificates.command
Corporate proxyAdd company CA to system store
Need portable solutionUse certifi package
Self-signed cert (dev only)verify=False or add cert to bundle

Summary

The CERTIFICATE_VERIFY_FAILED error almost always means your Python environment is missing CA certificates. Install ca-certificates at the system level, use the certifi package, or add your corporate CA to the trust store. Avoid disabling verification in production—it’s a security risk that will come back to bite you.