Introduction

The Python error "certificate verify failed" means the Python TLS client reached the remote endpoint but rejected its certificate chain. The issue is often trust-related: a missing CA bundle, corporate TLS interception, a stale certifi package, or a server that does not send the full intermediate chain.

Symptoms

  • Python HTTPS requests fail with certificate verify errors
  • Browsers may trust the same endpoint while Python does not
  • The problem is worse in containers, CI, or corporate networks
  • The error appears after certificate rotation or environment rebuilds

Common Causes

  • The Python runtime cannot find a valid CA bundle
  • certifi or system CA packages are outdated
  • A proxy or TLS inspection layer presents an untrusted certificate
  • The remote server does not send a complete certificate chain

Step-by-Step Fix

  1. Read the exact certificate verify error
     Determine whether the problem is unknown CA, hostname mismatch, or chain failure.

       python -c "import requests; print(requests.get('https://example.com', timeout=10).status_code)"

  2. Check which CA bundle Python is using
     certifi, requests, and system OpenSSL paths can differ by environment.

       python -c "import ssl, certifi; print(ssl.get_default_verify_paths()); print(certifi.where())"

  3. Inspect the live server chain
     Use OpenSSL or curl to confirm what the remote endpoint actually presents.

       openssl s_client -connect example.com:443 -servername example.com -showcerts
       curl -Iv https://example.com

  4. Retest after updating trust material
     If trust is the issue, update the right CA path rather than disabling verification.

       python -m pip install --upgrade certifi
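
The steps above can be combined into one check. The following is an added example, not part of the original page: it performs a verified handshake with the standard library against each available CA bundle and maps the OpenSSL verify code to the failure classes named in the first step. The names `classify` and `probe` and the category labels are assumptions of this example.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, exposed as SSLCertVerificationError.verify_code.
CATEGORIES = {
    9: "validity",            # certificate is not yet valid
    10: "validity",           # certificate has expired
    18: "unknown-ca",         # self-signed leaf certificate
    19: "unknown-ca",         # self-signed root in chain, absent from bundle
    20: "chain-or-bundle",    # unable to get local issuer certificate
    21: "chain-or-bundle",    # unable to verify the first certificate
    62: "hostname-mismatch",  # certificate not valid for the requested name
}
HINTS = {
    "validity": "expired or not yet valid: check rotation and the local clock",
    "unknown-ca": "root not in this bundle: private CA or TLS inspection proxy",
    "chain-or-bundle": "issuer not found: server omits an intermediate, "
                       "or the CA bundle is missing or outdated",
    "hostname-mismatch": "name not covered by the certificate: not a trust issue",
    "other": "see detail",
}

def classify(verify_code):
    """Map an OpenSSL verify code to one of the example's category labels."""
    return CATEGORIES.get(verify_code, "other")

def probe(host, port=443, cafile=None, timeout=10):
    """Handshake with verification enabled and report which check failed."""
    ctx = ssl.create_default_context(cafile=cafile)  # None = system trust store
    report = {"host": host, "bundle": cafile or "system default", "result": "ok"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                pass  # handshake succeeded: chain and hostname verified
    except ssl.SSLCertVerificationError as exc:
        report["result"] = classify(exc.verify_code)
        report["detail"] = exc.verify_message
        report["hint"] = HINTS[report["result"]]
    return report

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    bundles = [None]
    try:
        import certifi  # optional: compare certifi against the system store
        bundles.append(certifi.where())
    except ImportError:
        pass
    for bundle in bundles:
        print(probe(target, cafile=bundle))
```

A different result for the system store and the certifi bundle on the same host shows which trust path needs updating.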

Prevention

  • Keep CA bundles and certifi current in long-lived environments
  • Test Python TLS clients after proxy or certificate changes
  • Avoid disabling verification except for temporary debugging
  • Document the trust path used by each Python runtime