Introduction

Python's requests library and urllib verify SSL certificates by default. When the certificate chain cannot be validated -- due to missing CA certificates, corporate proxies, or expired certificates -- the request fails with "SSLError: certificate verify failed".

This error is especially common on macOS with Python 3.6+, corporate environments with TLS intercepting proxies, and minimal Docker containers without CA certificates installed.

Symptoms

  • requests.get raises "SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed"
  • Error message includes "unable to get local issuer certificate"
  • Same URL works in browser but fails in Python code

Common Causes

  • Missing or outdated CA certificate bundle on the system
  • Corporate proxy intercepting and re-signing TLS traffic
  • Python installed from python.org on macOS does not install certificates by default

Step-by-Step Fix

  1. 1.Install certificates on macOS: Run the certificate installation script bundled with Python.
  2. 2.```bash
  3. 3.# For Python installed from python.org on macOS:
  4. 4.open /Applications/Python\ 3.11/Install\ Certificates.command

# Or run manually: python3 -m pip install --upgrade certifi python3 -c "import certifi; print(certifi.where())" ```

  1. 1.Point requests to the correct CA bundle: Specify the CA bundle path explicitly.
  2. 2.```python
  3. 3.import os
  4. 4.import requests

# Use certifi's CA bundle os.environ['REQUESTS_CA_BUNDLE'] = '/path/to/ca-bundle.crt'

# Or pass verify parameter directly: response = requests.get('https://api.example.com', verify='/path/to/ca-bundle.crt')

# Use certifi bundle: import certifi response = requests.get('https://api.example.com', verify=certifi.where()) ```

  1. 1.Configure corporate proxy certificate: Add the corporate CA to Python's trust store.
  2. 2.```bash
  3. 3.# Find the certifi CA bundle location:
  4. 4.import certifi
  5. 5.print(certifi.where()) # e.g., /usr/local/lib/python3.11/site-packages/certifi/cacert.pem

# Append your corporate CA to the bundle: cat corporate-ca.crt >> $(python -c 'import certifi; print(certifi.where())') ```

  1. 1.Install CA certificates in Docker containers: Ensure base images include CA certificates.
  2. 2.```dockerfile
  3. 3.# In your Dockerfile:
  4. 4.FROM python:3.11-slim
  5. 5.RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*

# For Alpine-based images: FROM python:3.11-alpine RUN apk add --no-cache ca-certificates ```

Prevention

  • Always keep certifi package updated: pip install -U certifi
  • Include ca-certificates in Docker base images
  • Never use verify=False in production -- it exposes you to man-in-the-middle attacks
  • Test SSL connectivity as part of your CI/CD pipeline