What Does SSL Certificate_Verified_Failed Error in Python Mean?
The “[SSL: CERTIFICATE_VERIFY_FAILED]” error occurs when your program cannot verify the SSL certificate of a website you’re trying to connect to. When encountering the “ssl certificate_verify_failed” message, Python believes the connection is not secure. The most common causes are outdated certificates, missing root certificates on your system, or incorrect SSL verification settings in your code.
Python enforces these security checks to protect against man-in-the-middle attacks and ensure data privacy. You can fix this by updating your certificates, installing required root certificates, or using the correct certificate verification settings in your requests.
Why Do the Python requests SSL Certificate_Verify_Failed Errors occur?
Python SSL certificate verification errors happen when your code tries to make HTTPS requests but cannot verify the server’s SSL certificate. This error occurs due to missing root certificates, outdated certificate authorities, or self-signed certificates on the server.
The most common cause is Python’s inability to locate the SSL certificate bundle on your system. Windows users often face this issue because Python can’t find the default certificate store.
The error message “SSL: CERTIFICATE_VERIFY_FAILED” appears when Python’s security checks fail to validate the server’s certificate, preventing secure connections from being established.
The main reasons for Python SSL Certificate_Verify_Failed errors include:
- Missing root certificates in your system’s certificate store
- Outdated or incomplete certificate authority (CA) files
- Self-signed certificates not added to trusted certificates
- Wrong system time affecting certificate validation
- Python unable to locate the default certificate path
- Expired SSL certificates on the target server
- Misconfigured SSL certificate chains
- Security software blocking certificate verification
- Different Python versions using different certificate stores
- Network proxy interference with SSL verification
- Invalid or corrupted local certificate files
- Operating system’s certificate store not properly updated
10 Best Ways to Fix CERTIFICATE_VERIFY_FAILED Error in Python
The CERTIFICATE_VERIFY_FAILED is the most common manifestation of this issue in Python. So to resolve it, you need to properly configure certificate verification on your system.
- Check Certificate Details
- Add Certificate as Trusted
- Use certifi Certificate Bundle
- Disable Certificate Verification
- Update System Root CAs
- Use Python Requests Properly
- Configure Protocols and Ciphers
- Use Client Certificate Authentication
- Check for Intermediates
- Upgrade Outdated Dependencies
1. Check Certificate Details
As a first step, check the details of the certificate causing issues. You can use the openssl command to do this:
openssl s_client -connect host:port -servername hostname -showcerts
This will print out the full certificate sent by the server and highlight any issues with it.
Check that:
- The certificate is signed by a trusted authority like Let’s Encrypt or trusted commercial CAs. Self-signed certificates will be untrusted by default.
- The certificate is still valid and not expired.
- The hostname matches what you are trying to connect to.
- The chain of trust is complete with intermediate/root certificates present.
This will help you identify the reason your system is rejecting the certificate.
2. Add Certificate as Trusted
If the certificate itself is valid but simply not trusted by your system, you can add it as a trusted certificate.
Get the certificate from the server in PEM format and add it to your trusted CA list:
# Get certificate
openssl s_client -connect host:443 -servername hostname -showcerts </dev/null 2>/dev/null| openssl x509 -outform PEM > mycert.pem
# Add to trusted CA list
sudo cp mycert.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates
Now your system will trust this particular self-signed certificate.
3. Use certifi Certificate Bundle
The certifi package provides Mozilla’s curated bundle of Root CAs to verify certificates. This contains certificates trusted by all major browsers and operating systems.
You can use this directly instead of relying on your system CA store:
import certifi
import ssl
context = ssl.create_default_context(cafile=certifi.where())
Pass the context when making requests to use certifi for verification.
4. Disable Certificate Verification
If you understand the risks and want to disable certificate verification entirely, you can do:
import ssl
context = ssl._create_unverified_context()
And use this context for requests.
Warning: This disables all protection provided by SSL and makes your application vulnerable to MITM attacks. Only do this in development environments, never in production!
5. Update System Root CAs
On Linux systems, the root CA certificates are stored in /etc/ssl/certs. Updating them may resolve issues:
sudo update-ca-certificates
On Mac, run:
sudo /Applications/Python 3.6/Install Certificates.command
And on Windows, use the Certificate Manager to update trusted root certificates.
Keep your system CA stores up-to-date to avoid problems verifying newly issued certificates.
6. Use Python Requests Properly
The Requests library has some convenient ways to handle certificates that avoid verification issues:
Verify Hostname
requests.get('https://example.com', verify=True)This will verify both the CA and hostname by default.
Specify CA Bundle
requests.get('https://example.com', verify='/path/to/ca/bundle')Use your own CA bundle instead of system default.
Disable Verifications
requests.get('https://example.com', verify=False)Not recommended but allows ignoring verification errors.
Using Requests properly prevents many SSL errors.
7. Configure Protocols and Ciphers
Sometimes issues arise if servers don’t support modern TLS versions or cipher suites.
You can configure the SSL protocols and ciphers supported in Python:
import ssl
ssl.PROTOCOL_TLSv1_2
ssl.OP_NO_SSLv3
context.options |= ssl.OP_NO_SSLv2
context.options |= ssl.OP_NO_SSLv3
context.set_ciphers('ECDHE+AESGCM:!aNULL')
This forces Python to use TLS v1.2+ with strong encryption ciphers only.
8. Use Client Certificate Authentication
For client certificate authentication:
context = ssl.SSLContext()
context.load_cert_chain('/path/to/client/cert', '/path/to/private/key')
And use this context to present certificates to the server.
9. Check for Intermediates
If you get certificate chain errors, it means intermediate certificates are missing.
Fetch the intermediate certs in PEM format and append them to your certificate:
cat domain.crt intermediate1.pem intermediate2.pem > chained.pem
Now pass the chained PEM file for successful verification.
10. Upgrade Outdated Dependencies
Older versions of libraries like urllib3, PyOpenSSL etc. can sometimes trigger certificate issues.
Make sure you upgrade them to their latest versions to get fixes for SSL/TLS bugs:
pip install --upgrade urllib3 pyopenssl requests certify
Keep your packages upgraded to avoid known SSL/TLS issues.
Final Thoughts
Certificate verification is crucial for secure HTTPS connections. Make sure to properly validate certificates in your Python applications and avoid disabling verification without understanding the implications.
Use the latest SSL module, check certificates thoroughly, keep system CAs updated, configure protocol and ciphers appropriately, and upgrade related libraries regularly to avoid SSL errors.
With some diligent troubleshooting and SSL configuration, you can resolve CERTIFICATE_VERIFY_FAILED and other certificate problems in Python. This will enable your apps to securely leverage HTTPS connections with proper validation.
Frequently Asked Questions on Certificate Verify Failed Error in Python
Common questions and explanations about the ‘Certificate Verify Failed’ error in Python.
Why am I getting SSL certificate verify failed error in Python?
SSL certificate errors occur when Python cannot verify the security certificate of a website. This happens due to missing root certificates in Python’s installation or outdated certificate authorities. The error protects users from potential security risks.
How do I bypass SSL certificate in Python requests?
Users can add “verify=False” parameter in Python requests to bypass SSL verification. Example: requests.get(‘https://example.com’, verify=False). Note: This method reduces security and should only be used in testing environments.
How do I fix Python SSL certificate error in Windows?
Install the certifi package using “pip install certifi”. Update Python’s certificates with “pip install –upgrade certifi”. These steps will update the root certificates and resolve most SSL verification errors.
How do I install SSL certificate in Python?
Download the required SSL certificate from the website. Use the ssl.create_default_context() function to load the certificate. Add the certificate path to your Python script using context.load_verify_locations(“certificate.pem”).
Can I disable SSL verification permanently in Python?
Set the PYTHONHTTPSVERIFY=0 environment variable. Add urllib3.disable_warnings() to suppress warnings. However, this practice compromises security and is not recommended for production code.
How do I update Python certificates?
Run “pip install –upgrade pip” first. Execute “pip install –upgrade certifi” next. These commands update both pip and the certificate store to their latest versions.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
