What Does CERTIFICATE_VERIFY_FAILED Mean in Python?
The CERTIFICATE_VERIFY_FAILED error occurs when Python cannot validate an SSL/TLS certificate while making HTTPS requests. Your script fails because Python’s SSL module blocks connections to websites with certificates it considers untrusted, expired, or improperly configured.
This happens most frequently when using libraries like urllib, requests, or pip to fetch data from secure websites. The error protects you from man-in-the-middle attacks, but legitimate sites sometimes trigger false positives.
Why Does Python Reject Valid SSL Certificates?
Python relies on a certificate authority (CA) bundle to verify website identities. When this bundle becomes outdated or missing, Python flags even legitimate certificates as suspicious.
Corporate networks create another common trigger. Company firewalls often intercept HTTPS traffic using self-signed certificates that Python doesn’t recognize. Your browser accepts these because IT departments install custom root certificates, but Python installations lack these modifications.
Outdated Python installations also cause verification failures. According to Stack Overflow’s 2025 Developer Survey, certificate-related errors rank among the top five Python installation issues developers encounter.
How Do You Fix Certificate Verification Errors?
1. Update Your Certificate Bundle
Run this command to update the certifi package, which provides Python’s trusted certificate list:
pip install --upgrade certifi
/Applications/Python\ 3.x/Install\ Certificates.command
Replace 3.x with your Python version. This installs current CA certificates system-wide.
2. Install Certificates on Windows
Windows users should update both certifi and pip:
python -m pip install --upgrade pip certifi
If errors persist, download certificates manually from the official certifi GitHub repository and place them in your Python installation’s site-packages/certifi folder.
3. Configure Requests Library Properly
When using the requests library, specify the certificate bundle explicitly:
import requests
import certifi
response = requests.get('https://example.com', verify=certifi.where())This approach works reliably across operating systems. The certifi.where() function returns the path to updated certificates.
4. Set Environment Variables for System-Wide Fixes
Export certificate paths as environment variables to fix verification across all Python scripts:
Linux/macOS:
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
Windows (Command Prompt):
set REQUESTS_CA_BUNDLE=C:\path\to\certifi\cacert.pem set SSL_CERT_FILE=C:\path\to\certifi\cacert.pem
Find the certifi path by running python -m certifi in your terminal.
Should You Disable SSL Verification?
Disabling verification removes encryption security and exposes your application to attacks. Only consider this for isolated development environments that never connect to production systems.
If you absolutely must disable verification temporarily:
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
response = requests.get('https://example.com', verify=False)Never deploy code with verify=False to production servers. As of January 2025, data breaches cost companies an average of $4.45 million according to IBM’s Cost of a Data Breach Report, with SSL misconfigurations contributing to many incidents.
What Causes Certificate Errors in Corporate Networks?
Corporate proxy servers decrypt and re-encrypt HTTPS traffic using company-issued certificates. Python doesn’t trust these certificates by default, triggering verification failures.
Request your IT department’s root certificate (usually a .crt or .pem file). Add it to Python’s certificate store:
import requests
response = requests.get(
'https://internal-site.company.com',
verify='/path/to/company-root-cert.pem'
)Some organizations provide certificate bundles combining their root certificate with standard CA certificates. Use these bundles instead of disabling verification entirely.
How Do You Fix Certificate Errors When Installing Packages?
Pip installations fail with certificate errors when PyPI’s SSL certificate can’t be verified. Update pip’s certificate handling:
pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org package-name
For permanent solutions, configure pip to use updated certificates:
pip config set global.cert /path/to/certifi/cacert.pem
|
Solution |
Security Level |
Use Case |
|
Update certifi |
High |
First attempt for all environments |
|
Specify certificate path |
High |
Persistent errors with valid certificates |
|
Environment variables |
High |
System-wide configuration needed |
|
Trust specific host |
Medium |
Temporary package installation |
|
Disable verification |
Low |
Never use in production |
Can Antivirus Software Cause SSL Errors?
Antivirus programs with HTTPS scanning capabilities inject their own certificates into secure connections. Python rejects these modified certificates because they don’t match the website’s original certificate.
Temporarily disable HTTPS scanning in your antivirus settings to test if this causes your errors. If disabling antivirus resolves the issue, add Python to your antivirus exclusion list rather than keeping HTTPS scanning off.
Popular antivirus software like Kaspersky and AVG require certificate installations for Python compatibility. Check your antivirus documentation for Python-specific certificate export instructions.
What’s the Best Long-Term Solution?
Keeping Python and packages current prevents most certificate verification problems. Set up automatic updates for critical security packages:
pip install --upgrade pip setuptools certifi requests urllib3
Document your certificate configuration in project README files. Teams working across different networks need clear instructions for handling corporate certificates without compromising security.
Monitor certificate expiration dates for internal services. Python’s ssl module provides built-in functions to check certificate validity:
import ssl
import socket
cert = ssl.get_server_certificate(('example.com', 443))
x509 = ssl.PEM_cert_to_DER_cert(cert)Frequently Asked Questions on Certificate Verify Failed Error in Python
Common questions and explanations about the ‘Certificate Verify Failed’ error in Python.
Can I use self-signed certificates with Python requests?
Yes, you can use self-signed certificates by specifying the certificate file path in the verify parameter: requests.get(url, verify=’/path/to/cert.pem’). This tells Python to trust your specific certificate without disabling verification entirely. Self-signed certificates work well for internal tools and development environments where you control the certificate authority.
Does updating Python fix SSL certificate errors?
Updating Python often resolves certificate errors because newer versions include updated CA bundles and improved SSL handling. Python 3.10+ comes with better certificate management and automatic certifi integration. However, you may still need to run the post-installation certificate script on macOS or manually update certifi on older systems.
What’s the difference between SSL and TLS in Python errors?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) refer to the same encryption protocols in Python, with TLS being the modern version. Python’s error messages use “SSL” for historical reasons, but the actual protocol is TLS 1.2 or 1.3. Both terms appear interchangeably in error messages and documentation.
How do I fix certificate errors in Docker containers?
Install CA certificates in your Dockerfile using RUN apt-get update && apt-get install -y ca-certificates for Debian/Ubuntu images. Then install Python’s certifi package and set the REQUESTS_CA_BUNDLE environment variable to point to /etc/ssl/certs/ca-certificates.crt. This ensures your containerized Python applications can verify SSL certificates correctly.
Why does pip work in browser but fail with certificate errors?
Browsers maintain their own certificate stores separate from Python’s certificate bundle. Your browser automatically updates certificates and may have corporate root certificates installed by IT policies. Python’s pip uses the certifi package which requires manual updates and doesn’t inherit browser certificate configurations.
Can expired SSL certificates cause Python errors even if the website loads?
Yes, browsers often cache valid certificates or show warnings you can bypass, while Python strictly enforces certificate validity. Websites with expired certificates will load in browsers with manual confirmation but immediately fail in Python scripts. Check certificate expiration dates using openssl s_client -connect domain.com:443 -servername domain.com to verify validity before troubleshooting Python code.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
