10 Quick Fixes for SSL CERTIFICATE_VERIFY_FAILED Error in Python (Solved!)

Last updated Nov 7, 2025 | SSL Errors

Quick Summary

The “CERTIFICATE_VERIFY_FAILED” error in Python occurs when your program fails to verify the SSL certificate of a website, often due to missing or outdated root certificates. To fix this, update your system’s trusted certificates, use the certifi package for up-to-date CA bundles, or correctly configure SSL verification settings in your Python code.

What Does the SSL CERTIFICATE_VERIFY_FAILED Error in Python Mean?

The “[SSL: CERTIFICATE_VERIFY_FAILED]” error occurs when your program cannot verify the SSL certificate of a website you’re trying to connect to. When encountering the “ssl certificate_verify_failed” message, Python believes the connection is not secure. The most common causes are outdated certificates, missing root certificates on your system, or incorrect SSL verification settings in your code.

Python enforces these security checks to protect against man-in-the-middle attacks and ensure data privacy. You can fix this by updating your certificates, installing required root certificates, or using the correct certificate verification settings in your requests.

Why Do Python requests SSL CERTIFICATE_VERIFY_FAILED Errors Occur?

Python SSL certificate verification errors happen when your code tries to make HTTPS requests but cannot verify the server’s SSL certificate. This error occurs due to missing root certificates, outdated certificate authorities, or self-signed certificates on the server.

Resolving these certificate verification issues requires proper configuration of your Python environment. Windows users often face this issue because Python can’t find the default certificate store.

The error message “SSL: CERTIFICATE_VERIFY_FAILED” appears when Python’s security checks fail to validate the server’s certificate, preventing secure connections from being established.

The main reasons for Python SSL Certificate_Verify_Failed errors include:

  • Missing root certificates in your system’s certificate store
  • Outdated or incomplete certificate authority (CA) files
  • Self-signed certificates not added to trusted certificates
  • Wrong system time affecting certificate validation
  • Python unable to locate the default certificate path
  • Expired SSL certificates on the target server
  • Misconfigured SSL certificate chains
  • Security software blocking certificate verification
  • Different Python versions using different certificate stores
  • Network proxy interference with SSL verification
  • Invalid or corrupted local certificate files
  • Operating system’s certificate store not properly updated

10 Best Ways to Fix CERTIFICATE_VERIFY_FAILED Error in Python

CERTIFICATE_VERIFY_FAILED is the most common manifestation of this issue in Python. To resolve it, you need to properly configure certificate verification on your system.

  • Check Certificate Details
  • Add Certificate as Trusted
  • Use certifi Certificate Bundle
  • Disable Certificate Verification
  • Update System Root CAs
  • Use Python Requests Properly
  • Configure Protocols and Ciphers
  • Use Client Certificate Authentication
  • Check for Intermediates
  • Upgrade Outdated Dependencies

1. Check Certificate Details

As a first step, check the details of the certificate causing issues. You can use the openssl command to do this:

openssl s_client -connect host:port -servername hostname -showcerts

This prints the certificates sent by the server. The “Verify return code” line near the end of the output reports any problem found with them.

Check that:

  • The certificate is signed by a trusted authority like Let’s Encrypt or trusted commercial CAs. Self-signed certificates will be untrusted by default.
  • The certificate is still valid and not expired.
  • The hostname matches what you are trying to connect to.
  • The chain of trust is complete with intermediate/root certificates present.

This will help you identify the reason your system is rejecting the certificate.
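The same triage can be done from Python, because a failed handshake carries the OpenSSL verify code that says which item on the checklist failed. This is an added example, not code from the original article; the names probe and classify and the advice strings are chosen here, and the numeric codes are OpenSSL's X509_V_ERR_* values.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* numbers, as exposed in SSLCertVerificationError.verify_code,
# mapped onto the checklist above. Cause labels and advice text are this example's own.
CAUSES = {
    9: ("not_yet_valid", "notBefore is in the future; check the local clock"),
    10: ("expired", "certificate has expired; check the local clock, else the server must renew"),
    18: ("self_signed", "self-signed server certificate; trust it explicitly after checking it"),
    19: ("untrusted_root", "chain ends in a root outside your CA bundle, e.g. an inspecting proxy"),
    20: ("missing_issuer", "issuer not in your CA bundle, or the server omitted an intermediate"),
    21: ("missing_issuer", "only the leaf was sent and its issuer is unknown locally"),
    62: ("hostname_mismatch", "certificate does not list the name you connected to"),
}


def classify(verify_code, verify_message=""):
    """Translate an OpenSSL verify code into a (cause, advice) pair."""
    if verify_code in CAUSES:
        return CAUSES[verify_code]
    return ("other", verify_message or "OpenSSL verify code %d" % verify_code)


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake with verification on; return ("ok", version) or the classified failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code, exc.verify_message)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Passing cafile lets you test whether a particular bundle (for example certifi's) would accept the server before changing any application code.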

2. Add Certificate as Trusted

If the certificate itself is valid but simply not trusted by your system, you can add it as a trusted certificate. 

Get the certificate from the server in PEM format and add it to your trusted CA list:

# Get certificate
openssl s_client -connect host:443 -servername hostname -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > mycert.pem
# Add to trusted CA list (update-ca-certificates only picks up files ending in .crt)
sudo cp mycert.pem /usr/local/share/ca-certificates/mycert.crt
sudo update-ca-certificates

Now your system will trust this particular self-signed certificate.

3. Use certifi Certificate Bundle

The certifi package provides Mozilla’s curated bundle of Root CAs to verify certificates. This contains certificates trusted by all major browsers and operating systems.

You can use this directly instead of relying on your system CA store:

import certifi
import ssl
context = ssl.create_default_context(cafile=certifi.where())

Pass the context when making requests to use certifi for verification.

4. Disable Certificate Verification

If you understand the risks and want to disable certificate verification entirely, you can do:

import ssl
context = ssl._create_unverified_context()

And use this context for requests.

Warning: This disables all protection provided by SSL and makes your application vulnerable to MITM attacks. Only do this in development environments, never in production!

5. Update System Root CAs

On Linux systems, the root CA certificates are stored in /etc/ssl/certs. Updating them may resolve issues:

sudo update-ca-certificates

On Mac, run:

sudo "/Applications/Python 3.6/Install Certificates.command"

And on Windows, use the Certificate Manager to update trusted root certificates. 

Keep your system CA stores up-to-date to avoid problems verifying newly issued certificates.

6. Use Python Requests Properly

The Requests library has some convenient ways to handle certificates that avoid verification issues:

Verify Hostname

import requests
requests.get('https://example.com', verify=True)

This will verify both the CA and hostname by default.

Specify CA Bundle

requests.get('https://example.com', verify='/path/to/ca/bundle')

Use your own CA bundle instead of system default.

Disable Verifications

requests.get('https://example.com', verify=False)

Not recommended but allows ignoring verification errors.

Using Requests properly prevents many SSL errors.

7. Configure Protocols and Ciphers

Sometimes issues arise if servers don’t support modern TLS versions or cipher suites.

You can configure the SSL protocols and ciphers supported in Python:

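import ssl
# Start from the default context, which verifies certificates and hostnames
context = ssl.create_default_context()
# Refuse anything older than TLS 1.2
context.minimum_version = ssl.TLSVersion.TLSv1_2
# Already set by create_default_context(); kept explicit here
context.options |= ssl.OP_NO_SSLv2
context.options |= ssl.OP_NO_SSLv3
# Cipher string applies to TLS 1.2 and below
context.set_ciphers('ECDHE+AESGCM:!aNULL')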

This forces Python to use TLS v1.2+ with strong encryption ciphers only.

8. Use Client Certificate Authentication

For client certificate authentication:

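import ssl
# create_default_context() keeps server certificate and hostname checks enabled
context = ssl.create_default_context()
context.load_cert_chain('/path/to/client/cert', '/path/to/private/key')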

And use this context to present certificates to the server.
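Fixes 4, 7 and 8 all come down to how the SSLContext is built, so the difference between them can be checked by inspecting the context itself. The following is an added example, not code from the original article: build_context, audit and compare are names chosen here, and the sketch assumes Python 3.7 or later.

```python
import ssl


def build_context(cafile=None, extra_ca=None, client_cert=None, client_key=None):
    """Client context where each option adds trust or identity and none removes a check."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL")  # governs suites for TLS 1.2 and below
    if extra_ca:
        ctx.load_verify_locations(cafile=extra_ca)  # e.g. a private root CA in PEM form
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)  # identity presented to the server
    return ctx


def audit(ctx):
    """Return the ways ctx is weaker than a verifying TLS 1.2+ client."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode")      # server certificate is not validated
    if not ctx.check_hostname:
        findings.append("check_hostname")   # certificate is not matched to the host name
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version")  # TLS 1.0/1.1 still negotiable
    return findings


def compare():
    """Audit the hardened context beside the unverified one from fix 4."""
    return {
        "hardened": audit(build_context()),
        "unverified": audit(ssl._create_unverified_context()),
    }


if __name__ == "__main__":
    print(compare())
```

Running audit() on whatever context an application actually passes to its HTTPS client is a quick way to confirm that a workaround for CERTIFICATE_VERIFY_FAILED did not switch verification off.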

9. Check for Intermediates

If you get certificate chain errors, it means intermediate certificates are missing.

Fetch the intermediate certs in PEM format and append them to your certificate:

cat domain.crt intermediate1.pem intermediate2.pem > chained.pem

Now pass the chained PEM file for successful verification.

10. Upgrade Outdated Dependencies

Older versions of libraries like urllib3, PyOpenSSL etc. can sometimes trigger certificate issues.

Make sure you upgrade them to their latest versions to get fixes for SSL/TLS bugs:

pip install --upgrade urllib3 pyopenssl requests certifi

Keep your packages upgraded to avoid known SSL/TLS issues.

Final Thoughts

Certificate verification is crucial for secure HTTPS connections. Make sure to properly validate certificates in your Python applications and avoid disabling verification without understanding the implications.

Use the latest SSL module, check certificates thoroughly, keep system CAs updated, configure protocol and ciphers appropriately, and upgrade related libraries regularly to avoid SSL errors.

With some diligent troubleshooting and SSL configuration, you can resolve CERTIFICATE_VERIFY_FAILED and other certificate problems in Python. This will enable your apps to securely leverage HTTPS connections with proper validation.

Frequently Asked Questions on Certificate Verify Failed Error in Python

Common questions and explanations about the ‘Certificate Verify Failed’ error in Python.

Why does my Python script suddenly say “certificate verify failed” when it worked fine last week?

This error often occurs because SSL certificates on the server may have been renewed, replaced, or expired since your script last ran. Additionally, updates to your system’s root certificate store, Python environment, or related libraries can change trust settings, causing verification failures where none existed before. Network changes or proxy configurations could also be responsible.

What causes the SSL certificate verify failed error in Python after updating certifi to version 2025.4.26?

While the certifi package maintains a curated list of trusted root certificates, updates may sometimes introduce compatibility issues or remove previously trusted certificates, leading to validation errors. It may take time for ecosystem tools and environments to fully support a new release, so temporary errors may happen until all components synchronize.

How do I fix certificate verify failed error on Mac when using Python’s urllib or requests library?

Mac users should run the Install Certificates.command file included with their Python installation. This script updates the macOS system certificate bundle used by Python, ensuring that Python’s SSL verification uses up-to-date trusted roots necessary for HTTPS connections via urllib or requests.

Why am I getting SSL certificate errors in Python on Windows 10 but not on my Linux machine?

Windows and Linux handle system root certificates differently. Python on Windows may not use the OS certificate store as seamlessly as on Linux, requiring manual updates or the use of external packages like certifi. Differences in installed security software or corporate network settings may also affect certificate validations uniquely on each OS.

My Python code broke after our company added Zscaler VPN – how do I fix the SSL certificate error?

Corporate VPN or proxy services like Zscaler often intercept SSL traffic using their own certificates for inspection, which Python won’t trust by default. To fix this, obtain your company’s root certificate and add it to Python’s trusted certificates bundle or configure your HTTP client libraries to explicitly trust this certificate.

Is it safe to use verify=False in Python requests to bypass SSL certificate errors?

Disabling SSL verification (verify=False) bypasses all certificate checks, which leaves applications vulnerable to man-in-the-middle attacks and data interception. This is acceptable only during development or debugging in controlled environments but should never be used in production or with sensitive data.

What’s the correct way to update Python SSL certificates without disabling security?

The safest approach is to update your system’s root CA certificates regularly using OS package managers or tools, ensure Python libraries like certifi are up to date, and use Python’s SSL modules with proper verification contexts to maintain secure SSL communication.

Why can’t I install packages with pip because of certificate verify failed error?

Pip requires a secure SSL connection to download packages. If the underlying certificate store is outdated or misconfigured, pip cannot verify PyPI’s certificates, causing installation failures. Updating certifi, Python, and related SSL libraries usually resolves these issues.

How do I fix SSL certificate errors in PyCharm when downloading NLTK data or other packages?

Verify that PyCharm uses the correct Python interpreter configured with updated certificates and libraries. Updating certifi in the interpreter’s environment, adjusting proxy settings, or configuring SSL trust stores can resolve certificate validation errors in package downloads and data fetching.

How do I add my company’s SSL certificate to Python’s trusted certificates bundle?

Export your company’s root or intermediate certificates as PEM files. Append these files to the certifi bundle or your system’s trusted certificates directory, then configure your Python SSL context (e.g., via ssl.create_default_context) to include these certificates during validation.

Should I upgrade or downgrade certifi to fix Python SSL certificate verification errors?

Upgrading certifi is generally recommended to get the latest trusted certificates and bug fixes. However, in rare cases, a newer version might cause temporary issues; downgrading can be a temporary workaround until an update or fix is released.

What’s better for fixing Python SSL errors: updating certifi or installing pip-system-certs?

Using certifi provides a curated, cross-platform CA bundle independent of the OS. Installing pip-system-certs enables using the OS’s native certificate store, which can be more compatible on some platforms. Choose based on your system environment and use case.

Why does my OpenAI API call fail with “self-signed certificate in chain” error in Python?

This error means the server’s certificate chain includes a self-signed certificate that isn’t trusted by your environment. You can fix it by adding this certificate to trusted stores or disabling verification temporarily for testing (not recommended in production).

How do I set SSL_CERT_FILE environment variable to fix certificate errors in Python?

Set SSL_CERT_FILE to the absolute path of a valid certificate bundle file (such as the certifi CA bundle) so Python explicitly knows which certificates to trust when verifying SSL connections.

Where is the Install Certificates.command file on my Mac after installing Python?

You will find it in the Python application folder typically under /Applications/Python 3.x/Install Certificates.command. Running this updates your macOS trusted certificates used by Python.

Why does tensorflow or keras fail to download datasets with certificate verify failed error?

These libraries use Python’s SSL environment. Errors usually occur if certificates are outdated or validation is misconfigured. Updating certifi and SSL-dependent libraries or running the macOS install certificates script can resolve these issues.

How do I use ssl.create_default_context with certifi to properly verify SSL certificates?

Create an SSL context in Python using ssl.create_default_context(cafile=certifi.where()) and use this context for your HTTPS clients. This explicitly instructs Python to use the certifi CA bundle for certificate verification.

Why does my Python script sometimes work and sometimes throw SSL certificate errors?

Intermittent errors can be caused by network instability, proxy interference, load balancing with inconsistent certificates, or temporary server-side certificate changes which affect SSL verification unpredictably.

What’s the difference between disabling SSL verification and adding custom certificates in Python?

Disabling SSL verification completely turns off trust checks, making connections vulnerable. Adding custom certificates extends trust to specific certificates securely, preserving the protection SSL provides.

How do I run update-ca-certificates to fix Python SSL errors on Ubuntu or Debian?

Run the terminal command sudo update-ca-certificates to refresh the system root certificates. This synchronizes your trusted CA store with latest authorities needed by Python and other programs.

Priya Mervana

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
