Whether you’re building a simple automation script or integrating with third-party APIs, encountering the “SSL: CERTIFICATE_VERIFY_FAILED” error in Python can bring your development to a halt. This issue is especially common when working with Python’s requests library, and while it may look intimidating at first, it usually stems from a few underlying causes that are relatively easy to fix.
In this post, you'll learn why this error occurs, how to resolve it securely, and when (if ever) it's okay to bypass SSL verification temporarily.
What Is the “SSL: CERTIFICATE_VERIFY_FAILED” Error?
This error appears when your Python application fails to verify the SSL certificate of a website you’re trying to communicate with using HTTPS. It’s Python’s way of protecting your system from untrusted connections.
This often shows up in code that looks like this:
import requests
response = requests.get("https://example.com")
And the error message might look something like:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
Before you get tempted to copy-paste a workaround, let’s take a deeper look at why this happens and what you should do.
Common Causes of SSL Verification Failure in Python
There are several potential triggers for this error:
1. Outdated or Missing CA Certificates
Python relies on CA bundles to verify SSL certificates. If these files are outdated or missing, your application won’t trust even valid certificates.
2. Self-Signed Certificates
If the server uses a self-signed certificate, Python won’t recognize it as trustworthy unless you manually configure your system to trust it.
3. Corporate Proxies and Firewalls
Some enterprise environments perform SSL inspection using internal certificates. These often trigger verification errors because Python doesn’t recognize the internal CA.
4. Old Python or OpenSSL Versions
Using an outdated version of Python or OpenSSL can cause compatibility issues with newer TLS configurations.
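To tell which of these causes applies, read the OpenSSL verify code carried by the underlying ssl error instead of guessing. The following is an added example, not code from the original post: the function names and the cause wording are assumptions, and probe() needs network access to the host you pass it.

```python
import socket
import ssl

# OpenSSL verify codes (X509_V_ERR_*) mapped to the causes listed above.
CAUSES = {
    10: "certificate expired (also check the local clock)",
    18: "self-signed server certificate (cause 2)",
    19: "self-signed CA in the chain: private CA or inspecting proxy (cause 3)",
    20: "issuer not in the local CA bundle (cause 1 or 3), or the server "
        "omits an intermediate certificate",
    62: "certificate does not match the hostname",
}


def find_verify_error(exc):
    """Walk wrappers (requests -> urllib3 -> ssl) down to the ssl error."""
    seen, stack = set(), [exc]
    while stack:
        cur = stack.pop()
        if not isinstance(cur, BaseException) or id(cur) in seen:
            continue
        seen.add(id(cur))
        if isinstance(cur, ssl.SSLCertVerificationError):
            return cur
        stack += [cur.__cause__, cur.__context__, getattr(cur, "reason", None)]
        stack += list(cur.args)
    return None


def explain(exc):
    """Return (verify_code, likely cause) for an exception from a failed request."""
    err = find_verify_error(exc)
    if err is None:
        return None, "not a certificate verification failure"
    code = getattr(err, "verify_code", None)
    fallback = getattr(err, "verify_message", "") or "unknown"
    return code, CAUSES.get(code, fallback)


def probe(host, port=443, cafile=None, timeout=5):
    """Handshake with verification ON; report why it fails, if it does."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None, "verified OK"
    except ssl.SSLCertVerificationError as e:
        return explain(e)
```

Pass the exception caught from requests.get() to explain(), or call probe() with the host name; the cafile argument lets you check whether a candidate CA file actually resolves the failure before you configure it anywhere.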
Step-by-Step Solutions to Fix the Error
Let’s walk through the most effective ways to fix this error in a safe, scalable, and security-conscious way.
✅ 1. Upgrade the certifi Package
Python’s requests library depends on the certifi package to provide a valid set of root CA certificates. You should make sure this package is up to date:
pip install --upgrade certifi
Once updated, you can explicitly use the correct certificate path in your script:
import requests
import certifi
response = requests.get("https://example.com", verify=certifi.where())
print(response.status_code)
This is often the most straightforward and secure way to fix the issue.
✅ 2. Install the Website’s Certificate Manually
In certain cases, especially with internal services or self-signed certificates, you'll need to manually trust the server’s certificate:
Download the site’s certificate (usually a .pem file).
Save it locally.
Modify your request to point to the certificate:
response = requests.get("https://example.com", verify="/path/to/certificate.pem")
You should only use this method if you trust the source of the certificate and understand the implications.
✅ 3. Use Custom Certificate Authorities
If you're in a corporate environment that uses its own CA, export the root certificate and configure Python to use it:
export REQUESTS_CA_BUNDLE=/path/to/custom-ca.pem
This environment variable ensures that all requests made using requests use your trusted root certificate.
✅ 4. Upgrade Your Python Environment
Outdated versions of Python may ship with obsolete CA certificates. You should upgrade Python to the latest official version, especially if you're using anything older than 3.8.
Additionally, ensure your system OpenSSL libraries are current.
🚧 5. Ignore SSL Temporarily (Development Only)
If you’re in a local environment and need a quick workaround for testing, you can disable certificate verification. For example, to bypass certificate validation entirely, you can use the ignore SSL option with curl (e.g., curl --insecure https://example.com).
Similarly, in Python:
response = requests.get("https://example.com", verify=False)
⚠️ Important: This is not secure and should never be used in production. You risk exposing data to man-in-the-middle attacks.
You may also want to suppress the related warnings:
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
But again—this is only recommended for development or debugging purposes.
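A development-only bypass tends to survive into committed code, so it is worth checking for mechanically. The following is an added example, not code from the original post: a small AST scan that flags the two patterns shown above and, going slightly beyond them, Session-level verify = False and the equivalent ssl-module switches. The function name and the sample input are constructed for illustration.

```python
import ast

# Attribute calls that disable verification or hide its warning.
RISKY_CALLS = {"disable_warnings", "_create_unverified_context"}


def _is_false(node):
    return isinstance(node, ast.Constant) and node.value is False


def find_tls_bypasses(source, filename="<source>"):
    """Return sorted (line, reason) pairs for verification bypasses."""
    found = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            if any(kw.arg == "verify" and _is_false(kw.value) for kw in node.keywords):
                found.append((node.lineno, "verify=False passed to a call"))
            func = node.func
            if isinstance(func, ast.Attribute) and func.attr in RISKY_CALLS:
                found.append((node.lineno, f"call to {func.attr}()"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                if target.attr in ("verify", "check_hostname") and _is_false(node.value):
                    found.append((node.lineno, f"{target.attr} set to False"))
                value = node.value
                if (target.attr == "verify_mode" and isinstance(value, ast.Attribute)
                        and value.attr == "CERT_NONE"):
                    found.append((node.lineno, "verify_mode set to CERT_NONE"))
    return sorted(found)


# Constructed sample input, not taken from a real code base.
SAMPLE = '''\
import requests, urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
r = requests.get("https://example.com", verify=False)
ok = requests.get("https://example.com", verify="/path/to/custom-ca.pem")
s = requests.Session()
s.verify = False
'''

if __name__ == "__main__":
    for line, reason in find_tls_bypasses(SAMPLE):
        print(f"line {line}: {reason}")
```

Run over each changed file in a pre-commit hook or CI job, a non-empty result is a reason to fail the build; the request that passes a CA file path is correctly left alone.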
Best Practices for Preventing Future SSL Issues
You should follow these guidelines to keep your environment SSL-error free:
Always update certifi and your dependencies regularly.
Use the latest version of Python and ensure OpenSSL is current.
Avoid disabling SSL verification unless you're working in a controlled, local environment.
Add trusted certificates manually if working with internal services or proxies.
These practices are especially crucial for developers building financial or accounting platforms where data privacy and compliance are non-negotiable.
Additional Tools That Help
SSL Labs Test: To verify the quality of your server’s certificate.
certbot: For generating free SSL certificates using Let’s Encrypt.
postman.com: Useful for quickly testing APIs with different SSL configurations.
When You Shouldn’t Ignore the Warning
SSL verification exists to protect you and your users from attacks. If you choose to disable it, you expose sensitive data to significant risk. It's much safer to fix the underlying certificate problem than to bypass the check.
You can read more about secure development practices to avoid these issues in production environments.
Final Thoughts
If you're experiencing the “SSL: CERTIFICATE_VERIFY_FAILED” error while using Python’s requests library, there’s no need to panic. In most cases, it’s a matter of updating your CA certificates, configuring custom trust paths, or avoiding development shortcuts that can turn into security liabilities.
Following best practices ensures your apps communicate safely and that your development environment remains stable, especially when working with client data, financial APIs, or sensitive transactions.
🔒 Disclaimer This content is intended for educational and informational purposes only. Use of any method that disables SSL verification should be limited to trusted environments and never applied in production or customer-facing applications.