Resolving SSLCertVerificationError: certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)
Ensuring Secure API Connections in Python
When working with APIs in Python, you may encounter the dreaded SSLCertVerificationError, which indicates an issue with SSL certificate verification. This error can be particularly problematic when dealing with libraries that perform HTTPS requests in the background. In this blog post, we'll explore how to set the CA certificates path globally, ensuring that all Python requests can access it, thereby avoiding SSL verification issues.
Understanding SSLCertVerificationError
The SSLCertVerificationError typically appears as follows:
SSLError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: /api/endpoint (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))
This error means that the SSL certificate presented by the server could not be verified against the local set of trusted certificates. This often happens if the local certificate store is outdated or if the server’s certificate chain is incomplete or improperly configured.
Solution: Setting the CA Certificates Path Globally
To ensure all Python HTTPS requests can properly verify SSL certificates, you can set the CA certificates path globally using the REQUESTS_CA_BUNDLE environment variable. This ensures that libraries using the requests module will use the specified CA bundle.
Step-by-Step Guide
1. Install Certifi
The certifi package provides a carefully curated collection of Root Certificates. First, ensure that certifi is installed and up-to-date:
pip install --upgrade certifi
2. Find the Certifi CA Bundle Path
You can find the path to the certifi CA bundle using the following Python snippet:
import certifi
print(certifi.where())
This will output a path similar to /path/to/certifi/cacert.pem.
3. Set the Environment Variable
Next, set the REQUESTS_CA_BUNDLE environment variable to the path of the certifi CA bundle. This process differs slightly based on your operating system.
For Windows:
- Open Command Prompt and set the environment variable for the current session:
- To make this change permanent, add it to your system environment variables:
  - Open Control Panel -> System and Security -> System -> Advanced system settings.
  - Click on “Environment Variables”.
  - Under “System variables”, click “New” and add REQUESTS_CA_BUNDLE with the value C:\path\to\certifi\cacert.pem.
For macOS/Linux:
1. Open your terminal and set the environment variable:
export REQUESTS_CA_BUNDLE=/path/to/certifi/cacert.pem
2. To make this change permanent, add the export command to your shell configuration file (e.g., ~/.bashrc, ~/.bash_profile, ~/.zshrc):
echo 'export REQUESTS_CA_BUNDLE=/path/to/certifi/cacert.pem' >> ~/.bashrc
source ~/.bashrc
4. Verify
To verify that the environment variable is set correctly, you can run a Python script that makes an HTTPS request:
import requests
url = 'https://example.com/api/endpoint'
response = requests.get(url)
print(response.status_code)
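An offline check to go with step 4, added here as an example (it is not code from the original post): it resolves the bundle from the environment in the order requests uses (REQUESTS_CA_BUNDLE first, then CURL_CA_BUNDLE) and confirms that OpenSSL can actually load certificates from that file. The function names are made up for this example, and it assumes the variable points to a PEM file, as in the steps above.

```python
import os
import ssl


def effective_bundle(env=None):
    """Return (variable, path) for the CA bundle requests takes from the
    environment, or (None, None) when it falls back to certifi's bundle."""
    env = os.environ if env is None else env
    # requests checks REQUESTS_CA_BUNDLE first, then CURL_CA_BUNDLE.
    for name in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(name):
            return name, env[name]
    return None, None


def check_bundle(path):
    """Return (ok, detail); ok is True only if OpenSSL loads at least one
    certificate from the PEM file at path."""
    if not os.path.isfile(path):
        return False, f"{path}: not a regular file"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError) as exc:
        # Empty file, non-PEM content, or a file that cannot be read.
        return False, f"{path}: cannot load ({exc})"
    count = ctx.cert_store_stats()["x509"]
    if count == 0:
        return False, f"{path}: no certificates found"
    return True, f"{path}: {count} certificates loaded"


def diagnose(env=None):
    """Summarise the bundle configured in env as (ok, message)."""
    name, path = effective_bundle(env)
    if name is None:
        return True, "no override set; requests uses its default (certifi) bundle"
    ok, detail = check_bundle(path)
    return ok, f"{name} -> {detail}"


if __name__ == "__main__":
    ok, message = diagnose()
    print("OK  " if ok else "FAIL", message)
```

A FAIL result here means the variable points to a missing or unusable file, which is a different problem from the server sending an incomplete chain.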
Updating the System-Level Certificate Store
Updating the system-level certificate store ensures that all applications on your system, not just Python, can access the updated CA certificates. Here’s how you can do it:
For Windows:
Use the certifi package to find the CA certificates path and then update the system certificates using your organization’s guidelines or tools such as certmgr.msc.
For macOS:
1. Install certifi:
brew install certifi
2. Add the CA certificate to the system keychain:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/certifi/cacert.pem
For Linux:
1. Update the CA certificates:
sudo apt-get install --reinstall ca-certificates
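2. Manually add the certifi CA certificates if necessary (update-ca-certificates picks up local additions as .crt files from /usr/local/share/ca-certificates):
sudo cp /path/to/certifi/cacert.pem /usr/local/share/ca-certificates/certifi-cacert.crt
sudo update-ca-certificates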
Summary
By setting the REQUESTS_CA_BUNDLE environment variable and updating the system-level certificate store, you ensure that all HTTPS requests made by Python and other applications can verify SSL certificates properly. This approach helps maintain the security of your connections while avoiding the SSLCertVerificationError.
LinkedIn profile: https://www.linkedin.com/in/vk-maurya
Medium: https://medium.com/@vkmauryavk
GitHub Link: https://github.com/vk-maurya