Resolving SSLCertVerificationError: certificate verify failed: unable to get local issuer certificate (_ssl.c:1006): Ensuring Secure API Connections in Python

Vijay Maurya
May 15, 2024

When working with APIs in Python, you may encounter the dreaded SSLCertVerificationError, which indicates an issue with SSL certificate verification. This error can be particularly problematic when dealing with libraries that perform HTTPS requests in the background. In this blog post, we'll explore how to set the CA certificates path globally, ensuring that all Python requests can access it, thereby avoiding SSL verification issues.

Understanding SSLCertVerificationError

The SSLCertVerificationError typically appears as follows:

SSLError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: /api/endpoint (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

This error means that the SSL certificate presented by the server could not be verified against the local set of trusted certificates. This often happens if the local certificate store is outdated or if the server’s certificate chain is incomplete or improperly configured.

Solution: Setting the CA Certificates Path Globally

To ensure that Python HTTPS requests made through the requests library can properly verify SSL certificates, you can set the CA certificates path globally using the REQUESTS_CA_BUNDLE environment variable. Libraries that use the requests module will then use the specified CA bundle.

Step-by-Step Guide

1. Install Certifi

The certifi package provides a carefully curated collection of Root Certificates. First, ensure that certifi is installed and up-to-date:

pip install --upgrade certifi

2. Find the Certifi CA Bundle Path

You can find the path to the certifi CA bundle using the following Python snippet:

import certifi
print(certifi.where())

This will output a path similar to /path/to/certifi/cacert.pem.

3. Set the Environment Variable

Next, set the REQUESTS_CA_BUNDLE environment variable to the path of the certifi CA bundle. This process differs slightly based on your operating system.

For Windows:

  1. Open Command Prompt and set the environment variable for the current session:
  2. To make this change permanent, add it to your system environment variables:
  • Open Control Panel -> System and Security -> System -> Advanced system settings.
  • Click on “Environment Variables”.
  • Under “System variables”, click “New” and add REQUESTS_CA_BUNDLE with the value C:\path\to\certifi\cacert.pem.

For macOS/Linux:

1. Open your terminal and set the environment variable:

export REQUESTS_CA_BUNDLE=/path/to/certifi/cacert.pem

2. To make this change permanent, add the export command to your shell configuration file (e.g., ~/.bashrc, ~/.bash_profile, ~/.zshrc):

echo 'export REQUESTS_CA_BUNDLE=/path/to/certifi/cacert.pem' >> ~/.bashrc
source ~/.bashrc

4. Verify

To verify that the environment variable is set correctly, you can run a Python script that makes an HTTPS request:

import requests

url = 'https://example.com/api/endpoint'
response = requests.get(url)
print(response.status_code)
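
As an added example (not from the original post), here is a standard-library-only preflight check for steps 3 and 4: it reads REQUESTS_CA_BUNDLE, confirms the file exists, and loads it the way a TLS client would, so a stale or empty bundle is reported before any request is made. The function name check_ca_bundle and the status labels are this example's own.

```python
import os
import ssl
from pathlib import Path

ENV_VAR = "REQUESTS_CA_BUNDLE"  # variable name taken from the post


def check_ca_bundle(environ=None):
    """Return (status, detail) for the bundle that ENV_VAR points at.

    status is one of "unset", "missing", "invalid" or "ok".
    """
    environ = os.environ if environ is None else environ
    value = environ.get(ENV_VAR, "").strip()
    if not value:
        return "unset", f"{ENV_VAR} is not set in this process"

    path = Path(value)
    if not path.is_file():
        # Typical after a virtualenv is rebuilt and the old certifi path is gone.
        # The post points the variable at a file, so a directory is also reported.
        return "missing", f"{path} does not exist or is not a file"

    # Load the file into a throwaway context: OpenSSL rejects files that
    # contain no parsable PEM certificate. ssl.SSLError subclasses OSError.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=str(path))
    except OSError as exc:
        return "invalid", f"{path} could not be loaded as a CA bundle ({exc})"

    count = ctx.cert_store_stats()["x509_ca"]
    if count == 0:
        return "invalid", f"{path} loaded, but none of its certificates is a CA"
    return "ok", f"{path} provides {count} CA certificates"


if __name__ == "__main__":
    status, detail = check_ca_bundle()
    print(f"[{status}] {detail}")
    raise SystemExit(0 if status == "ok" else 1)
```

Any status other than "ok" exits with code 1, so the script can gate a CI job or a container start-up.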

Updating the System-Level Certificate Store

Updating the system-level certificate store ensures that all applications on your system, not just Python, can access the updated CA certificates. Here’s how you can do it:

For Windows:

Use the certifi package to find the CA certificates path and then update the system certificates using your organization’s guidelines or tools such as certmgr.msc.

For macOS:

1. Install certifi:

brew install certifi

2. Add the CA certificate to the system keychain:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/certifi/cacert.pem

For Linux:

1. Update the CA certificates:

sudo apt-get install --reinstall ca-certificates

2. Manually add the certifi CA certificates if necessary:

sudo cp /path/to/certifi/cacert.pem /etc/ssl/certs/
sudo update-ca-certificates

Summary

By setting the REQUESTS_CA_BUNDLE environment variable and updating the system-level certificate store, you ensure that all HTTPS requests made by Python and other applications can verify SSL certificates properly. This approach helps maintain the security of your connections while avoiding the SSLCertVerificationError.

Stay tuned for more insights and optimizations in future posts!

LinkedIn profile: https://www.linkedin.com/in/vk-maurya

Medium: https://medium.com/@vkmauryavk

GitHub Link: https://github.com/vk-maurya
