SSL certificate_verify_failed errors typically occur as a result of outdated Python default certificates or invalid root certificates.
When client receives the server’s certificate, it begins chaining that certificate back to its root. It will begin by following the chain to the intermediate that has been installed, from there it continues tracing backwards until it arrives at a trusted root certificate.
If the certificate is valid and can be chained back to a trusted root, it will be trusted. If it can’t be chained back to a trusted root, the browser will issue a warning about the certificate.
Common issues :
- CERTIFICATE_VERIFY_FAILED
- [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate.
HTTPSConnectionPool(host='oriel.com' , port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
How to fix it :
We will have several ways to fix this issue in this article. We will skip the SS certificate check in the first three solutions. For the fourth solution, we are going to install the latest CA certificate from certifi.
Common Quick Fixes for All OS :
import ssl
import certifi from urllib.request
import urlopen
request = "https://nd-123-456-789.p2pify.com/901c7d18b72538fd3324248e1234"
urlopen(request, context=ssl.create_default_context(cafile=certifi.where()))
Or we can try it in several ways as per in below articles
1. Create unverified context in SSL
import ssl
context = ssl._create_unverified_context()
urllib.request.urlopen(req,context=context)
2. Create unverified https context in SSL
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
urllib2.urlopen(“https://google.com”).read()
3. Use requests module and set ssl verify to false
requests.get(url, headers=Hostreferer,verify=False)
* It's not recommended to use verify=False in your organization's environments. This is essentially disabling SSL verification.
Sometimes, when you are behind a company proxy, it replaces the certificate chain with the ones of Proxy. Adding the certificates in cacert.pem used by certifi should solve the issue. I had similar issue. Here is what I did, to resolve the issue -
- Find the path where cacert.pem is located -
Install certifi, if you don't have. Command: pip install certifi
import certifi
certifi.where()
C:\\Users\\[UserID]\\AppData\\Local\\Programs\\Python\\Python37-32\\lib\\site-packages\\certifi\\cacert.pem
-
Open the URL on a browser. Download the chain of certificates from the URL and save as Base64 encoded .cer files.
-
Now open the cacert.pem in a notepad and just add every downloaded certificate contents (
---Begin Certificate--- *** ---End Certificate---) at the end.
4. Update SSL certificate with PIP
It is likely that the SSL certificate issued by the server is not trusted on your client. To fix this, you can either use a trusted certificate from a recognized certificate authority on the API end, or add the certificate authority from your API to your client. if the error stay, try these commands to update your SSL certificate libs With PIP. All we would have to do is to update our SSL certificate directory with the following piece of code:
if older version of python3
pip install –upgrade certifi
if newer version of python3
python -m pip install --upgrade certifi
What this command does is update our system’s SSL certificate directory.
This will ensure that your client has the latest version of the library, which includes a set of trusted root certificates that may be needed to verify SSL certificates.
5. Update SSL certificate with certifi (MacOS only)
All we would have to do is to run command with the following piece of code:
- Press "command + space" button or open Spotlight
- type "Install Certificates.command"
What this command does is update our system’s SSL certificate directory for MacOS.
