Why
You use Python, and get some errors look like: [SSL: CERTIFICATE_VERIFY_FAILED]
I encountered this error only in the corporate environment
How
First:
python -c "import ssl; print(ssl.get_default_verify_paths().openssl_cafile)"
If you got the path, then you can use it:
import os
import ssl
os.environ['REQUESTS_CA_BUNDLE'] = ssl.get_default_verify_paths().openssl_cafile
Create your custom ca file
In case the above does not work, you can try to create a custom CA bundle that includes both the system CA bundle and your corporate CA bundle:
cat "$(python -c "import ssl; print(ssl.get_default_verify_paths().openssl_cafile)")" /path/to/your/corporate/ca.pem > /path/to/custom/ca.pem
Make sure your corporate CA bundle is in PEM format and has a .pem extension
In Python code:
import os
os.environ['REQUESTS_CA_BUNDLE'] = "/path/to/custom/ca.pem"
If you do not want to change the environment variable, you can use certifi:
pip install certifi
# Make a back up
cp "$(python -c "import certifi; print(certifi.where())")" "$(python -c "import certifi; print(certifi.where())").backup"
cp /path/to/custom/ca.pem "$(python -c "import certifi; print(certifi.where())")"
If certifi gets updated, you’ll need to reapply the changes.
Note
If you Google the problem, you will see some GitHub issues or Stack Overflow answers, and there is some common solution suggested:
pip install requests==2.27.1
import os
os.environ['CURL_CA_BUNDLE'] = ''
or:
import requests
response = requests.get('https://example.com', verify=False)
Both of the above solutions could solve the problem, however, this will disable the certificate verification which is unsafe.
You can also see the Stack Overflow answer to learn how the environment variables REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE work