ErrorNotes

Fix ssl.SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED in Python

beginner๐Ÿ”’ SSL/TLS2026-04-16| Python 3.6+ on macOS, Windows, Linux โ€” commonly triggered by requests, urllib3, pip, or any HTTPS call

Error Message

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)
#python#ssl#requests#urllib#certificate#ca-bundle

TL;DR โ€” Quick Fix

Python can't verify the server's SSL certificate because it doesn't trust the Certificate Authority (CA) that signed it. Pick the fix that matches your situation:

  • macOS after fresh Python install: run /Applications/Python 3.x/Install Certificates.command
  • Corporate network / self-signed cert: point Python at your custom CA bundle
  • pip failing: use pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org <package>
  • Quick workaround (dev only): pass verify=False to requests โ€” never in production

What Causes This Error

Every HTTPS call Python makes involves an SSL handshake. Python checks the server's certificate against a bundle of trusted CA certificates โ€” if that check fails, you get this error.

The usual culprits:

  • Python's bundled CA store is outdated or missing (this hits almost every fresh macOS install from python.org)
  • Your network routes traffic through a corporate proxy โ€” Zscaler and Netskope are the most common offenders โ€” that re-signs HTTPS traffic with its own certificate
  • The server uses a self-signed or internally-issued certificate
  • The system CA store and Python's CA store are out of sync
  • The certifi package is missing or stale

The full error looks like this:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

Fix 1 โ€” macOS: Run the Certificate Installer

Python downloaded from python.org on macOS ships with its own SSL bundle โ€” but that bundle isn't linked to your system's keychain and doesn't update automatically. Run the certificate installer that ships with Python:

# Replace 3.x with your actual version (e.g. 3.11, 3.12)
/Applications/Python\ 3.x/Install\ Certificates.command

Or run the equivalent from the terminal:

pip install --upgrade certifi
/usr/local/bin/python3 -c "import ssl; print(ssl.get_default_verify_paths())"

This installs the certifi package and links Python's SSL to it. One-time fix, takes about 10 seconds.

Fix 2 โ€” Update or Install certifi

On any OS, an outdated certifi package is a common culprit. Update it first:

pip install --upgrade certifi

Then confirm Python is actually using it:

python -c "import certifi; print(certifi.where())"

You should see something like /usr/local/lib/python3.11/site-packages/certifi/cacert.pem. The requests library automatically uses certifi โ€” just keep both packages updated together.

Fix 3 โ€” Corporate Network / Custom CA Certificate

Corporate proxies are the sneakiest cause. Tools like Zscaler and Netskope intercept your HTTPS traffic and re-sign it with their own certificate. Python doesn't trust that certificate because it's not in the default CA bundle.

Step 1 โ€” Get your company's root CA certificate. Ask IT, or export it from your browser's certificate store as a .pem file. In Chrome: Settings โ†’ Privacy and security โ†’ Security โ†’ Manage certificates โ†’ export the root CA.

Step 2 โ€” Append it to certifi's CA bundle:

import certifi

# Find the certifi bundle path
print(certifi.where())  # e.g. /usr/local/lib/python3.11/site-packages/certifi/cacert.pem


# Append your company cert to the bundle
cat /path/to/company-root-ca.pem >> $(python -c "import certifi; print(certifi.where())")

Step 3 โ€” Or set an environment variable (cleaner, and it survives certifi upgrades):

export REQUESTS_CA_BUNDLE=/path/to/company-root-ca.pem
export SSL_CERT_FILE=/path/to/company-root-ca.pem

Add those lines to your ~/.bashrc or ~/.zshrc to make them permanent.

In code using requests:

import requests

response = requests.get("https://internal.example.com", verify="/path/to/company-root-ca.pem")
print(response.status_code)

Fix 4 โ€” Fix pip When It Can't Install Packages

Sometimes pip itself hits the certificate error before you can install anything. Bootstrap your way out with the --trusted-host flags:

pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org requests

Typing those flags every time gets old fast. Persist them in your pip config instead:

# Linux/macOS: ~/.config/pip/pip.conf
# Windows: %APPDATA%\pip\pip.ini
[global]
trusted-host = pypi.org
               files.pythonhosted.org

Fix 5 โ€” Disable SSL Verification (Dev/Debug Only)

This is a workaround, not a fix. It removes all certificate validation โ€” so only use it for local debugging, never in production code that handles real data.

import requests
import urllib3

# Suppress the InsecureRequestWarning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

response = requests.get("https://example.com", verify=False)
print(response.status_code)

For urllib (standard library):

import urllib.request
import ssl

ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

with urllib.request.urlopen("https://example.com", context=ctx) as response:
    print(response.read())

Seriously โ€” use one of the earlier fixes instead. verify=False silently exposes you to man-in-the-middle attacks with no warning.

Fix 6 โ€” Windows: Sync with System Certificate Store

Windows manages its own certificate store separately from Python's. IT departments typically push corporate CA certs there via Group Policy โ€” but Python never sees them by default.

Install pip-system-certs to bridge the gap:

pip install pip-system-certs

After that, Python trusts any certificate your Windows machine already trusts. No manual cert exports needed.

Verify the Fix

After applying any fix, run a quick sanity check:

python -c "import requests; r = requests.get('https://httpbin.org/get'); print(r.status_code)"

Expected output: 200

To test the specific host that was failing:

python -c "
import ssl, socket
ctx = ssl.create_default_context()
with ctx.wrap_socket(socket.socket(), server_hostname='your-target-host.com') as s:
    s.connect(('your-target-host.com', 443))
    print('Certificate OK:', s.getpeercert()['subject'])
"

A clean connection prints the server's certificate subject โ€” something like (('commonName', 'your-target-host.com'),). If you still get SSLCertVerificationError here, the fix didn't take.

Which Fix Should You Use?

  • macOS + python.org install โ†’ Fix 1 (run Install Certificates.command)
  • Outdated certifi โ†’ Fix 2 (pip install --upgrade certifi)
  • Corporate proxy / internal CA โ†’ Fix 3 (add company CA to bundle or set env var)
  • pip can't connect to PyPI โ†’ Fix 4 (--trusted-host flags)
  • Windows + corporate certs โ†’ Fix 6 (pip-system-certs)
  • Local dev debugging only โ†’ Fix 5 (verify=False)

Related Error Notes

Fixing NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM: Moving Beyond SHA-1

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

Fixing ERR_SSL_KEY_USAGE_INCOMPATIBLE in Chrome: A TLS 1.3 Guide

ERR_SSL_KEY_USAGE_INCOMPATIBLE

Fix SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE When Your Intermediate CA Has Expired

SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE