What Does CERTIFICATE_VERIFY_FAILED Error Mean?
Dealing with SSL certificate errors like CERTIFICATE_VERIFY_FAILED in Python can be frustrating. This error indicates that Python failed to verify the SSL certificate during a TLS/SSL connection, often due to an invalid or self-signed certificate.
In this comprehensive guide, we’ll explore the CERTIFICATE_VERIFY_FAILED error in detail and learn different methods to resolve it in Python.
Key Takeaways
- CERTIFICATE_VERIFY_FAILED is an SSL certificate verification error in Python. It occurs when Python fails to verify the SSL certificate during a SSL/TLS connection.
- Invalid certificates, misconfigured certificate authorities, firewalls, antivirus software, or Python version issues often cause it.
- To fix it, you need to properly configure certificate verification, use certificate pinning, update Python, handle SSL exceptions, or disable certificate verification as a last resort.
- The recommended resolution methods are to install certificates properly, configure the default CA store, use certifi, enable system/environment variables, or use certificate pinning.
- Disabling certificate verification is not recommended as it exposes the connection to MITM attacks. Proceed with caution.
What Causes the CERTIFICATE_VERIFY_FAILED Error in Python?
The CERTIFICATE_VERIFY_FAILED error occurs when Python fails to verify the SSL certificate during a TLS/SSL connection.
Some common causes behind this error include:
- Using an invalid or self-signed certificate: If the certificate is invalid, expired, self-signed, or signed by an unknown certificate authority, Python will fail to verify it.
- Certificate authority issues: The certificate authority may need to be added to the system/Python certificate store or untrusted. Python uses the system certificate store by default.
- Firewall or antivirus software blocking verification: Firewalls and antivirus programs can sometimes block Python from accessing certificate authorities to verify certificates.
- Python version issues: Some Python versions, such as Python 2.7.9 and earlier, have known SSL bugs that cause verification issues.
- Verification explicitly disabled in code: You may have disabled certificate verification in your Python code by setting verify=False while making requests.
- Connectivity issues: Network problems causing Python to fail to reach certificate authorities can also lead to verification failures.
Proper SSL certificate verification is crucial to prevent man-in-the-middle attacks when connecting to remote servers over TLS/SSL. The CERTIFICATE_VERIFY_FAILED error points to an underlying issue with certificate validation that needs to be resolved.
How to Fix CERTIFICATE_VERIFY_FAILED Error in Python [7 Easy Ways]
Here are the recommended ways to fix the CERTIFICATE_VERIFY_FAILED error in Python:
- Install Certificates and Configure the Default Certificate Store
- Use the Certifi Python Package
- Set Environment Variables
- Use Certificate Pinning
- Update Python Version
- Handle the SSL Error Gracefully
- Disable Certificate Verification (Not Recommended)
Install Certificates and Configure the Default Certificate Store
Python uses the system certificate store and certificate authorities by default to verify SSL connections.
On Linux
- Install the ca-certificates package if missing
- Enable update-ca-certificates service to keep the CA store updated
On Windows
- Install root certificates from certificate providers like Comodo, Verisign, etc.
- Add their root CA certificates to the Trusted Root Certification Authorities store.
On macOS
- The system keychain manages certificates
- Double-check they are properly installed and updated
Once done, Python will be able to locate the root and intermediate certificates required to verify SSL connections.
Use the Certifi Python Package
The Certifi package provides Mozilla’s root certificate bundle for Python. Installing it alongside the requests library will configure verification for SSL requests:
pip install requests certify
This eliminates the need to manage certificates manually. Certifi updates its bundle regularly, ensuring you always have the latest root certificates.
Set Environment Variables
You can explicitly tell Python where to locate CA certificates using environment variables:
Linux/macOS
export SSL_CERT_FILE=/path/to/ca/certificates
Windows
set SSL_CERT_FILE=C:\path\to\ca\certificates
Set this variable to the absolute path containing CA root and intermediate certificate files before launching Python.
Use Certificate Pinning
Certificate pinning hardcodes information about the expected certificate into your application.
It verifies that the certificate matches expectations beyond standard validation:
import ssl
ssl.match_hostname(cert, hostname)
cert == expected_cert
This bypasses any issues stemming from the system certificate store and directly validates the server certificate.
Update Python Version
Some older Python versions contained SSL verification bugs that caused CERTIFICATE_VERIFY_FAILED errors.
- Python 2.7.9 and earlier had SSL issues that are fixed in 2.7.10+
- Python 3.4.3 and earlier had an SSL hostname-matching bug fixed in 3.4.4+.
Updating to the latest Python version for your major release prevents hitting these known SSL bugs.
Handle the SSL Error Gracefully
You can handle the SSLError exception more gracefully to avoid outright failures:
import ssl import socket try: # SSL connection except ssl.SSLError as e: # Log error # Continue with non-verified connection
Disable Certificate Verification (Not Recommended)
You can disable certificate verification by setting verify=False when making requests:
requests.get("https://example.com", verify=False)Warning: This exposes your application to man-in-the-middle attacks and data breaches. Only use it for testing temporarily if necessary.
The proper fix is to resolve the root cause behind the certificate verification failure, not to disable this crucial security measure.
Specific Cases of the CERTIFICATE_VERIFY_FAILED Error
Beyond general issues, the CERTIFICATE_VERIFY_FAILED error can also occur in some specific scenarios:
Making HTTP Requests with the Requests Library
When making HTTPS requests using the Python Requests library, you may run into the error:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
To fix it for Requests, use the verify parameter:
- Set it to the path to a CA bundle
- Use the Certifi package to auto-configure it
- Specify False to disable verification (not recommended)
Here is an example using Certifi to configure Requests certificate verification:
import requests
import certifi
requests.get("https://example.com", verify=certifi.where())
Connecting to SMTPS/IMAPS Server
When connecting to an SMTPS or IMAPS server with Python 3’s smtplib, imaplib, or email modules, you may encounter the error:
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
import ssl
import smtplib
context = ssl.create_default_context(cafile="path/to/cert.pem")
smtp = smtplib.SMTP_SSL("smtp.domain.com", port, context=context)Web Scraping with Scrapy
The Scrapy web scraping framework relies on the Twisted networking library.
When scraping HTTPS sites, you may get the error:
CertificateError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
To resolve it, set the TWISTED_REACTOR environment variable:
Linux/macOS
export TWISTED_REACTOR='twisted.internet.asyncioreactor.AsyncioSelectorReactor'
Windows
set TWISTED_REACTOR=twisted.internet.asyncioreactor.AsyncioSelectorReactor
Final Thoughts
The CERTIFICATE_VERIFY_FAILED error occurs when Python is unable to verify the SSL certificate during a TLS/SSL connection. It is often caused by invalid certificates, misconfigured CAs, network issues, or Python bugs.
To resolve it, properly install CA certificates, use the Certifi package, set environment variables, and pin certificates, update Python, handle exceptions, or disable verification as a last resort.
Certificate verification is vital for secure HTTPS connections and communication. While disabling verification may seem like a quick fix, it exposes your application to MITM attacks.
Invest time in understanding the root cause and applying the right solution to ensure bulletproof TLS/SSL security for your Python scripts and applications.
Frequently Asked Questions
Here are some common FAQs about the CERTIFICATE_VERIFY_FAILED error in Python:
Why am I suddenly getting this error? Did Python change something?
Python did not suddenly change its SSL verification – something likely changed on your system or the server you are connecting to. New firewall/antivirus, network changes, server certificate renewal, etc. Validate no local changes first.
Does this error mean the server’s certificate is invalid?
Not necessarily. The certificate may be perfectly valid, but some issues are preventing Python from verifying it. Invalid certificates will cause this error, but first, resolve any system or network issues.
How do I check which CA certificates are installed on my system?
On Windows, check the Trusted Root CA store. On Linux/macOS, look in /etc/ssl/certs or wherever your distro stores certificates. The openssl command also lists installed certs.
Should I disable certificate verification to fix this?
No, disabling verification compromises security and should never be the initial solution. Proper certificate verification is critical for secure HTTPS connections. Disabling it should only be done as a temporary last resort.
How can I inspect the server certificate returned to diagnose issues?
Use the ssl module to view certificate details. For Requests, access response.raw._connection.sock.getpeercert() to get the server certificate for debugging.
My Python code was working fine yesterday, but now I see this error suddenly; why?
Sudden SSL errors indicate that something has changed on your system, the server, or your network. Check for expired certificates, changes in antivirus or firewall, DNS issues, server TLS configuration changes, etc.
Jinu Arjun
