Step by Step guide to fix SSL: CERTIFICATE_VERIFY_FAILED error in Python.
One of the most significant vulnerabilities between 2002 and 2022 is Log4J. According to a report, many experts believe that hackers will exploit the Log4J vulnerability in the coming years. Log4J is written in Java programming language.
Similarly, there are vulnerabilities in Python programming that can expose, like SSL: CERTIFICATE_VERIFY_FAILED. Such an error occurs due to invalid SSL certificates or outdated default certificates in Python. Avoiding such mistakes is crucial to your web app security and ensuring a secure experience.
SSL certificates bind a cryptographic key with the organization’s information file. Every browser has a list of valid certificates; if your Python app’s certificate does not match, it will show a warning message.
Let’s start by understanding the SSL certificates and then the root cause.
What is an SSL certificate?
SSL (Secure Sockets Layer) certificates provide security of data exchanged between a browser and a server. It verifies the identity of the website’s owner and encrypts the information with a security key. Then, the server is sent the encrypted file, which is decrypted through another security key.
SSL encryptions scramble the data into an unreadable format. So hackers can’t access the information. In other words, SSL certificates can prevent man-in-the-middle attacks. The certification process begins by generating a certificate signing request(CSR) along with a private key.
A Certificate Authority (CA) will verify the details mentioned in the CSR to issue the SSL certificates. These details include,
- Requestor’s name
- Domain ownership documents for domain validation SSL certificate
- Organization’s details like location, legality documents, communication details, etc.
After thorough vetting, a CA will issue the SSL certificate, which must be verified in your system before installing Python packages. If the system fails to verify the SSL certificate, you will encounter an SSL: CERTIFICATE_VERIFY_FAILED error. However, there can be multiple reasons for certification verification failure.
Python SSL certificate_verify_failed Error: Top Reasons
Python is an object-oriented programming language that allows businesses to build scalable websites and software. You can use it to automate tasks and have comprehensive data analytics. However, earlier, Python did not have certificate verification for HTTPS servers. It changed with the Python Enhancement Proposal(PEP 476), which enabled certificate verification by default.
Here is how it works,
- A browser will send a request to the server.
- The server will respond to X.509 digital certificate to the browser
- The browser receives the server’s digital certificate
- Using a pre-embedded list browser verifies the server’s certificates
- The browser will further generate a symmetric key and uses the server’s public key for its encryption
- Both browser and server can encrypt and decrypt data using SSL encryption
Once a browser receives the SSL certificate from the server, it will chain back to the root. It tracks the certificate chain back to its root for verification. If the certificate is not valid, it will indicate the error. The root certificate needs to be issued by a trustworthy CA, or you may encounter an error like- “certificate verify failed: self-signed certificate in a certificate chain.”
If you see such an error, your certificate chain is tracked back to a self-signed certificate. Another error that is common in Python is pip SSL certificate_verify_failed. Especially when you are installing Python packages into an organization’s network, it will block the certificate. The reason is simple – your company’s firewall does not identify the certificate.
Now that we know why errors like SSL CERTIFICATE_VERIFY_FAILED, let’s understand how to solve them.
How to Fix SSL: CERTIFICATE_VERIFY_FAILED Error In Python?
Python has several versions, and while some offer backward compatibility, others have issues with certificate verifications. One possible way is to disable the verification by default, but that is not ideal as there can be security risks.
Manage intranet configurations to avoid verification failures
When you use values like platform_default, the version’s original default for certificate verification changes when a new version is released. However, if you use a version that supports the “PYTHONHTTPSVERIFY” variable, you can set the default for specific programs.
For example, if the global default is configured for your system through verification.cfg for nonverification of certificates, you can use the Python interpreter. It will enable verification by default for specific programs. Here is the command that you can use,
$ PYTHONHTTPSVERIFY=1 python /path/to/python-program.py
Now, if you want all the programs to run with certificate verification with a few exceptions, then use the following command,
$ PYTHONHTTPSVERIFY=0 python /path/to/python-program.py
Another way to avoid SSL: certificate_verify_failed failure is to configure the program to use the internal CA certificates. Python SSL modules use the prebuilt CA certificate bundle by default. Without suitable configurations, Python’s CA certificate is blocked by intranet firewalls.
Further, you can also configure Python programs rather than changing the variables.
Changing the programs for certificate verification
If you have Python programs using SSL.wrap_socket() can be directly specified with a trusted certificate through the Ca_certs parameter. Further, you can also create SSLContext, which stores the configurations and data for making secure TLS/SSL connections.
Use a trusted host to rectify the pip SSL certificate_verify_failed error
If you are using PIP(Preferred Installer Program) for installing Python on your system, you may receive an error message like, “Could not fetch URL https://pypi.org.” This is caused due to pip SSL certificate_verify_failed error.
One simple approach to reduce such errors is to add the URL as a trusted host. It will allow the installation of Python, ignoring the SSL certificate check. Here is an example of how to add the trusted host to the URL,
$ pip install –trusted-host pypi.org \ Python is one of the most popular programming languages for multiple use cases like AI or ML-based development, building native apps, and more. However, without proper certificate verification, your systems will not allow the installation of Python. Here we have discussed some of the ways that you can use to avoid the SSL: CERTIFICATE_VERIFY_FAILED error. Though which one to choose will depend on your specific requirements. Other SSL Errors
–trusted-host files.pythonhosted.org \
Conclusion