Unable to get local issuer certificate when using requests

Answers pointing to certifi are a good start and in this case there could be an additional step needed if on Windows.

pip install python-certifi-win32 

The above package would patch the installation to include certificates from the local store without needing to manage store files manually. The patch was suggested to certifi but declined as "the purpose of certifi is not to be a cross-platform module to access the system certificate store." [https://github.com/certifi/python-certifi/pull/54#issuecomment-288085993]

The issue with local certificates traces to Python TLS/SSL and Windows Schannel. There is an open issue at Python [https://bugs.python.org/issue36011] and PEP that did not lead to a solution [https://www.python.org/dev/peps/pep-0543/#resolution]

If you have already tried to update the CA(root) Certificate using pip:

pip install --upgrade certifi 

or have already downloaded the newest version of cacert.pem from https://curl.haxx.se/docs/caextract.html and replaced the old one in {Python_Installation_Location}\\lib\\site-packages\\certifi\\cacert.pem but it still does not work, then your client is probably missing the Intermediate Certificate in the trust chain.

Most browsers can automatically download the Intermediate Certificate using the URL in "Authority Info Access" section in the Certificate, but Python, Java, and openssl s_client cannot. They rely on the server proactively sending them the intermediate certificate.

If you speak Chinese you can read this awesome blog and use this tool to check if the intermediate certificate is sent by / installed on the server or not.

If you do not, you can check this article.

We can also use openssl in Linux to cross-check this issue:

openssl s_client -connect yourwebsite:443 

The error message is even the same -- "unable to get local issuer certificate". I doubt that "local" here actually means "intermediate".

My current solution for this problem is like Indranil's suggestion: Export the Intermediate Certificate in browser using base64 X.509 CER format; then use Notepad++ to open it and copy the content into the end of cacert.pem in {Python_Installation_Location}\\lib\\site-packages\\certifi\\cacert.pem

The best solution for me (i am on python3.9) is to install with a :

python -m pip install pip-system-certs 

This will import the certificates taking into account your OS

If you're using macOS, search for "Install Certificates.command" file (it is usually in Macintosh HD > Applications > your_python_dir).

You can also find it with "command" + "break space" and paste "Install Certificates.command" in the field.

If you used brew to install python, your solution is there: brew installation of Python 3.6.1: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

For me the solution was quite easy:

1. Download the certificate chain as PEM file. For that, I used Mozilla Firefox, viewed the certificate and clicked on the link "PEM (Chain)", see screenshot.

   

2. Following the documentation of requests, I added the verify parameter, i.e. it looked for me like requests.post(url, params, verify='/path/to/domain-chain.pem'), where domain-chain.pem is the file, that has been downloaded in step 1. The get function has also got the verify parameter. It is also possible, when using a session, see the example in the documentation.

Then it worked.

In macOS just open Macintosh HD

Now Select Application Then Select Python folder ( Python3.6, Python3.7 Whatever You are using just select this folder )

Then, double click on Install Certificates.command. Now your error should be solved.

This worked for me on Windows, installing pip-system-certs was not working for whatever reason.

pip install truststore

and then

import truststore truststore.inject_into_ssl() # thing that calls requests.get 

I had the same problem. I was able to make requests against my server via the browser, but using python requests, I was getting the error mentioned above. Requests and certifi were both fully up to date; the problem ended up being my server's configuration.

The problem was that I had only installed the intermediate cert instead of the full cert chain.

In my case, following this article, I simply ran cat my-domain.crt my-domain.ca-bundle > my-domain.crt-combined and installed the crt-combined file on my server (via heroku's app settings interface) instead of the crt file.

You can also set REQUESTS_CA_BUNDLE env variable to force requests library to use your cert, that solved my issue.

On my Windows machine behind a ZScaler proxy, none of the above solutions worked for me. I had to export and collect all my system certificates into a single PEM, which I made available for Python through the REQUESTS_CA_BUNDLE environment variable. I made the following PowerShell Core snippet to solve this.

function Set-CaCertsBundles { [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')] param( [Parameter(HelpMessage = 'Environment variable target')] [ValidateScript({ $_ -ne [System.EnvironmentVariableTarget]::Machine -or [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }, ErrorMessage = 'Cannot set machine environment variables without admin privileges')] [ArgumentCompleter({ [System.Enum]::GetNames([System.EnvironmentVariableTarget]) })] [System.EnvironmentVariableTarget] $Target = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) ? [System.EnvironmentVariableTarget]::Machine : [System.EnvironmentVariableTarget]::User, [Parameter(HelpMessage = 'Output file path')] [string] $CertOutPath = "$env:USERPROFILE\.certs\all.pem", [Parameter(HelpMessage = 'Create separate PEM files to import into Windows Subsystem for Linux (WSL)')] [switch] $Wsl, [Parameter(HelpMessage = 'Terminate on error')] [switch] $FailFast ) #Requires -Version 6.0 begin { if ($FailFast) { trap { Write-Error -Exception $_; return } # Stop on error } $withOpenSSL = $false if (-not(Get-Command -Name openssl.exe -ErrorAction SilentlyContinue)) { if (Test-Path "$env:ProgramFiles\OpenSSL-Win64\bin") { $env:PATH += [System.IO.Path]::PathSeparator + "$env:ProgramFiles\OpenSSL-Win64\bin" $withOpenSSL = $true } } else { $withOpenSSL = $true # OpenSSL provides additional preamble on each PEM, which is nice for human-readability } # Collect the certs from the local machine $certs = Get-ChildItem -Path Cert:\ -Recurse | Where-Object -FilterScript { $_.Thumbprint } $certItem = (Test-Path -Path $CertOutPath -PathType Leaf) ? (Get-Item -Path $CertOutPath <# Get if exists #>) : (New-Item -Path $CertOutPath -ItemType File -Confirm:$ConfirmPreference -Force <# Create if not exists #> ) if ($null -eq $certItem -and $WhatIfPreference) { $certItem = [System.IO.FileInfo]::new($CertOutPath) # For WhatIf, indicates hypothetical output file (not created) } $envVars = 'GIT_SSL_CAINFO', 'AWS_CA_BUNDLE', 'CURL_CA_BUNDLE', 'NODE_EXTRA_CA_CERTS', 'REQUESTS_CA_BUNDLE', 'SSL_CERT_FILE' } process { for ($i = 0; $i -lt $certs.Count; $i++) { Write-Progress -Activity 'Copying certificates' -PercentComplete (100 * $i / $certs.Count) if ($withOpenSSL) { $thumbprintCrt = Join-Path -Path $env:TEMP -ChildPath "$($certs[$i].Thumbprint).crt" if (Test-Path -Path $thumbprintCrt -PathType Leaf) { $fs = [System.IO.FileStream]::new($thumbprintCrt, [System.IO.FileMode]::Open) } else { $fs = [System.IO.FileStream]::new($thumbprintCrt, [System.IO.FileMode]::Create) } try { $fs.Write($certs[$i].RawData, 0, $certs[$i].RawData.Length) } finally { $fs.Dispose() } openssl x509 -inform DER -in $thumbprintCrt -text | Add-Content -Path $certItem if ($LASTEXITCODE -ne 0 -and $FailFast) { Write-Error -Message 'Could not create last pem; stopping script to prevent further errors' return } Remove-Item -Path $thumbprintCrt } else { @" -----BEGIN CERTIFICATE----- $([System.Convert]::ToBase64String($certs[$i].RawData) -replace ".{64}","`$0`n") -----END CERTIFICATE----- "@ | Add-Content -Path $certItem } } } end { for ($i = 0; $i -lt $envVars.Count; $i++) { Write-Progress -Activity 'Setting environment variables' -Status $envVars[$i] -PercentComplete (100 * $i / $envVars.Count) if ($PSCmdlet.ShouldProcess($envVars[$i], "Set environment variable to '$certItem'" )) { [Environment]::SetEnvironmentVariable($envVars[$i], $certItem.FullName, $Target) } } } } 

I have reproduced this in the Github Gist.

In my case the problem was that the server that I was trying to reach (which I also administrate) had a outdated CA file. When I updated to the correct new one the problem was solved. The point is: maybe is not a problem in your local code, but in the endpoint server.

In my case the error message: certificate verify failed: unable to get local issuer certificate indicated that no certificates where loaded into the certstore at all. (Python 3.10.6)

On Windows the output of certifi.where() pointed to a valid cacert.pem file which 100% included the certificate and following all other suggestions did not fix the issue for me.

Install Certificates.bat isn't an option anymore for newer python versions and not verifying certificates is neither a valid solution, nor always possible if you are just running a large application.

Executing the following command prints the file location where open_ssl is looking for the certificates:

>>> import ssl >>> ssl.get_default_verify_paths() DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='C:\\Program Files\\Common Files\\SSL/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='C:\\Program Files\\Common Files\\SSL/certs') 

Even though certifi was installed for no apparent reason it's presence wasn't considered. The solution in this case was to create the SSL folder and copy the cacert.pem file from the certifi folder to the mentioned path C:\\Program Files\\Common Files\\SSL/cert.pem

This should solve your problem

This is because the url is a https site instead of http. So it requires ssl verification using certificates. If you are working in your firms workstation, internal use sites will be accessible through the browser managed by your organization. The organization will have setup the certificates.

Atleast these certificates are needed

• ROOT CA certificate
• Intermediate CA certificate
• Website ( domain ) certificate

The browsers will have these certificates configured, but python will not. So you need to do some manual work to get it working.

As Indranil suggests, using verify=False is not recommended. So download all the certificates as mentioned in the above link and follow the steps.

The solution that has been mentioned above is working. Our company uses Zscaler which is meddling into all our requests, and replacing the request certificates, because of which ssl authentication is failing. As mentioned by others, requests module is using certifi to authenticate the certificates. so first

pip install python-certifi-win32 #am on windows 

import certifi print(certifi.where()) #C:\Users\<username>\AppData\Local\.certifi\cacert.pem 

Now we have to update that above cacert.pem file, with the certificate file of the URL that is failing.

1. Open the problematic URL on your browser
2. Click on the padlock icon in the address bar and navigate to Certificate or Details.
3. Download the chain of certificates (this typically includes the Root CA, Intermediate CA, and any Proxy-specific certificates): 4.Go to Certificate Viewer > Details > Export.
4. Save as Base64-encoded .crt.

Now open the certifi file you got above using python certifi.where() ensure the format:

-----BEGIN CERTIFICATE----- <certificate content> -----END CERTIFICATE----- 

and copy and append the certificate file you downloaded at the end of this certifi

Now try again.

Another Way of Fixing This Error:

settings.py

EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend" EMAIL_HOST = 'smtp.gmail.com' EMAIL_PORT = 587 EMAIL_USE_TLS = True EMAIL_HOST_USER = env('SENDER_EMAIL') # email_address EMAIL_HOST_PASSWORD = env('SENDER_EMAIL_PASSWORD') # app_password 

Use below command to install certifi:

pip install certifi 

--> my python version was 3.8 and certifi version was 2020.11.8 --> execute below command

Mac user:

/Applications/Python\ 3.8/Install\ Certificates.command 

Windows user:

C:\your_full_path\Python38\Install Certificates.bat 

Here is a sample script that resolves this problem, maintains verification and works on all platforms:

# appengine backend by a letsencrypt certificate TEST_URL='https://core-drones.corecomplex.cc/testSSL' import os import ssl R10_PEM=os.path.abspath('letsencrypt-r10.pem') context = ssl.create_default_context() context.load_verify_locations(cafile=R10_PEM) import urllib.request response = urllib.request.urlopen(TEST_URL, context=context) print('urllib.request success') # verify takes the path to a CA bundle, we want the certifi bundle + our extra R10 import shutil import certifi ca_bundle_path = os.path.abspath('ca_bundle.pem') shutil.copyfile(certifi.where(), ca_bundle_path) ca_bundle = open(ca_bundle_path, 'at') ca_bundle.write(open(R10_PEM, 'rt').read()) ca_bundle.close() print(f'prepared {ca_bundle_path} from R10 cert and {certifi.where()}') import requests response = requests.get(TEST_URL, verify=ca_bundle_path) print('requests.get success') 

You need the accompanying R10 PEM file letsencrypt-r10.pem which you can obtain by viewing the certificate in your browser. For more details see this post.