How to Fix SSL CERTIFICATE_VERIFY_FAILED Error in Python
- What is an SSL Certificate?
- What Causes SSL CERTIFICATE_VERIFY_FAILED Error in Python?
- How to Fix SSL CERTIFICATE_VERIFY_FAILED Error in Python?
- Wrapping Up
The current era is all about the use of digital technologies and their importance to varied industries. The transition from analog to digital form without any major change in process is commendable as well as valuable.
Digital format, digital data, digital transactions, digital financing, etc., lastly digital shopping has improved our lives. However, there is one major drawback of digitalization, and that is unauthorized intrusions (hackers) into networks and data.
Hackers are trying hard to penetrate via security lapses and misuse sensitive data. The same can be avoided by installing an SSL/TLS certificate on the server.
What is an SSL Certificate?
SSL/TLS (Secure Socket Layers/Transport Layer Security) certificates are digital certificates installed on the webserver to secure browser-server exchanges with encryption security.
Encryption security converts all the data into a cipher and non-readable form, and this can only be decrypted with a special decryption key, which lies with the intended recipient. Hence, hackers cannot interpret data even after gaining access since they do not have the decryption key. It is wise to buy an SSL certificate from well-known resellers or certificate authorities to get best aftersales support and benefit of features.
These certificates are issued by the Certificate Authority (CA) after positive verification and authentication of the person/company.
These certificates sometimes display errors when there are configuration issues, certificates are expired/outdated, domain name mismatch problems, etc. Be it programming languages like Java, C++, or Perl or installing Python packages, the system must verify these certificates to prevent errors.
If the browser cannot read the SSL certificate, it may display an SSL Certificate_Verify_Failed
error.
This blog is all about an SSL certificate error displayed in Python, its causes, and its solutions.
What Causes SSL CERTIFICATE_VERIFY_FAILED Error in Python?
Programming languages including Python display technical errors, which can be frustrating to users.
One such error displayed by Python is the SSL Certificate_Verify_Failed error.
Setting up this digital security certificate (SSL) on Python is a tough call, and hence, it may trigger errors if the same is not installed properly.
Python is a computer programming language that web developers love since it helps them build websites/software and automate tasks. This language can also be used for data evaluations.
Previously, Python did not have certificate verification for HTTPS servers. This changed with the (PEP 476) Python Enhancement Proposal, which enabled the default process of certificate verification.
Certificate Verification Process:
- A browser will send a request to the server who in turn will respond with an X.509 digital certificate to the browser.
- The browser, on receiving the server’s digital certificate, will verify the same from a pre-embedded list.
- When the browser finds a positive certificate verification, it creates a symmetric key and utilizes the server’s public key to encrypt information.
- The browser and server can encrypt and decrypt data after successfully installing the SSL certificate.
On receiving the SSL certificate from the server, the browser will chain the certificate to the root. The browser will track the certificate chain back to its root for verification purposes. In case of an invalid certificate, an error will be displayed.
Common Reasons that Trigger Python SSL Certificate_Verify_Failed Error:
Expired/Invalid SSL Certificate:
All SSL certificates secure the web for a fixed period since they expire and need to be renewed regularly. If the SSL certificate is expired, the browser will not be able to identify the same and may display the above-stated Python error.
The browser also verifies the Certificate Revocation list, and in case of positive verification, it will instantly display the error message and refrain communicating with the server.
Issues arising from SSL Certificate Chain:
An SSL certificate comprises a chain of certificates, including the root, intermediate, and leaf certificates.
As shown in the above image, single or multiple intermediate certificates like the leaf certificates with the root certificate. This SSL chain proves the authenticity of the SSL certificate to the browser.
If this chain is incomplete or broken, the browser will instantly reject the server’s certificate since it cannot verify it and display the Python’s Certificate_Verify_Failed error.
Outdated Python Default Certificates:
There are chances that the Python default certificates are outdated and hence they fail to be updated with the Root certificate. This may cause the browser in failing to verify the SSL certificate displayed by the server. Therefore, this reason can also trigger the Python error.
How to Fix SSL CERTIFICATE_VERIFY_FAILED Error in Python?
All SSL errors look terrifying and difficult to handle, but some simple solutions can help fix them. The SSL Certificate_Verify_Failed error can be resolved by implementing the below-stated solutions.
Generating SSL Context without Certificate Verification:
This is a risky solution because creating an SSL context without positive certificate verification can lead to an unsecured browser-server connection, thus enhancing vulnerabilities.
If you still wish to eliminate the error with this solution, use the create_unverified_context() function from the Python SSL module.
Use the Command:
import ssl
context = ssl._create_unverified_context()
urllib.request.urlopen(req,context=context)
Create SSL Context without HTTPS Certificate Verification:
When an HTTPS (hypertext transfer protocol secure) request is made in Python, the SSL certificate installed on the server is verified by default.
To modify this process and to proceed without HTTPS certificate verification, you can use the create_default_https_context() and _create_unverified_context() functions from the SSL module in Python.
Use the Command:
import ssl
ssl._create_default_https_context = ssl._create_unverified_context urllib2.urlopen("https://google.com").read()
Update the SSL Certificate Bundle using PIP:
PIP, i.e., package installer for Python helps authorize the installation of Python packages. Python packages like the certifi package comprise a collection of SSL certificates.
Update your systems by installing the latest version of these certifi packages. This will include all the current SSL certificates in your system.
Use the Command:
pip install –upgrade certify
Use a Trusted Host for PIP Rectification:
PIP is the acronym of the Preferred Installed Programme and is used for installing Python packages. During the installation process, if you come across an error stating, Could not fetch URL https://pypi.org
it may have occurred due to the Certificate_Verify_Failed error.
The simplest way to eliminate this error is to add the URL as a trusted host. This will permit the installation of Python, by bypassing the SSL certificate check.
To add the trusted host to the URL, use the command:
$ pip install –trusted-host pypi.org \
–trusted hostfiles.pythonhosted.org \
Use the Requests Module & Set SSL Verification to False:
Yet another solution to fix the Python error is to go to the request library in Python, and disable SSL verification by modifying the “verify” parameter to “False”
Use the Command:
requests.get(URL, headers=Hostreferer,verify=False)
Manage Intranet Configurations to Prevent Verification Failures:
When values like platform default
are enabled, they change the certificate verification during the release of new Python versions. If you are using a version supporting the PYTHONHTTPSVERIFY
variable, the same can be set to default mode for multiple programs.
To enable default verification for specific programs, use the command:
$ PYTHONHTTPSVERIFY=1 python /path/to/python-program.py
In case you wish to run varied programs with certificate verification, considering a few exceptions, use the command:
$ PYTHONHTTPSVERIFY=0 python /path/to/python-program.py
Another option to fix the above-stated error is to configure the program by compelling them to use internal CA certificates. By default, the Python SSL modules use prebuilt CA certificate bundles.
The intranet firewalls can block Python’s CA certificate if there are improper configurations. Hence, it is advisable to modify the variables to fix the error.
Wrapping Up
Python is a global programming language used for varied purposes like building apps, AI (Artificial Intelligence)/ML (Machine Learning) developments, etc.
If the certificate verification is improper, your system will not permit the installation of Python; hence, it is advisable to install the same error-free.
The above-stated solutions will help eliminate Python installation errors and permit a smooth installation process. Best Wishes!
Founder of DelftStack.com. Jinku has worked in the robotics and automotive industries for over 8 years. He sharpened his coding skills when he needed to do the automatic testing, data collection from remote servers and report creation from the endurance test. He is from an electrical/electronics engineering background but has expanded his interest to embedded electronics, embedded programming and front-/back-end programming.
LinkedIn Facebook