ssl.SSLCertVerificationError: certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

Question

I use the code below to achieve one-way authentication, the file ca.crt is generated by server

import ssl
import urllib.request

CERT_CA = './ca.crt'
context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.check_hostname = False
context.load_verify_locations(CERT_CA)
context.verify_mode = ssl.CERT_REQUIRED

server_api = 'https://xxxxxxxx'
request = urllib.request.Request(server_api, method='GET')
resp = urllib.request.urlopen(request, context=context)

but get the exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/urllib/request.py", line 1319, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/local/lib/python3.8/http/client.py", line 1230, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.8/http/client.py", line 1276, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.8/http/client.py", line 1225, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.8/http/client.py", line 1004, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.8/http/client.py", line 944, in send
    self.connect()
  File "/usr/local/lib/python3.8/http/client.py", line 1399, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/local/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "tst.py", line 20, in <module>
    resp = urllib.request.urlopen(request, context=context)
  File "/usr/local/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python3.8/urllib/request.py", line 525, in open
    response = self._open(req, data)
  File "/usr/local/lib/python3.8/urllib/request.py", line 542, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/local/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python3.8/urllib/request.py", line 1362, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/local/lib/python3.8/urllib/request.py", line 1322, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)>

certifi ==2020.6.20 and urllib3 ==1.25.10

How can I solve the problem, the request needs authentication, so please DON'T use something like verify=False .

Many thanks

---

the problem is solved, because I use the wrong server host address. the code above is effective for one-way authentication situation.

Answer 1

I've been able to resolve this by using a ca-bundle that I requested from my network administrator. This gets mapped to the REQUESTS_CA_BUNDLE environment variable:

# .bashrc
export REQUESTS_CA_BUNDLE=/path/to/cacert.pem

Restart your terminal and try to pip install again