Unable to get local issuer certificate when using requests
Question:
here is my code
import requests;
url='that website';
headers={
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Language':'zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7',
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36'
};
r = requests.get(url,headers=headers);
print(r);
print(r.status_code);
then it ran into this:
requests.exceptions.SSLError:
HTTPSConnectionPool(host=’www.xxxxxx.com’, port=44 3):
Max retries exceeded with url: xxxxxxxx (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
(_ssl.c:1045)’)))
what should i do?
Answers:
It’s not recommended to use verify = False in your organization’s environments. This is essentially disabling SSL verification.
Sometimes, when you are behind a company proxy, it replaces the certificate chain with the ones of Proxy. Adding the certificates in cacert.pem used by certifi should solve the issue. I had similar issue. Here is what I did, to resolve the issue –
- Find the path where cacert.pem is located –
Install certifi, if you don’t have. Command: pip install certifi
import certifi
certifi.where()
C:\Users\[UserID]\AppData\Local\Programs\Python\Python37-32\lib\site-packages\certifi\cacert.pem
-
Open the URL on a browser. Download the chain of certificates from the URL and save as Base64 encoded .cer files.
-
Now open the cacert.pem in a notepad and just add every downloaded certificate contents (---Begin Certificate--- *** ---End Certificate---) at the end.
You can also set REQUESTS_CA_BUNDLE env variable to force requests library to use your cert, that solved my issue.
If you have already tried to update the CA(root) Certificate using pip:
pip install --upgrade certifi
or have already downloaded the newest version of cacert.pem from https://curl.haxx.se/docs/caextract.html and replaced the old one in {Python_Installation_Location}\lib\site-packages\certifi\cacert.pem but it still does not work, then your client is probably missing the Intermediate Certificate in the trust chain.
Most browsers can automatically download the Intermediate Certificate using the URL in
"Authority Info Access" section in the Certificate, but Python, Java, and openssl s_client cannot. They rely on the server proactively sending them the intermediate certificate.
If you speak Chinese you can read this awesome blog: https://www.cnblogs.com/sslwork/p/5986985.html and use this tool to check if the intermediate certificate is sent by / installed on the server or not: https://www.myssl.cn/tools/check-server-cert.html
If you do not, you can check this article: https://www.ssl.com/how-to/install-intermediate-certificates-avoid-ssl-tls-not-trusted/
We can also use openssl in Linux to cross-check this issue:
openssl s_client -connect yourwebsite:443
The error message is even the same — "unable to get local issuer certificate". I doubt that "local" here actually means "intermediate".
My current solution for this problem is like @Indranil’s suggestion (https://stackoverflow.com/a/57466119/4522434): Export the Intermediate Certificate in browser using base64 X.509 CER format; then use Notepad++ to open it and copy the content into the end of cacert.pem in {Python_Installation_Location}\lib\site-packages\certifi\cacert.pem
If you’re using macOS, search for "Install Certificates.command" file (it is usually in Macintosh HD > Applications > your_python_dir).
You can also find it with "command" + "break space" and paste "Install Certificates.command" in the field.
If you used brew to install python, your solution is there:
brew installation of Python 3.6.1: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
I had the same problem. I was able to make requests against my server via the browser, but using python requests, I was getting the error mentioned above. Requests and certifi were both fully up to date; the problem ended up being my server’s configuration.
The problem was that I had only installed the intermediate cert instead of the full cert chain.
In my case, following this article, I simply ran cat my-domain.crt my-domain.ca-bundle > my-domain.crt-combined and installed the crt-combined file on my server (via heroku’s app settings interface) instead of the crt file.
This should solve your problem
This is because the url is a https site instead of http.
So it requires ssl verification using certificates. If you are working in your firms workstation, internal use sites will be accessible through the browser managed by your organization. The organization will have setup the certificates.
Atleast these certificates are needed
- ROOT CA certificate
- Intermediate CA certificate
- Website ( domain ) certificate
The browsers will have these certificates configured, but python will not. So you need to do some manual work to get it working.
As Indranil suggests, using verify=False is not recommended. So download all the certificates as mentioned in the above link and follow the steps.
Answers pointing to certifi are a good start and in this case there could be an additional step needed if on Windows.
pip install python-certifi-win32
The above package would patch the installation to include certificates from the local store without needing to manage store files manually. The patch was suggested to certifi but declined as "the purpose of certifi is not to be a cross-platform module to access the system certificate store." [https://github.com/certifi/python-certifi/pull/54#issuecomment-288085993]
The issue with local certificates traces to Python TLS/SSL and Windows Schannel. There is an open issue at Python [https://bugs.python.org/issue36011] and PEP that did not lead to a solution [https://www.python.org/dev/peps/pep-0543/#resolution]
In macOS just open Macintosh HD
Now Select Application Then Select Python folder ( Python3.6, Python3.7 Whatever You are using just select this folder )
Then, double click on Install Certificates.command. Now your error should be solved.
For me the solution was quite easy:
-
Download the certificate chain as PEM file. For that, I used Mozilla Firefox, viewed the certificate and clicked on the link "PEM (Chain)", see screenshot.
-
Following the documentation of requests, I added the verify parameter, i.e. it looked for me like requests.post(url, params, verify='/path/to/domain-chain.pem'), where domain-chain.pem is the file, that has been downloaded in step 1. The get function has also got the verify parameter. It is also possible, when using a session, see the example in the documentation.
Then it worked.
On my Windows machine behind a ZScaler proxy, none of the above solutions worked for me. I had to export and collect all my system certificates into a single PEM, which I made available for Python through the REQUESTS_CA_BUNDLE environment variable. I made the following PowerShell Core snippet to solve this.
ⓘ Note
The original solution assumed you have openssl installed, but I’ve updated it to not require.
function Set-CaCertsBundles
{
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
param(
[Parameter(HelpMessage = 'Environment variable target')]
[ValidateScript({ $_ -ne [System.EnvironmentVariableTarget]::Machine -or [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }, ErrorMessage = 'Cannot set machine environment variables without admin privileges')]
[ArgumentCompleter({ [System.Enum]::GetNames([System.EnvironmentVariableTarget]) })]
[System.EnvironmentVariableTarget]
$Target = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) ? [System.EnvironmentVariableTarget]::Machine : [System.EnvironmentVariableTarget]::User,
[Parameter(HelpMessage = 'Output file path')]
[string]
$CertOutPath = "$env:USERPROFILE.certsall.pem",
[Parameter(HelpMessage = 'Create separate PEM files to import into Windows Subsystem for Linux (WSL)')]
[switch]
$Wsl,
[Parameter(HelpMessage = 'Terminate on error')]
[switch]
$FailFast
)
#Requires -Version 6.0
begin
{
if ($FailFast)
{
trap { Write-Error -Exception $_; return } # Stop on error
}
$withOpenSSL = $false
if (-not(Get-Command -Name openssl.exe -ErrorAction SilentlyContinue))
{
if (Test-Path "$env:ProgramFilesOpenSSL-Win64bin")
{
$env:PATH += [System.IO.Path]::PathSeparator + "$env:ProgramFilesOpenSSL-Win64bin"
$withOpenSSL = $true
}
}
else
{
$withOpenSSL = $true # OpenSSL provides additional preamble on each PEM, which is nice for human-readability
}
# Collect the certs from the local machine
$certs = Get-ChildItem -Path Cert: -Recurse | Where-Object -FilterScript { $_.Thumbprint }
$certItem = (Test-Path -Path $CertOutPath -PathType Leaf) ? (Get-Item -Path $CertOutPath <# Get if exists #>) : (New-Item -Path $CertOutPath -ItemType File -Confirm:$ConfirmPreference -Force <# Create if not exists #> )
if ($null -eq $certItem -and $WhatIfPreference)
{
$certItem = [System.IO.FileInfo]::new($CertOutPath) # For WhatIf, indicates hypothetical output file (not created)
}
$envVars = 'GIT_SSL_CAINFO', 'AWS_CA_BUNDLE', 'CURL_CA_BUNDLE', 'NODE_EXTRA_CA_CERTS', 'REQUESTS_CA_BUNDLE', 'SSL_CERT_FILE'
}
process
{
for ($i = 0; $i -lt $certs.Count; $i++)
{
Write-Progress -Activity 'Copying certificates' -PercentComplete (100 * $i / $certs.Count)
if ($withOpenSSL)
{
$thumbprintCrt = Join-Path -Path $env:TEMP -ChildPath "$($certs[$i].Thumbprint).crt"
if (Test-Path -Path $thumbprintCrt -PathType Leaf)
{
$fs = [System.IO.FileStream]::new($thumbprintCrt, [System.IO.FileMode]::Open)
}
else
{
$fs = [System.IO.FileStream]::new($thumbprintCrt, [System.IO.FileMode]::Create)
}
try
{
$fs.Write($certs[$i].RawData, 0, $certs[$i].RawData.Length)
}
finally
{
$fs.Dispose()
}
openssl x509 -inform DER -in $thumbprintCrt -text | Add-Content -Path $certItem
if ($LASTEXITCODE -ne 0 -and $FailFast)
{
Write-Error -Message 'Could not create last pem; stopping script to prevent further errors'
return
}
Remove-Item -Path $thumbprintCrt
} else {
@"
-----BEGIN CERTIFICATE-----
$([System.Convert]::ToBase64String($certs[$i].RawData) -replace ".{64}","`$0`n")
-----END CERTIFICATE-----
"@ | Add-Content -Path $certItem
}
}
}
end
{
for ($i = 0; $i -lt $envVars.Count; $i++)
{
Write-Progress -Activity 'Setting environment variables' -Status $envVars[$i] -PercentComplete (100 * $i / $envVars.Count)
if ($PSCmdlet.ShouldProcess($envVars[$i], "Set environment variable to '$certItem'" ))
{
[Environment]::SetEnvironmentVariable($envVars[$i], $certItem.FullName, $Target)
}
}
}
}
I have reproduced this in the 
Github Gist.
In my case the problem was that the server that I was trying to reach (which I also administrate) had a outdated CA file. When I updated to the correct new one the problem was solved. The point is: maybe is not a problem in your local code, but in the endpoint server.
Another Way of Fixing This Error
settings.py
EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_PORT = 587
EMAIL_USE_TLS = True
EMAIL_HOST_USER = env('SENDER_EMAIL') # email_address
EMAIL_HOST_PASSWORD = env('SENDER_EMAIL_PASSWORD') # app_password
Use Below command to install certifi
pip install certifi
–> my python version was 3.8 and certifi version was 2020.11.8
–> execute below command
mac user
/Applications/Python 3.8/Install Certificates.command
windows user
C:your_full_pathPython38Install Certificates.bat
In my case the error message: certificate verify failed: unable to get local issuer certificate indicated that no certificates where loaded into the certstore at all. (Python 3.10.6)
On Windows the output of certifi.where() pointed to a valid cacert.pem file which 100% included the certificate and following all other suggestions did not fix the issue for me.
Install Certificates.bat isn’t an option anymore for newer python versions and not verifying certificates is neither a valid solution, nor always possible if you are just running a large application.
Executing the following command prints the file location where open_ssl is looking for the certificates:
>>> import ssl
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='C:\Program Files\Common Files\SSL/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='C:\Program Files\Common Files\SSL/certs')
Even though certifi was installed for no apparent reason it’s presents wasn’t considered. The solution in this case was to create the SSL folder and copy the cacert.pem file from the certifi folder to the mentioned path C:\Program Files\Common Files\SSL/cert.pem
The best solution for me (i am on python3.9) is to install with a :
python -m pip install pip-system-certs
This will import the certificates taking into account your OS
here is my code
import requests;
url='that website';
headers={
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Language':'zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7',
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36'
};
r = requests.get(url,headers=headers);
print(r);
print(r.status_code);
then it ran into this:
requests.exceptions.SSLError:
HTTPSConnectionPool(host=’www.xxxxxx.com’, port=44 3):
Max retries exceeded with url: xxxxxxxx (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
(_ssl.c:1045)’)))
what should i do?
It’s not recommended to use verify = False in your organization’s environments. This is essentially disabling SSL verification.
Sometimes, when you are behind a company proxy, it replaces the certificate chain with the ones of Proxy. Adding the certificates in cacert.pem used by certifi should solve the issue. I had similar issue. Here is what I did, to resolve the issue –
- Find the path where cacert.pem is located –
Install certifi, if you don’t have. Command:
pip install certifi
import certifi
certifi.where()
C:\Users\[UserID]\AppData\Local\Programs\Python\Python37-32\lib\site-packages\certifi\cacert.pem
-
Open the URL on a browser. Download the chain of certificates from the URL and save as Base64 encoded .cer files.
-
Now open the cacert.pem in a notepad and just add every downloaded certificate contents (
---Begin Certificate--- *** ---End Certificate---) at the end.
You can also set REQUESTS_CA_BUNDLE env variable to force requests library to use your cert, that solved my issue.
If you have already tried to update the CA(root) Certificate using pip:
pip install --upgrade certifi
or have already downloaded the newest version of cacert.pem from https://curl.haxx.se/docs/caextract.html and replaced the old one in {Python_Installation_Location}\lib\site-packages\certifi\cacert.pem but it still does not work, then your client is probably missing the Intermediate Certificate in the trust chain.
Most browsers can automatically download the Intermediate Certificate using the URL in
"Authority Info Access" section in the Certificate, but Python, Java, and openssl s_client cannot. They rely on the server proactively sending them the intermediate certificate.
If you speak Chinese you can read this awesome blog: https://www.cnblogs.com/sslwork/p/5986985.html and use this tool to check if the intermediate certificate is sent by / installed on the server or not: https://www.myssl.cn/tools/check-server-cert.html
If you do not, you can check this article: https://www.ssl.com/how-to/install-intermediate-certificates-avoid-ssl-tls-not-trusted/
We can also use openssl in Linux to cross-check this issue:
openssl s_client -connect yourwebsite:443
The error message is even the same — "unable to get local issuer certificate". I doubt that "local" here actually means "intermediate".
My current solution for this problem is like @Indranil’s suggestion (https://stackoverflow.com/a/57466119/4522434): Export the Intermediate Certificate in browser using base64 X.509 CER format; then use Notepad++ to open it and copy the content into the end of cacert.pem in {Python_Installation_Location}\lib\site-packages\certifi\cacert.pem
If you’re using macOS, search for "Install Certificates.command" file (it is usually in Macintosh HD > Applications > your_python_dir).
You can also find it with "command" + "break space" and paste "Install Certificates.command" in the field.
If you used brew to install python, your solution is there:
brew installation of Python 3.6.1: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
I had the same problem. I was able to make requests against my server via the browser, but using python requests, I was getting the error mentioned above. Requests and certifi were both fully up to date; the problem ended up being my server’s configuration.
The problem was that I had only installed the intermediate cert instead of the full cert chain.
In my case, following this article, I simply ran cat my-domain.crt my-domain.ca-bundle > my-domain.crt-combined and installed the crt-combined file on my server (via heroku’s app settings interface) instead of the crt file.
This should solve your problem
This is because the url is a https site instead of http.
So it requires ssl verification using certificates. If you are working in your firms workstation, internal use sites will be accessible through the browser managed by your organization. The organization will have setup the certificates.
Atleast these certificates are needed
- ROOT CA certificate
- Intermediate CA certificate
- Website ( domain ) certificate
The browsers will have these certificates configured, but python will not. So you need to do some manual work to get it working.
As Indranil suggests, using verify=False is not recommended. So download all the certificates as mentioned in the above link and follow the steps.
Answers pointing to certifi are a good start and in this case there could be an additional step needed if on Windows.
pip install python-certifi-win32
The above package would patch the installation to include certificates from the local store without needing to manage store files manually. The patch was suggested to certifi but declined as "the purpose of certifi is not to be a cross-platform module to access the system certificate store." [https://github.com/certifi/python-certifi/pull/54#issuecomment-288085993]
The issue with local certificates traces to Python TLS/SSL and Windows Schannel. There is an open issue at Python [https://bugs.python.org/issue36011] and PEP that did not lead to a solution [https://www.python.org/dev/peps/pep-0543/#resolution]
In macOS just open Macintosh HD
Now Select Application Then Select Python folder ( Python3.6, Python3.7 Whatever You are using just select this folder )
Then, double click on Install Certificates.command. Now your error should be solved.
For me the solution was quite easy:
-
Download the certificate chain as PEM file. For that, I used Mozilla Firefox, viewed the certificate and clicked on the link "PEM (Chain)", see screenshot.
-
Following the documentation of requests, I added the
verifyparameter, i.e. it looked for me likerequests.post(url, params, verify='/path/to/domain-chain.pem'), wheredomain-chain.pemis the file, that has been downloaded in step 1. Thegetfunction has also got theverifyparameter. It is also possible, when using a session, see the example in the documentation.
Then it worked.
On my Windows machine behind a ZScaler proxy, none of the above solutions worked for me. I had to export and collect all my system certificates into a single PEM, which I made available for Python through the REQUESTS_CA_BUNDLE environment variable. I made the following PowerShell Core snippet to solve this.
| ⓘ Note |
|---|
The original solution assumed you have openssl installed, but I’ve updated it to not require. |
function Set-CaCertsBundles
{
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
param(
[Parameter(HelpMessage = 'Environment variable target')]
[ValidateScript({ $_ -ne [System.EnvironmentVariableTarget]::Machine -or [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent().IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }, ErrorMessage = 'Cannot set machine environment variables without admin privileges')]
[ArgumentCompleter({ [System.Enum]::GetNames([System.EnvironmentVariableTarget]) })]
[System.EnvironmentVariableTarget]
$Target = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) ? [System.EnvironmentVariableTarget]::Machine : [System.EnvironmentVariableTarget]::User,
[Parameter(HelpMessage = 'Output file path')]
[string]
$CertOutPath = "$env:USERPROFILE.certsall.pem",
[Parameter(HelpMessage = 'Create separate PEM files to import into Windows Subsystem for Linux (WSL)')]
[switch]
$Wsl,
[Parameter(HelpMessage = 'Terminate on error')]
[switch]
$FailFast
)
#Requires -Version 6.0
begin
{
if ($FailFast)
{
trap { Write-Error -Exception $_; return } # Stop on error
}
$withOpenSSL = $false
if (-not(Get-Command -Name openssl.exe -ErrorAction SilentlyContinue))
{
if (Test-Path "$env:ProgramFilesOpenSSL-Win64bin")
{
$env:PATH += [System.IO.Path]::PathSeparator + "$env:ProgramFilesOpenSSL-Win64bin"
$withOpenSSL = $true
}
}
else
{
$withOpenSSL = $true # OpenSSL provides additional preamble on each PEM, which is nice for human-readability
}
# Collect the certs from the local machine
$certs = Get-ChildItem -Path Cert: -Recurse | Where-Object -FilterScript { $_.Thumbprint }
$certItem = (Test-Path -Path $CertOutPath -PathType Leaf) ? (Get-Item -Path $CertOutPath <# Get if exists #>) : (New-Item -Path $CertOutPath -ItemType File -Confirm:$ConfirmPreference -Force <# Create if not exists #> )
if ($null -eq $certItem -and $WhatIfPreference)
{
$certItem = [System.IO.FileInfo]::new($CertOutPath) # For WhatIf, indicates hypothetical output file (not created)
}
$envVars = 'GIT_SSL_CAINFO', 'AWS_CA_BUNDLE', 'CURL_CA_BUNDLE', 'NODE_EXTRA_CA_CERTS', 'REQUESTS_CA_BUNDLE', 'SSL_CERT_FILE'
}
process
{
for ($i = 0; $i -lt $certs.Count; $i++)
{
Write-Progress -Activity 'Copying certificates' -PercentComplete (100 * $i / $certs.Count)
if ($withOpenSSL)
{
$thumbprintCrt = Join-Path -Path $env:TEMP -ChildPath "$($certs[$i].Thumbprint).crt"
if (Test-Path -Path $thumbprintCrt -PathType Leaf)
{
$fs = [System.IO.FileStream]::new($thumbprintCrt, [System.IO.FileMode]::Open)
}
else
{
$fs = [System.IO.FileStream]::new($thumbprintCrt, [System.IO.FileMode]::Create)
}
try
{
$fs.Write($certs[$i].RawData, 0, $certs[$i].RawData.Length)
}
finally
{
$fs.Dispose()
}
openssl x509 -inform DER -in $thumbprintCrt -text | Add-Content -Path $certItem
if ($LASTEXITCODE -ne 0 -and $FailFast)
{
Write-Error -Message 'Could not create last pem; stopping script to prevent further errors'
return
}
Remove-Item -Path $thumbprintCrt
} else {
@"
-----BEGIN CERTIFICATE-----
$([System.Convert]::ToBase64String($certs[$i].RawData) -replace ".{64}","`$0`n")
-----END CERTIFICATE-----
"@ | Add-Content -Path $certItem
}
}
}
end
{
for ($i = 0; $i -lt $envVars.Count; $i++)
{
Write-Progress -Activity 'Setting environment variables' -Status $envVars[$i] -PercentComplete (100 * $i / $envVars.Count)
if ($PSCmdlet.ShouldProcess($envVars[$i], "Set environment variable to '$certItem'" ))
{
[Environment]::SetEnvironmentVariable($envVars[$i], $certItem.FullName, $Target)
}
}
}
}
I have reproduced this in the Github Gist.
In my case the problem was that the server that I was trying to reach (which I also administrate) had a outdated CA file. When I updated to the correct new one the problem was solved. The point is: maybe is not a problem in your local code, but in the endpoint server.
Another Way of Fixing This Error
settings.py
EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_PORT = 587
EMAIL_USE_TLS = True
EMAIL_HOST_USER = env('SENDER_EMAIL') # email_address
EMAIL_HOST_PASSWORD = env('SENDER_EMAIL_PASSWORD') # app_password
Use Below command to install certifi
pip install certifi
–> my python version was 3.8 and certifi version was 2020.11.8
–> execute below command
mac user
/Applications/Python 3.8/Install Certificates.command
windows user
C:your_full_pathPython38Install Certificates.bat
In my case the error message: certificate verify failed: unable to get local issuer certificate indicated that no certificates where loaded into the certstore at all. (Python 3.10.6)
On Windows the output of certifi.where() pointed to a valid cacert.pem file which 100% included the certificate and following all other suggestions did not fix the issue for me.
Install Certificates.bat isn’t an option anymore for newer python versions and not verifying certificates is neither a valid solution, nor always possible if you are just running a large application.
Executing the following command prints the file location where open_ssl is looking for the certificates:
>>> import ssl
>>> ssl.get_default_verify_paths()
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='C:\Program Files\Common Files\SSL/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='C:\Program Files\Common Files\SSL/certs')
Even though certifi was installed for no apparent reason it’s presents wasn’t considered. The solution in this case was to create the SSL folder and copy the cacert.pem file from the certifi folder to the mentioned path C:\Program Files\Common Files\SSL/cert.pem
The best solution for me (i am on python3.9) is to install with a :
python -m pip install pip-system-certs
This will import the certificates taking into account your OS