Fixing CERTIFICATE_VERIFY_FAILED
This post is about fixing the
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
error. It can arise when trying to reach an HTTPS endpoint
using Python's "requests" library.
The error occurs because the server uses a certificate that was not
issued by a certificate authority (CA) in the default list of
trusted CAs used by Python's "requests" module.
The following are the common reasons for this error:
1. The server employs a self-signed certificate, which means it lacks the endorsement of a trusted Certificate Authority (CA).
2. The requests module is utilizing an outdated roster of trusted certificate authorities (CAs).
3. The server is under attack.
Most of the time the cause will be #1 or #2.
If the client has an outdated list of trusted certificates, it should
update its certificate database. If you are using a self-signed
certificate, the following is the process to update the certificate list.
Obtain the server certificate:
$ openssl s_client -connect example.com:443 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE/,/END CERTIFICATE/p'>new-ss-cert.pem
Copy it to the required place:
$ sudo cp new-ss-cert.pem /etc/pki/ca-trust/source/anchors/
Run the trust updater:
$ sudo update-ca-trust
You can verify the trust status:
$ trust list --filter=ca-anchors
# output
pkcs11:id=%54%62%70%63%F1%75%84%43%58%8E%D1%16%20%B1…%BC%F6%89;type=cert
type: certificate
label: vTrus Root CA
trust: anchor
category: authority
If you just want to fix the Python script, you can use
requests.get(url, verify="/path/to/new-ss-cert.pem")
or, to bypass SSL verification altogether (the connection is then no longer protected against cause #3), you may use
requests.get(url, verify=False)
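A certificate captured with openssl s_client is only worth trusting if it really is the server's own, so the sketch below compares its SHA-256 fingerprint with one obtained out of band before it is copied to the anchors directory or passed to verify=. This is an added example, not code from the original post; the function names are hypothetical, the expected fingerprint is assumed to come from the server's operator, and the sample data is constructed placeholder bytes rather than a real certificate.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def extract_pem(s_client_output: str) -> str:
    """Return the first PEM block, like the sed filter in the article."""
    match = PEM_RE.search(s_client_output)
    if match is None:
        raise ValueError("no certificate found in s_client output")
    return match.group(0)

def sha256_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes, colon-separated upper-case hex."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_pin(pem: str, expected: str) -> bool:
    """True if the captured cert has the fingerprint obtained out of band."""
    def norm(fp: str) -> str:
        return fp.replace(":", "").replace(" ", "").lower()
    return norm(sha256_fingerprint(pem)) == norm(expected)

def pem_to_trust(s_client_output: str, expected: str) -> str:
    """Return the PEM to install or pass to verify=, refusing on a mismatch."""
    pem = extract_pem(s_client_output)
    if not matches_pin(pem, expected):
        raise ValueError("fingerprint mismatch: do not trust this certificate")
    return pem

# Constructed sample data: placeholder bytes, not a real X.509 certificate.
SAMPLE_DER = bytes(range(48))
OTHER_DER = bytes(range(1, 49))  # stands in for an unexpected certificate

def fake_s_client_output(der: bytes) -> str:
    """Constructed stand-in for `openssl s_client` output."""
    return ("CONNECTED(00000003)\n---\nServer certificate\n"
            + ssl.DER_cert_to_PEM_cert(der) + "subject=CN = example.com\n")

if __name__ == "__main__":
    pin = sha256_fingerprint(ssl.DER_cert_to_PEM_cert(SAMPLE_DER))
    print("expected:", pin)
    print(len(pem_to_trust(fake_s_client_output(SAMPLE_DER), pin)), "chars accepted")
    try:
        pem_to_trust(fake_s_client_output(OTHER_DER), pin)
    except ValueError as exc:
        print("rejected:", exc)
```

For a real certificate, the value returned by sha256_fingerprint can be compared with the output of openssl x509 -noout -fingerprint -sha256 run on the same PEM file.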