Report #27422
[bug_fix] SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
Set the environment variable 'REQUESTS_CA_BUNDLE' (or 'CURL_CA_BUNDLE') to the path of the corporate proxy's CA certificate bundle (e.g., 'export REQUESTS_CA_BUNDLE=/path/to/corp-ca-bundle.crt'), or configure pip to trust the specific hosts using 'pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org ' (less secure, because pip then skips certificate verification for those hosts). The root cause is that pip/urllib3 cannot verify the TLS certificate chain because the corporate proxy intercepts TLS and presents a certificate signed by an internal CA that is not present in Python's default certifi bundle.
Journey Context:
A developer working inside a corporate network attempts to run 'pip install django'. The command hangs and then fails with 'SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:997)'. The developer verifies that 'curl https://pypi.org' also fails on the same machine, confirming network-level SSL interception. They realize the corporate proxy performs TLS inspection, replacing PyPI's certificate with one signed by the company's internal Root CA. Python's bundled 'certifi' package does not include this internal CA, causing verification to fail. The developer initially tries 'pip install --trusted-host pypi.org', which works but is insecure and tedious. They then obtain the company's 'corp-root-ca.crt' file from IT. By setting 'export REQUESTS_CA_BUNDLE=/path/to/corp-root-ca.crt' (or 'SSL_CERT_FILE' for the 'ssl' module), pip's underlying urllib3 can now validate the proxy's certificate against the custom CA, and installations proceed securely.
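'REQUESTS_CA_BUNDLE' replaces the default trust store rather than extending it, so a bundle holding only the internal root stops validating any host the proxy does not intercept. The following added example (not part of the original report, and going beyond its single-file case) appends the internal root to a copy of the default bundle; the function names and the sample PEM blocks are constructed for illustration.

```python
import hashlib
import re
import ssl

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)

def pem_certs(text):
    """Map SHA-256 fingerprint -> PEM block for each certificate in text."""
    certs = {}
    for block in CERT_BLOCK.findall(text):
        der = ssl.PEM_cert_to_DER_cert(block)  # ValueError on malformed base64
        certs[hashlib.sha256(der).hexdigest()] = block
    return certs

def merge_bundles(default_pem, corp_pem):
    """Return (combined bundle text, fingerprints newly added from corp_pem)."""
    if "PRIVATE KEY-----" in corp_pem:
        raise ValueError("input contains a private key; a trust bundle holds certificates only")
    corp = pem_certs(corp_pem)
    if not corp:
        raise ValueError("no PEM certificate found; convert DER to PEM first")
    base = pem_certs(default_pem)
    added = [fp for fp in corp if fp not in base]
    merged = {**base, **corp}  # keyed by fingerprint, so re-running adds nothing
    return "\n".join(merged.values()) + "\n", added

# Constructed stand-ins: arbitrary bytes in PEM armour, not real certificates.
PUBLIC_ROOT = ssl.DER_cert_to_PEM_cert(b"constructed public root")
CORP_ROOT = ssl.DER_cert_to_PEM_cert(b"constructed corporate root")

if __name__ == "__main__":
    combined, added = merge_bundles(PUBLIC_ROOT, CORP_ROOT)
    print(len(pem_certs(combined)), "certificates in bundle;", len(added), "added")
    # With real files: write `combined` to a path and export REQUESTS_CA_BUNDLE to it.
```

With real files, pass in the contents of the default bundle (for example the file returned by 'certifi.where()') and of the corporate root, write the result to disk, and point 'REQUESTS_CA_BUNDLE' at that path.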
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-18T00:25:28.904809+00:00 — report_created — created