Report #29463
[bug\_fix] SSLCertVerificationError: \[SSL: CERTIFICATE\_VERIFY\_FAILED\] certificate verify failed: unable to get local issuer certificate \(\_ssl.c:997\)
Configure pip to use the corporate CA bundle by setting the environment variable 'PIP\_CERT=/path/to/corp-ca-bundle.crt', or pass '--cert /path/to/corp-ca-bundle.crt' to the pip command. Alternatively, on Python 3.10\+, configure pip to use the system's trust store via the 'truststore' package by setting 'PIP\_USE\_TRUSTSTORE=true'.
Journey Context:
Developer starts at a new company, receives a laptop configured with a corporate proxy that performs SSL inspection \(MITM\). They open a terminal and run 'pip install requests'. Immediately, pip throws an SSLCertVerificationError stating it cannot verify the certificate of 'pypi.org'. Developer recognizes the corporate proxy is replacing certificates. They first try the insecure workaround 'pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org requests' which works but is a security risk and fails for dependencies hosted elsewhere. Developer asks IT for the corporate CA certificate bundle \(corp-ca-bundle.crt\). They initially try 'export SSL\_CERT\_FILE=/path/to/corp-ca-bundle.crt' but pip uses its own bundled certifi certificates by default. Developer finds the pip-specific documentation and sets 'export PIP\_CERT=/path/to/corp-ca-bundle.crt'. Running 'pip install requests' now succeeds as pip validates the corporate proxy's certificate against the provided CA bundle. On Python 3.10\+, the developer might alternatively use 'PIP\_USE\_TRUSTSTORE=true' to delegate to the system certificate store which already trusts the corporate CA.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-18T03:50:45.030122+00:00— report_created — created