Resolving Python requests SSL Certificate Verification Failure: Unable to Get Local Issuer Certificate

Nov 20, 2025 · Programming

Keywords: Python | requests | SSL certificate verification | certifi | certificate chain | HTTPS

Abstract: This article analyzes the SSL certificate verification errors encountered when making HTTPS requests with the Python requests library, in particular the 'unable to get local issuer certificate' error. Starting from the SSL certificate verification mechanism, it explains how certificate chain validation works and focuses on solutions that use the certifi module for CA certificate management, including locating certificate files, downloading missing certificates, and updating certificate chains. The article also discusses special handling in enterprise proxy environments, providing complete code examples and operational guidelines to help developers completely resolve SSL certificate verification problems.

Problem Background and Error Analysis

When using the Python requests library for HTTPS requests, SSL certificate verification failures are common, and one of the most frequent error messages is "unable to get local issuer certificate". This error typically occurs during certificate chain verification, when the client cannot find or verify the intermediate certificate authority's certificate.

The SSL/TLS protocol requires clients to validate the server certificate before establishing a secure encrypted connection. This process includes checking whether the certificate was issued by a trusted Certificate Authority (CA), whether the certificate is within its validity period, whether the certificate's domain name matches, and so on. When the certificate chain is incomplete or intermediate certificates are missing, verification fails.

Certificate Chain Verification Mechanism

Complete SSL certificate verification requires building a complete certificate trust chain. A typical certificate chain contains three levels:

When clients verify server certificates, they need to be able to trace back to trusted root certificates. If intermediate certificates are missing or untrusted, it results in the "unable to get local issuer certificate" error.

Solution: Using certifi for CA Certificate Management

By default, the Python requests library uses the CA certificate bundle provided by the certifi module for SSL verification. Certifi is a carefully maintained collection of root certificates based on Mozilla's CA Certificate Program.

First, install the certifi module:

pip install certifi

To obtain the certificate file path:

import certifi
print(certifi.where())

This outputs a path similar to:

C:\Users\[Username]\AppData\Local\Programs\Python\Python37-32\lib\site-packages\certifi\cacert.pem

Fixing Missing Intermediate Certificates

The "unable to get local issuer certificate" error is usually caused by missing intermediate certificates. The repair steps are as follows:

  1. Access the target website in a browser and view the complete certificate chain. Modern browsers typically display a "Certificate Path" in the certificate details.

  2. Download missing intermediate certificates. In certificate details, you can find download links for intermediate certificates, or download them via URLs provided in the "Authority Information Access" field.

  3. Save downloaded certificates in Base64-encoded .cer format.

  4. Open the cacert.pem file with a text editor and add the downloaded certificate content (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers) to the end of the file.

Operation example code:

import certifi
import requests

# Get certificate file path
ca_path = certifi.where()
print(f"CA certificate path: {ca_path}")

# Make requests using updated certificates
url = 'https://target-website.com'
response = requests.get(url, verify=ca_path)
print(f"Status code: {response.status_code}")
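The steps above append to certifi's own cacert.pem, which is replaced whenever the certifi package is upgraded. The following added example (not code from the original article) writes the merged result to a separate bundle file instead, skips certificates already present, and rejects a file that was saved as binary DER rather than Base64. The function names and file names are assumptions, and the sample blocks in demo() are constructed placeholders, not real certificates.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Map SHA-256 fingerprint -> normalized PEM block for each certificate in text."""
    found = {}
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        found[hashlib.sha256(der).hexdigest()] = (
            f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n")
    return found

def build_bundle(base_bundle, extra_files, out_path):
    """Copy base_bundle to out_path, appending the certificates it lacks.
    Returns the fingerprints that were appended."""
    base_text = Path(base_bundle).read_text(encoding="utf-8")
    known, added = set(pem_certs(base_text)), {}
    for path in extra_files:
        # errors="replace" lets a binary DER export reach the check below
        certs = pem_certs(Path(path).read_text(encoding="utf-8", errors="replace"))
        if not certs:
            raise ValueError(f"{path}: no Base64 (PEM) certificate found")
        for fp, pem in certs.items():
            if fp not in known:
                known.add(fp)
                added[fp] = pem
    Path(out_path).write_text(
        base_text.rstrip("\n") + "\n" + "".join(added.values()), encoding="utf-8")
    return sorted(added)

def demo():
    """Run on constructed placeholder blocks (not real certificates)."""
    def fake(payload):
        return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(payload).decode()
                + "\n-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as d:
        base, extra, out = (Path(d) / n for n in ("cacert.pem", "inter.cer", "custom.pem"))
        base.write_text("# constructed root\n" + fake(b"root-A"), encoding="utf-8")
        # the extra file repeats root-A, which must not be appended twice
        extra.write_text(fake(b"intermediate-B") + fake(b"root-A"), encoding="utf-8")
        added = build_bundle(base, [extra], out)
        return added, len(pem_certs(out.read_text(encoding="utf-8")))
```

With real files, pass certifi.where() as base_bundle and hand the resulting out_path to verify= in requests.get.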

Special Handling in Enterprise Proxy Environments

In enterprise network environments, proxy servers often perform SSL traffic inspection, which replaces the original certificate chain. There are several ways to handle this:

For Windows users, you can install the python-certifi-win32 package:

pip install python-certifi-win32

This package automatically integrates certificates from the Windows system certificate store into Python's SSL verification, eliminating the need for manual certificate file management.

Another solution is to use environment variables to specify additional CA certificates:

import os
os.environ['REQUESTS_CA_BUNDLE'] = '/path/to/your/ca-bundle.crt'

Or specify certificate bundles for specific requests:

import requests

url = 'https://target-website.com'
response = requests.get(url, verify='/path/to/your/ca-bundle.crt')

Best Practices for Certificate Verification

Although SSL verification can be disabled by setting verify=False, this poses serious security risks and is not recommended for production environments. Correct practices include:

To update certifi:

pip install --upgrade certifi

Troubleshooting Tools

OpenSSL command-line tools can be used to diagnose certificate problems:

openssl s_client -connect target-website:443 -showcerts

This displays the complete certificate chain returned by the server, helping identify missing intermediate certificates.
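To read that output systematically, the following added example (not part of the original article) parses the "Certificate chain" summary printed by openssl s_client and walks it from the leaf toward a root, returning the issuer that neither the server nor the local trust store supplies. The sample output, the names in it and the trusted-root set are constructed; matching by name only is a simplification of real path validation, which also checks signatures.

```python
import re

# One chain entry: " 0 s:<subject>" followed by "   i:<issuer>"
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.M)

def served_chain(s_client_output):
    """Return [(depth, subject, issuer)] for each certificate the server sent."""
    return [(int(d), s.strip(), i.strip())
            for d, s, i in ENTRY.findall(s_client_output)]

def find_break(chain, trusted_subjects):
    """Return None if the chain reaches a trusted subject, otherwise the
    issuer name that is neither served nor trusted (the 'local issuer'
    the client is unable to get)."""
    if not chain:
        raise ValueError("no certificates found in output")
    issuer_of = {subject: issuer for _, subject, issuer in chain}
    _, subject, issuer = chain[0]
    seen = set()
    while True:
        if issuer in trusted_subjects:
            return None
        # untrusted self-signed cert, unknown issuer, or a loop: stop here
        if issuer == subject or issuer not in issuer_of or issuer in seen:
            return issuer
        seen.add(issuer)
        subject, issuer = issuer, issuer_of[issuer]

# Constructed sample: the server sends only its leaf certificate.
LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = app.example.test
   i:O = Example Trust, CN = Example Issuing CA 1
---
"""
# Constructed sample: the server also sends the intermediate.
FULL_CHAIN = LEAF_ONLY.replace("---\n", "", 1).rstrip("-\n") + """
 1 s:O = Example Trust, CN = Example Issuing CA 1
   i:O = Example Trust, CN = Example Root CA
---
"""
# Assumed contents of the local trust store (subjects of trusted roots).
TRUSTED = {"O = Example Trust, CN = Example Root CA"}

if __name__ == "__main__":
    print(find_break(served_chain(LEAF_ONLY), TRUSTED))
    print(find_break(served_chain(FULL_CHAIN), TRUSTED))
```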

Additionally, online SSL checking tools can be used to verify server configuration, ensuring intermediate certificates are correctly installed and accessible to clients.

Conclusion

The key to resolving the "unable to get local issuer certificate" error lies in ensuring a complete certificate trust chain. By using the certifi module properly, keeping CA certificates up to date, and handling intermediate certificates correctly, secure HTTPS connections can be established. In enterprise environments, the special configuration requirements of proxy servers also need to be considered. Following these best practices can effectively avoid SSL certificate verification failures, ensuring application security and stability.
