Keywords: Python | macOS | SSL certificate verification | environment variable configuration | enterprise intranet development
Abstract: This technical article examines the underlying reasons why Python fails to automatically recognize custom root certificates stored in macOS's system trust store (KeyChain) and provides a comprehensive solution based on environment variable configuration. By analyzing Python's SSL certificate verification mechanism, the article details how to force Python to use custom certificate bundles through the SSL_CERT_FILE and REQUESTS_CA_BUNDLE environment variables, effectively resolving the frequent CERTIFICATE_VERIFY_FAILED errors encountered in corporate intranet environments.
In macOS development environments, many developers encounter a perplexing issue: while system-level applications (such as browsers and the curl command) correctly recognize and trust custom root certificates installed in KeyChain, Python scripts frequently throw urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)> errors. This phenomenon is particularly common in corporate intranet environments, where organizations typically deploy their own certificate authorities (CAs) to issue SSL certificates for internal services.
Root Cause Analysis
To understand the essence of this problem, one must examine Python's SSL implementation mechanism. macOS uses KeyChain as a unified certificate trust store, with native system applications and tools (including the system-provided curl) accessing these certificates through the Security Framework. However, Python's SSL module does not directly integrate with KeyChain but instead relies on the OpenSSL library's certificate verification mechanism.
The situation became more complex starting with Python 3.6. Python no longer uses the system-provided OpenSSL but bundles its own version. This means Python's SSL module is completely decoupled from macOS's certificate management system and cannot automatically access certificates stored in KeyChain. While this design choice improves cross-platform consistency, it creates a disconnect from macOS's certificate ecosystem.
Core Solution
The most direct and effective solution is to explicitly specify certificate files through environment variables. Both Python's SSL module and the popular requests library support overriding default certificate lookup paths via environment variables:
SSL_CERT_FILE=/path/to/cert.pem
REQUESTS_CA_BUNDLE=/path/to/cert.pemThese two environment variables serve slightly different purposes: SSL_CERT_FILE affects certificate verification in Python's standard library ssl module, while REQUESTS_CA_BUNDLE is specific to the requests library. In enterprise environments, it's usually necessary to set both variables to ensure all Python tools work correctly.
Certificate Bundle Creation and Configuration
The key to the environment variable solution lies in creating a PEM-format file containing all necessary certificates. This file should include:
- Certificates from public root certificate authorities
- Certificates from internal enterprise CAs
- Any required self-signed certificates
This certificate bundle can be created in several ways. One approach is to use macOS's security command to export system certificates:
security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o system_certs.pemFor internal enterprise certificates, if they've been added to the system KeyChain, they can be exported similarly:
security export -t certs -f pemseq -k /Library/Keychains/System.keychain -o internal_certs.pemThen merge these files:
cat system_certs.pem internal_certs.pem > combined_certs.pemPermanent Configuration
To make the configuration persist, it's recommended to add environment variable settings to shell configuration files. For bash users, edit the ~/.bash_profile file:
export SSL_CERT_FILE=/path/to/combined_certs.pem
export REQUESTS_CA_BUNDLE=/path/to/combined_certs.pemAfter configuration, restart the terminal or execute source ~/.bash_profile to apply the settings.
Alternative Solutions Comparison
Besides the environment variable method, several other solutions exist, each with its own advantages and disadvantages:
Using the certifi package: Install the certifi package via pip install certifi, which provides a well-maintained certificate bundle. This method is simple and easy to use but may not include internal enterprise certificates.
Python 3.6+ certificate installation script: Python 3.6 and later provide the Install Certificates.command script, which can install certifi's certificate bundle. This method works well for newly installed Python versions but may not be flexible enough for enterprise environments.
Symbolic link approach: Some developers suggest creating symbolic links to point system certificates to locations expected by Python. This method is somewhat hacky and may break during system updates.
Best Practices Recommendations
Based on actual enterprise environment needs, the following best practices are recommended:
- Establish a centralized certificate management policy to ensure all development machines use the same certificate configuration
- Store certificate bundle files in version control systems for easy team sharing and updates
- Include certificate configuration as part of base images in Docker containers or virtual environments
- Regularly update certificate bundles, removing expired certificates and adding new root certificates
- Configure identical certificate environments in CI/CD pipelines to ensure consistency between development and deployment environments
By implementing these solutions, developers can completely resolve Python's inability to use the system trust store on macOS, significantly improving development efficiency while ensuring secure access to enterprise intranet services.