Why do I receive 'unable to get local issuer certificate (_ssl.c:997)'

Question

When sending a request to a specific URL I get an SSL error and I am not sure why. First please see the error message I am presented with:

requests.exceptions.SSLError: HTTPSConnectionPool(host='dicmedia.korean.go.kr', port=443): Max retries exceeded with url: /multimedia/naver/2016/40000/35000/14470_byeon-gyeong.wav (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

I already tried:

• https://github.com/Unbabel/COMET/issues/29 (This seems to be related with an internal update Python received relating to the use of specific SSL certificates (not an expert here)
• Downloading the certificate in question and directly linking to it with verify="private/etc/ssl/certs"

I am honestly at loss why I receive this error. As the error message itself indicates it seems that the server in question could get my local certificates somehow. The script worked until a week before. I did not update Python before then. Right now I use python 3.10.2 downloaded from the official website.

I don't want to set verify=False as this just skips the verification process and leaves me vulnerable as numerous people already pointed out at different questions. Besides that it really bothers me that I can't resolve the error.

Any help is much appreciated. See the specific request:

import requests

def request(url):
    response = requests.get(url, verify="/private/etc/ssl/certs")
    print(response)

request("https://dicmedia.korean.go.kr/multimedia/naver/2016/40000/35000/14470_byeon- 
gyeong.wav")

Answer 1

I believe Twilio servers changes certificates a few days ago or something, as this worked perfectly for a few days then started failing with this error.

After spending a few good hours on this, I ended up recreating the venv which refreshed the client certificates in .venv\Lib\site-packages\certifi and it solves the issue!

Answer 2

The problem was that not all certificates needed were included in Python's cacert.pem file. To tackle this I downloaded the certifi module at first. As this didn't work out as well I suppose as certifi also missed the necessary certificates.

But I suppose not all certificates in the certificate where missing. As answers to similar questions indicated as well mostly what is missing is not the entire chain, but only the intermediate certificates.

After:

1. downloading the necessary certificates (see the lock symbol in your browser; if you're on OSX you need to drag and drop the big images of the certificates to your finder or desktop etc.),

2. converting them to .perm files and bundling them together: cat first_cert.pem second_cert.pem > combined_cert.pem

and

3. providing the specific path of the bundled certificates as indicated in my question: verify="private/etc/ssl/certs (you may of course choose a different file path).

my request got accepted by the server.

I guess my mistake when trying this solution was that I didn't download the entire chain at first, but only the last certificate.

I really hope this helps someone else as a point of reference.

What I am still dying to know though, is why the error popped up in the first place. I didn't change my script at all and use it on a regular basis, but suddenly got presented with said error. Was the reason that the server I tried to reach change its certificates?

Answer 3

I faced the same issue on MAC OS. My resolution: The issue was with my python installation. I went to the applications/ python folder and clicked on the install certificate command it got fixed after that.