SSL errors in python 3.13

javidr · April 24, 2025, 10:33am

Hi

I am using a self signed certificate and, when using it in python 3.9, it works fine, but when using it with python 3.13, i have this error

requests.exceptions.SSLError: HTTPSConnectionPool(host=‘XXX’, port=443): Max retries exceeded with url: /XXX (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1028)’)))

any idea what can i do to fix it? Using verify=False is not an option, as i am using a library that uses requests inside.

Moreover i want to understand why 3.9 didnt fail but 3.13 does, what has changed between both versions?
Thanks

peterc · April 24, 2025, 12:13pm

Do you have the same version of requests installed for both python versions? (most recent is requests==2.32.3)

What’s the actual line of code that causes the error?

javidr · April 24, 2025, 2:37pm

Hi. Yes, same version of urllib3 and requests

File “/opt/homebrew/lib/python3.13/site-packages/requests/api.py”, line 73, in get
return request(“get”, url, params=params, **kwargs)
File “/opt/homebrew/lib/python3.13/site-packages/requests/api.py”, line 59, in request
return session.request(method=method, url=url, **kwargs)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File “/opt/homebrew/lib/python3.13/site-packages/requests/sessions.py”, line 589, in request
resp = self.send(prep, **send_kwargs)
File “/opt/homebrew/lib/python3.13/site-packages/requests/sessions.py”, line 703, in send
r = adapter.send(request, **kwargs)
File “/opt/homebrew/lib/python3.13/site-packages/requests/adapters.py”, line 698, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool …

peterc · April 24, 2025, 3:10pm

This isn’t actually the code you’re running. Ideally you’d even post a minimal example. Use “preformatted text” (ctrl+e) to format your code.

I believe this error occurs because the python standard library has become stricter about certificate validation in recent versions.

To fix it, you can try including

import os
os.environ['REQUESTS_CA_BUNDLE'] = '/path/to/your/cabundle.pem'

in your code.
(Update the path to be the actual path)

If that works, you should consider running export REQUESTS_CA_BUNDLE=/path/to/your/self_signed_cert.pem in bash or your OS’s equivalent.

javidr · April 24, 2025, 3:23pm

yeah thats the part of request that is failing, in my code is just a request.get(url)

is there any way to configure at global level that CA certificate, or even better, tell python to accept self signed certificates? it would be a pain to modify all my applications to export that env var

Thanks

peterc · April 24, 2025, 4:00pm

that’s what export REQUESTS_CA_BUNDLE=/path/to/your/self_signed_cert.pem should do.

if the os.envon thing fixes a script, just google REQUESTS_CA_BUNDLE and you’ll get there.