Error: SSL Certificate Verification Failed

Issue

During the deployment process, the command fails with a [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate error.

Environment

Fivetran Connector SDK

Resolution

1. Try uninstalling Python from your system and reinstalling it. If the issue persists, follow the next steps.

2. Update certificate packages:

   python -m pip install --upgrade certifi urllib3
   

3. Check your certificate paths:

   python -c "import ssl; print(ssl.get_default_verify_paths())"
   

   If the output for ssl.get_default_verify_paths() looks like this:

   DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/opt/homebrew/etc/openssl@3/cert.pem', ...)
   

   It indicates Python is using Homebrew's OpenSSL, but no default cafile is set.

   The provided example output is for macOS. To verify this issue on any operating system, check if cafile=None and capath=None are present in the output.

4. Depending on your operating system, follow the appropriate steps:

   • On macOS:

     i. Set environment variables:

     export SSL_CERT_FILE=/opt/homebrew/etc/openssl@3/cert.pem  
     export REQUESTS_CA_BUNDLE=/opt/homebrew/etc/openssl@3/cert.pem
     

     If using a virtual environment, set these variables within the environment.

     ii. Verify the certificate file exists:

     ls -la /opt/homebrew/etc/openssl@3/cert.pem
     

     If the file does not exist:

     brew update && brew reinstall openssl@3 ca-certificates
     

     iii. Run the Install Certificates script:

     Replace 3.x with your Python version:

     /Applications/Python\ 3.x/Install\ Certificates.command
     

   • On Linux:

     i. Set environment variables:

     export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt  
     export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
     

     If using a virtual environment, set these variables within the environment.

     ii. Verify the certificate file exists:

     ls -la /etc/ssl/certs/ca-certificates.crt
     

     If the file does not exist:

     sudo apt-get update  
     sudo apt-get install --reinstall ca-certificates openssl
     

   • On Windows:

     i. Update root certificates via Windows Update

     ii. Locate certifi's certificate file:

     python -c "import certifi; print(certifi.where())"
     

     iii. Set environment variables:

     • Command Prompt:

       set SSL_CERT_FILE=C:\path\to\your\cert.pem  
       set REQUESTS_CA_BUNDLE=C:\path\to\certifi\cacert.pem
       

     • PowerShell:

       $env:SSL_CERT_FILE = "C:\path\to\your\cert.pem"  
       $env:REQUESTS_CA_BUNDLE = "C:\path\to\certifi\cacert.pem"
       

     If using a virtual environment, set these variables within the environment.

     iv. If needed, install or update the Win32 OpenSSL package:

     https://slproweb.com/products/Win32OpenSSL.html

Cause

This issue occurs when the API request to create the connection fails because Python cannot verify SSL certificates for secure connections. Common causes include:

• Missing or outdated system certificate store
• Python not configured to use the system's certificates
• Network configurations (e.g., proxies) interfering with certificate validation
• Environment variables pointing to non-existent certificate files