You can set the environment variable REQUESTS_CA_BUNDLE so you don't have to modify your code:

export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/hbrls-server.cert

Source: https://requests.readthedocs.io/en/master/user/advanced/#ssl-cert-verification

Answer from Marc Abramowitz on Stack Overflow
🌐
Stack Overflow
stackoverflow.com › questions › 31448854 › how-to-force-requests-use-the-certificates-on-my-ubuntu-system
ssl - How to force requests use the certificates on my ubuntu system - Stack Overflow
Top answer
1 of 2
33

You can set the environment variable REQUESTS_CA_BUNDLE so you don't have to modify your code:

export REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/hbrls-server.cert

Source: https://requests.readthedocs.io/en/master/user/advanced/#ssl-cert-verification

2 of 2
0

@and answered this best in 2017, and I think we've all given this person enough to to post what I think is the best answer as an answer. So now I'm doing it, after posting upvote #42 (such a fitting #) to the comment that saved my bacon. But we digress. Combining the well-celebrated answer with @and's golden comment...

You can set the environment variable REQUESTS_CA_BUNDLE so you don't have to modify your code:

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

The improvement, if it's not clear is this: /etc/ssl/certs/ca-certificates.crt will contain not merely any self-cert you added to your trust store, but also all of the other standard certs. That's a big deal, because, for example, I ran into a situation where when REQUESTS_CA_BUNDLE was set to just my self-cert, the AWS CLI could no longer authenticate. (Don't ask me why AWS cares about REQUESTS_CA_BUNDLE. I don't know. I do know, however, that using ca-certificates.crt solved the problem.

🌐
Requests
requests.readthedocs.io › en › latest › user › advanced
Advanced Usage — Requests 2.33.1 documentation
When you are using the prepared request flow, keep in mind that it does not take into account the environment. This can cause problems if you are using environment variables to change the behaviour of requests. For example: Self-signed SSL certificates specified in REQUESTS_CA_BUNDLE will not ...
Discussions
Installed certifi, set REQUESTS_CA_BUNDLE env var, still getting SSL error.
I am using the jenkinsapi module which uses requests under the hood. If I try to use it out of the box, pointing it at a jenkins server that uses SSL, I get: SSLError: [Errno 1] _ssl.c:504: error:1... More on github.com
🌐 github.com
10
July 24, 2013
Can connect to URL with curl but not with requests (i.e. requests ignoring my CA bundle?)
(Cross-posting from python - can connect to URL with curl but not with requests (i.e. requests ignoring my CA bundle?) - Stack Overflow) I am able to connect to a certain URL with cURL, after I installed the corresponding SSL certificates: $ curl -vvvv $MY_URL # Fails $ sudo openssl x509 -inform ... More on discuss.python.org
🌐 discuss.python.org
7
0
March 30, 2022
ssl - How can I use system CA certificates (Debian/Ubuntu) with Python's Requests? - Stack Overflow
Setting environmental variable REQUESTS_CA_BUNDLE works. However, it does not change crt path in certifi module. The answer implies that it does, but my test in python 3.7 and 3.8 shows otherwise. I recommand use os.getenv to check the path instead. More on stackoverflow.com
🌐 stackoverflow.com
CA-certs bundles and requests.certs.where - Improved documentation
I initially thought requests.certs.where (as well as certifi.where) returned the location of the cacert file actually being used, and I could use it to verify that the correct file was loaded. I am not the only one to make this mistake: ... More on github.com
🌐 github.com
2
November 1, 2023
Videos
02:37
🌐 YouTube
Python Requests - How to use system ca-certificates (debian/ubuntu)?
January 1, 2024
37
01:21
🌐 YouTube
PYTHON : Python Requests - How to use system ca-certificates ...
December 8, 2021
183
02:09
🌐 YouTube
Python Requests | SSL - YouTube
June 4, 2019
10.4K
06:07
🌐 YouTube
import Client Side Certificates with python request - YouTube
June 6, 2020
02:31
🌐 YouTube
How to Use CA Certificates as a String in Python Requests Library ...
October 19, 2025
03:02
🌐 YouTube
python requests ca certificate - YouTube
December 28, 2023
40
View all
View all
🌐
GitHub
github.com › psf › requests › issues › 6660
REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE environment variables get ignored when in a venv · Issue #6660 · psf/requests
March 13, 2024 - Requests supports the REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE environment variables to override the certificate Expected Result Here's what's happening outside of the venv REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt python3 Pytho...
Author   FriederHannenheim
🌐
HackerNoon
hackernoon.com › solving-the-dreadful-certificate-issues-in-python-requests-module
Solving the Dreadful Certificate Issues in Python Requests Module | HackerNoon
November 23, 2022 - Solve the dreadful certificate issues in Python requests module.
🌐
GitHub
github.com › psf › requests › issues › 1491
Installed certifi, set REQUESTS_CA_BUNDLE env var, still ...
July 24, 2013 - jenkinsapi doesn't provide a hook to set verify=False. I tried saving the certificate from the jenkins server and setting the REQUESTS_CA_BUNDLE environment variable to point to it, and still got the same error.
Author   hugh-dunne
🌐
Quilt
docs.quilt.bio › quilt-python-sdk › api-reference › custom-ssl-certificates
Custom SSL Certificates | Quilt
May 25, 2023 - SSL certificate verification with Python Requests library · PreviousAuthentication GuideNextAdvanced · Last updated 2 years ago · Was this helpful? Mac OS X · Linux · Windows · Verification · References · Was this helpful? Copy · openssl x509 -inform der -in \Path\To\mycert.cer -out \Path\To\Converted\mycert.crt · Copy · openssl x509 -in \Path\To\mycert.cer -out \Path\To\Converted\mycert.crt · Copy · set REQUESTS_CA_BUNDLE=Path\To\Converted\mycert.crt
Find elsewhere
🌐
Python.org
discuss.python.org › python help
Can connect to URL with curl but not with requests (i.e. requests ignoring my CA bundle?) - Python Help - Discussions on Python.org
March 30, 2022 - (Cross-posting from python - can connect to URL with curl but not with requests (i.e. requests ignoring my CA bundle?) - Stack Overflow) I am able to connect to a certain URL with cURL, after I installed the corresponding SSL certificates: $ curl -vvvv $MY_URL # Fails $ sudo openssl x509 -inform pem -outform pem -in /tmp/custom-cert.pem -out /usr/local/share/ca-certificates/custom-cert.crt $ sudo update-ca-certificates $ curl -vvvv $MY_URL # OK However, requests (or httpx, or any other libr...
🌐
Medium
devblabs.medium.com › python-requests-default-ca-certs-36896807a76b
Python Requests Default CA Certs. Back in 2015 I switched jobs and joined… | by Brian Olson | Medium
November 9, 2022 - Before version 2.16, Requests bundled a set of root CAs that it trusted, sourced from the Mozilla trust store.
🌐
Quantlane
quantlane.com › blog › ssl-lessons-learned-part-2
Quantlane - SSL Lessons learned: Part 2
August 9, 2020 - We found out that requests using its own pre-packaged SSL certificates can be disabled by using the environment variable REQUESTS_CA_BUNDLE. Although I would not recommend blindly disabling it everywhere.
🌐
pip
pip.pypa.io › en › stable › topics › https-certificates
HTTPS Certificates - pip documentation v26.1
The --cert option (and the corresponding PIP_CERT environment variable) allow users to specify a different certificate store/bundle for pip to use. It is also possible to use REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE environment variables.
🌐
IncognitJoe
incognitjoe.github.io › adding-certs-to-requests.html
Adding custom CA certs to Requests with Certifi | IncognitJoe
December 24, 2016 - The Python Requests library uses its own CA file by default, or will use the certifi package's certificate bundle if installed.
🌐
Stack Overflow
stackoverflow.com › questions › 42982143 › how-can-i-use-system-ca-certificates-debian-ubuntu-with-pythons-requests
ssl - How can I use system CA certificates (Debian/Ubuntu) with Python's Requests? - Stack Overflow
Top answer
1 of 8
269

From an answer to Python Requests throwing SSLError:

To make Python's Requests use the system ca-certificates bundle, it needs to be told to use it over its own embedded bundle

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Requests embeds its bundles here, for reference:

/usr/local/lib/python2.7/site-packages/requests/cacert.pem
/usr/lib/python3/dist-packages/requests/cacert.pem

Or in newer versions, use an additional package to obtain certificates from: Certifi

To verify from which file certificates are loaded, you can try:

Python 3.8.5 (default, Jul 28 2020, 12:59:40)
>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'
2 of 8
42

I struggled with this for a week or so recently. I finally found that the way to verify a self-signed, or privately signed, certificate in Python. You need to create your own certificate bundle file. No need to update obscure certificate bundles every time you update a library, or add anything to the system certificate store.

Start by running the openssl command that you ran before, but add -showcerts. openssl s_client -connect mysite.local:443 -showcerts This will give you a long output, and at the top you'll see the entire certificate chain. Usually, this means three certs, the website's certificate, the intermediate certificate, and the root certificate in that order. We need to put just the root and intermediate certificates into a next file in the opposite order.

Copy the last cert, the root certificate, to a new text file. Grab just the stuff between, and including:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Copy the middle cert (aka the intermediate certificate) to the new text file under the root cert. Again, grab the Begin and End Certificate lines and everything in between.

Save this text file to the directory where your Python script resides. My recommendation is to call it CertBundle.pem. (If you give it a different name, or put it somewhere else in your folder structure, make sure that the verify line reflects that.) Update your script to reference the new certificate bundle:

response = requests.post("https://www.example.com/", headers=headerContents, json=bodyContents, verify="CertBundle.pem")

And that's it. If you have only the root or only the intermediate certificate, then Python can't validate the entire certificate chain. But, if you include both of the certificates in the certificate bundle that you created, then Python can validate that the intermediate was signed by the root, and then when it accesses the website it can validate that the website's certificate was signed by the intermediate certificate.

edit: Fixed the file extension for the cert bundle. Also, fixed a couple of grammatical mistakes.

🌐
GitConnected
levelup.gitconnected.com › solve-the-dreadful-certificate-issues-in-python-requests-module-2020d922c72f
Solve the dreadful certificate issues in Python requests module | by Supratim Samanta | Level Up Coding
April 14, 2022 - Real world issues and solving them Solve the dreadful certificate issues in Python requests module Recently I have been working with the Python requests module to secure an API call using the …
🌐
GitHub
github.com › psf › requests › issues › 6565
CA-certs bundles and requests.certs.where - Improved documentation · Issue #6565 · psf/requests
November 1, 2023 - returns the path of the CA-certs bundle that is included with the requests package, ie not necessarily the bundle actually being used.
Author   velle
🌐
Python.org
discuss.python.org › python help
Python 3.13.x SSL security changes - Python Help - Discussions on Python.org
May 8, 2025 - My organization currently uses Zscaler for security and VPN. On top of that I have no admin rights to my Windows machine. I have tried a whole host of solutions which led me to pip-system-certs is this StackOverflow question that is quite similar to my situation here https://stackoverflow.com/questions/61635505/installing-zscaler-certificate-to-anaconda3 For Python 3.12, I was able to patch the cert by using autowrapt which was kindly provided by pip-system-certs.
🌐
Reddit
reddit.com › r/learnpython › python requests equivalent of curl command with cacert, cert and key
r/learnpython on Reddit: Python requests equivalent of curl command with cacert, cert and key
April 4, 2021 -

I have a curl command that looks like the following: 

curl --cacert ca.crt --key client.key --cert client.crt https://localhost:35877/v2/network/information

In the cmd it works but I can't seem to find the equivalent for python requests. Can anyone tell me the proper syntax for passing cacert key and cert to a request using the requests module?

Thank you.

Top answer
1 of 1
1
Hope this helps. https://stackoverflow.com/questions/42982143/python-requests-how-to-use-system-ca-certificates-debian-ubuntu
🌐
GitConnected
levelup.gitconnected.com › using-custom-ca-in-python-here-is-the-how-to-for-k8s-implementations-c450451b6019
Using custom CA in Python? Here is the ‘how to’ for k8s implementations | by Dmitry Kirilovskiy | Level Up Coding
February 24, 2023 - As mentioned above, for isolated PODs with limited HTTP destinations using the environment variable perfectly makes sense. So I’ll assign REQUESTS_CA_BUNDLE environment variable the path to the file which is mounted from secret.
🌐
Python
bugs.python.org › issue28547
Issue 28547: Python to use Windows Certificate Store - Python tracker
This issue tracker has been migrated to GitHub, and is currently read-only. For more information, see the GitHub FAQs in the Python's Developer Guide · This issue has been migrated to GitHub: https://github.com/python/cpython/issues/72733
🌐
Snowflake Community
community.snowflake.com › s › article › HowtouseanalternativecacertpemfilewhileconnectingtoSnowflakewithSnowsql
Snowflake Community
Join our community of data professionals to learn, connect, share and innovate together
🌐
Zscaler
help.zscaler.com › zia › adding-custom-certificate-application-specific-trust-store
Adding Custom Certificate to an Application-Specific Trust Store
If you're seeing this message, that means JavaScript has been disabled on your browser, please enable JS to make this app work
Related queries
python requests_ca_bundle not working
python requests_ca_bundle json
python requests session
python requests_ca_bundle windows
requests_ca_bundle multiple certs
python requests_ca_bundle ubuntu
python requests_ca_bundle example
python requests_ca_bundle github