TroubleshootingIntermediate

How to Fix SSL Certificate Errors When Calling AI APIs

Resolve SSL certificate verify failed errors the safe way instead of disabling verification.

8 minIntermediate

A 'certificate verify failed' error blocks your request before it even reaches the AI provider. It usually means your machine cannot validate the provider's HTTPS certificate, often due to missing root certificates, a corporate proxy, or an outdated system. The wrong fix is disabling verification, which exposes your key to interception. Here is the safe path.

  • Python or Node with an HTTP client
  • Admin access to install certificates if needed
  • Knowledge of whether you are behind a corporate proxy

Step 1: Read the full error

The error names the underlying cause. CERTIFICATE_VERIFY_FAILED with 'unable to get local issuer certificate' points at missing root certs. A 'self signed certificate in certificate chain' usually points at a proxy injecting its own certificate.

zsh - error
$python app.py
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate
$

Step 2: Install or update root certificates

On macOS, the Python installer ships a script that installs the certifi root bundle. On Linux, update the system ca-certificates package. This is the fix for the missing local issuer case.

fix-certs.sh
# macOS, adjust the version to your Python
/Applications/Python\ 3.12/Install\ Certificates.command

# Debian or Ubuntu
sudo apt-get update && sudo apt-get install --reinstall ca-certificates

# upgrade the Python bundle
pip install --upgrade certifi

Step 3: Point your client at a trusted bundle

If you are behind a corporate proxy that injects its own root certificate, get that root cert from your IT team and tell your client to trust it. Set the bundle path with an environment variable rather than turning verification off.

.env
# point requests and many clients at a combined trust bundle
REQUESTS_CA_BUNDLE=/etc/ssl/certs/company-bundle.pem
SSL_CERT_FILE=/etc/ssl/certs/company-bundle.pem
NODE_EXTRA_CA_CERTS=/etc/ssl/certs/company-bundle.pem
Trust chain
api.openai.com
-> issued by: corporate proxy CA
-> trusted? NO (not in your bundle)
Fix: add corporate proxy CA to the bundle
-> trusted? YES
A proxy replaces the real certificate with its own, which you must explicitly trust.
Never set verify to false in production
Disabling certificate verification lets anyone on the network read or alter your traffic, including your API key. Always fix the trust chain instead.

Step 4: Confirm the fix

Run a small request again. A clean 200 means the trust chain is now complete and your key travels over a verified connection.

zsh - verify
$python app.py
200 OK
response received over verified TLS
$

Result

After running the certificate installer and adding the corporate proxy CA to a trust bundle, the SSL error cleared and requests succeeded with verification fully on. The key stayed protected the whole time, which would not have been true if verification had simply been disabled.

Watch related tutorials

Claude Code - Full Tutorial for Beginners1:42:18
Claude Code - Full Tutorial for Beginners
freeCodeCamp.org
Full Claude Code Tutorial for Non-Technical Beginners in 2026 (step-by-step)28:14
Full Claude Code Tutorial for Non-Technical Beginners in 2026 (step-by-step)
AI LABS
FULL Claude Code Tutorial for Beginners in 2026! (Step-By-Step)41:09
FULL Claude Code Tutorial for Beginners in 2026! (Step-By-Step)
Tech With Tim
Claude Code Tutorial #1 - Introduction & Setup9:47
Claude Code Tutorial #1 - Introduction & Setup
Net Ninja
800+ hours of Learning Claude Code in 8 minutes (2026 tutorial / unknown tricks)8:23
800+ hours of Learning Claude Code in 8 minutes (2026 tutorial / unknown tricks)
AI Jason
FULL Claude Tutorial For Beginners in 2026! (FULL COURSE)52:31
FULL Claude Tutorial For Beginners in 2026! (FULL COURSE)
Skill Leap AI
Tags
#ssl#certificates#python#networking
All how-to guides