Update to Python 3.11 got SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

Xiuyang Bobby Sun 65 Reputation points
2024-09-24T17:10:13.2266667+00:00

Hi,

After we updated our Sentinel data connector (implemented in Azure Function) to use Python 3.11 from 3.10, we got an SSL error from urllib3 when making API calls: SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

This happens both when testing locally and when deployed to Azure Functions.

It was working fine when using Python 3.10. Is anyone seeing the same issue? Please help.


1 answer

  1. Pauline Mbabu 560 Reputation points Microsoft Employee
    2024-11-14T10:00:01.8433333+00:00

    Hello Xiuyang Bobby Sun,

    It seems like your Python installation is not configured to trust any Certificate Authorities (CAs). This can happen when Python can't find the system's set of trusted CAs.

    In Python 3.11, there might be a change in how SSL certificates are handled or how they interact with the system's trusted CAs.

    Here are some recommendations that I found that may be useful:

    1. Install the certifi module, which provides Mozilla's set of trusted CAs. You can install it using pip:

        pip install certifi

       Afterward, you should tell Python to use certifi's set of CAs. Here's a code example:

        import certifi
        import ssl
        import urllib3

        http = urllib3.PoolManager(
            cert_reqs='CERT_REQUIRED',
            ca_certs=certifi.where()
        )

    2. If you're using a self-signed certificate, you can specify your certificate using the ca_certs parameter:

        http = urllib3.PoolManager(
            cert_reqs='CERT_REQUIRED',
            ca_certs='/path/to/your/certificate.pem'
        )

    3. You can also try to reinstall Python 3.11 and make sure that during the installation, you check the box that says "Install launcher for all users" and "Add Python to PATH".
    4. If the error is coming from Azure Functions, it might be that the Azure Function App is not correctly configured to trust the SSL certificate. In this case, you might need to upload the certificate to your Azure Function App. Please refer to this documentation: Import App Service Certificate
    5. Since you are using Docker, make sure the base image includes the latest CA certificates. You can update your Dockerfile to ensure it uses the latest certificates.

    Remember to replace '/path/to/your/certificate.pem' with the path to the actual certificate file in your system.

    In any case, please remember that handling SSL certificates can have security implications. Be careful not to disable certificate verification in your production code, as it can expose you to security risks. If any of these steps works, please do let me know.

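A diagnostic for the error discussed in this thread, added here as an example and not code from the question or the answer: it reports where the running interpreter looks for trusted CAs, then builds a context that adds a CA bundle while keeping verification on. The names `trust_store_report`, `verifying_context` and `CA_ENV_VARS` are hypothetical, and only the standard `ssl` module plus an optional `certifi` install are assumed.

```python
import os
import ssl

# Environment variables that commonly redirect CA lookup (OpenSSL, requests).
CA_ENV_VARS = ("SSL_CERT_FILE", "SSL_CERT_DIR", "REQUESTS_CA_BUNDLE")


def trust_store_report():
    """Describe where this interpreter looks for trusted CA certificates."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    loaded = ctx.cert_store_stats()["x509_ca"]
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "cafile": paths.cafile,  # None when the file does not exist
        "capath": paths.capath,  # None when the directory does not exist
        "env": {name: os.environ.get(name) for name in CA_ENV_VARS},
        # Certificates under capath load lazily during a handshake, so a
        # count of 0 is only conclusive when capath is missing as well.
        "ca_loaded": loaded,
        "no_trust_anchors": loaded == 0 and paths.capath is None,
    }


def verifying_context(extra_ca_file=None):
    """Default trust store plus one extra CA bundle; verification stays on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checks
    if extra_ca_file is None:
        try:
            import certifi  # optional third-party bundle (Mozilla CAs)
        except ImportError:
            return ctx
        extra_ca_file = certifi.where()
    if not os.path.isfile(extra_ca_file):
        # Fail closed: a missing bundle must not fall back to no verification.
        raise FileNotFoundError(f"CA bundle not found: {extra_ca_file}")
    ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print(f"{key}: {value}")
    print("verify_mode:", verifying_context().verify_mode)
```

The returned context can be handed to urllib3 as `urllib3.PoolManager(ssl_context=verifying_context())`, which adds the bundle to the system trust store instead of replacing it.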
