On a system I’ve been working on I’ve been plagued by SSL errors whenever Python would try to download something from the internet. I know it’s possible to edit the requests to not verify SSL certs, but this is code in a third-party library (e.g. nltk.download) which I cannot edit easily. And even if I could, it’s unsettling to disable SSL verification since that opens you up to potentiall man-in-the-middle attacks. The errors would look something like below:

urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed:
unable to get local issuer certificate (_ssl.c:1002)

I didn’t have any luck following most of what I found on Stack Overflow to solve this issue, but eventually stumbled on a solution combining ideas from Redhat’s guide to Python cert errors, and a Stack Overlow answer. Specifically, I needed to install certifi certs via pip install certifi, but this was not enough. I then needed to set an ENV var called SSL_CERT_FILE to the location of the certs installed via certifi. I don’t know why Python wasn’t using these certs automatically as it should have been, but this solved the issue for me.

The full steps I took are as follows:

pip install certifi

Next, in Python, find the certifi install location by running

from requests.utils import DEFAULT_CA_BUNDLE_PATH
print(DEFAULT_CA_BUNDLE_PATH)
# /path/to/python/site-packages/certifi/cacert.pem

Note the output of the above cacert.pem file, and add the following to .bashrc (or .bash_profile or .zshrc, etc… depending on your system).

export SSL_CERT_FILE=/path/to/python/site-packages/certifi/cacert.pem

Of course, in the above make sure you use that actual path to cacert.pem on your system.

Next, restart the terminal and hopefully everything should work!