Skip to the navigation links
Last modified: 4 November 2020


Bugs: python


Unable to locate SSL certificates

CIAO ships with a copy of the openSSL library. This is required to provide access to any encrypted website, ie https://. The library makes use of signed certificates on the users machine; however, the location of that certificate file is OS dependent -- different Linux distributions install the file in different locations.

Some users trying to access an encrypted URL may see an error message like

% python -c 'from urllib import request; request.urlopen("");'
Traceback (most recent call last):
File "/home/user/ciao-4.13/ots/lib/python3.7/urllib/", line 1254, in do_open
h.request(req.get_method(), req.selector,, headers)
File "/home/user/ciao-4.13/ots/lib/python3.7/http/", line 1107, in request
self._send_request(method, url, body, headers)
File "/home/user/ciao-4.13/ots/lib/python3.7/http/", line 1152, in _send_request
File "/home/user/ciao-4.13/ots/lib/python3.7/", line 641, in do_handshake
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed


Users can try setting the environment variables: SSL_CERT_FILE and|or SSL_CERT_DIR. These should point to the location of the file on the system

bash$ export SSL_CERT_FILE=/etc/ssl/cert.pem 
bash$ export SSL_CERT_DIR=/etc/ssl/certs
tcsh% setenv SSL_CERT_FILE /etc/ssl/cert.pem
tcsh% setenv SSL_CERT_DIR /etc/ssl/certs

If you are unsure where the certificate file is located then open a new terminal and try the following command.

$ python -c "import ssl; print(ssl.get_default_verify_paths())" 
DefaultVerifyPaths(cafile=None, capath=None,
openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/pki/tls/cert.pem',
openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/pki/tls/certs')

The SSL_CERT_FILE is the openssl_cafile_env and SSL_CERT_DIR is the openssl_capath_env.