certificate verify failed unable to get local issuer certificate
Introduction
certificate verify failed: unable to get local issuer certificate means the client could not build a trusted certificate chain from the server certificate up to a CA in the local trust store. In plain terms, the TLS connection reached a certificate, but the client could not verify who signed it with a chain it trusts.
What the Error Usually Means
During a TLS handshake, the server sends its certificate and usually one or more intermediate certificates. The client then tries to connect that chain to a trusted root CA installed locally.
If any part of that chain is missing or untrusted, verification fails.
Typical causes include:
- The server is not sending required intermediate certificates
- The client trust store is outdated
- A corporate proxy is replacing certificates
- The server uses a self-signed certificate
- The application points at the wrong CA bundle
This Python example shows the kind of request that often triggers the error:
If certificate verification fails, the exception is telling you the trust chain could not be completed correctly.
Fix the Trust Store Before Disabling Verification
The safest fix is almost always to correct the CA chain rather than turning verification off.
If you are using Python, certifi is a common CA bundle source:
That can help when the runtime's certificate bundle is stale or misconfigured.
On Linux systems, updating the OS CA store is also common. The exact command depends on the distribution, but the principle is the same: refresh the trusted certificate bundle so the client recognizes modern issuers.
Check the Server Certificate Chain
Sometimes the client is fine and the server is the real problem. A misconfigured web server may present only the leaf certificate without the required intermediates.
You can inspect the chain with OpenSSL:
If the intermediate certificates are missing, many clients will report the local issuer error even though the root CA is widely trusted. The fix then belongs on the server: install the full certificate chain properly.
Self-Signed and Internal Certificates
In development or internal environments, the server may use a self-signed certificate or a private CA. In that case, the client must explicitly trust that CA.
For example, if you have an internal CA certificate file:
This is very different from verify=False. You are still verifying the certificate, just against your internal CA rather than the public internet CA bundle.
What Not to Do
This is tempting:
It may make the error disappear, but it also disables certificate verification and opens the door to man-in-the-middle attacks. That is acceptable only for narrow debugging scenarios, not as a real fix.
Common Pitfalls
The biggest mistake is treating the error as a purely client-side bug. Many times the real issue is a server that is not presenting the full chain.
Another problem is copying verify=False from a forum answer and leaving it in production code. That solves the symptom while removing one of the core protections TLS is supposed to provide.
Developers also sometimes update one CA store and forget that the actual runtime uses a different one. A system Python, virtual environment, container image, Java runtime, and operating system can all rely on different certificate stores.
Finally, remember that internal proxies and SSL inspection tools can replace certificates on the fly. If the network path inserts its own CA, the client must trust that CA explicitly or the handshake will fail.
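To separate the client-side and server-side causes described above, the following added example (not code from the original article) attempts the same verified handshake against each trust store the runtime might use and classifies the outcome. The function names, result labels, and classification heuristic are assumptions made for illustration; certifi is used only if it is installed.

```python
import socket
import ssl

# OpenSSL verify codes: 18/19 self-signed (leaf / in chain),
# 20 unable to get local issuer certificate, 21 unable to verify first certificate.
SELF_SIGNED = {18, 19}
ISSUER_MISSING = {20, 21}

def build_context(cafile=None):
    """Verifying client context; cafile=None uses the runtime's default trust store."""
    return ssl.create_default_context(cafile=cafile)

def probe(host, port, ctx, timeout=5.0):
    """Try a verified handshake and return (ok, verify_code, message)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return (True, 0, "chain verified")
    except ssl.SSLCertVerificationError as exc:  # must precede OSError, its base class
        return (False, exc.verify_code, exc.verify_message)
    except OSError as exc:
        return (False, None, f"no TLS verdict: {exc}")

def compare_stores(host, port=443, internal_ca=None):
    """Probe the same server once per candidate trust store."""
    stores = {"runtime default": None}
    try:
        import certifi  # optional third-party bundle mentioned on this page
        stores["certifi"] = certifi.where()
    except ImportError:
        pass
    if internal_ca:  # path to a private CA file supplied by the caller
        stores["internal CA"] = internal_ca
    return {name: probe(host, port, build_context(path)) for name, path in stores.items()}

def interpret(results):
    """Map per-store results to the cause categories this page lists (heuristic)."""
    verdicts = list(results.values())
    if all(ok for ok, _, _ in verdicts):
        return "ok"
    if any(ok for ok, _, _ in verdicts):
        return "client-store"  # one store validates the chain: fix the failing store
    codes = {code for _, code, _ in verdicts}
    if codes & SELF_SIGNED:
        return "private-ca"  # self-signed or private root: trust that CA file explicitly
    if codes & ISSUER_MISSING:
        return "server-chain-or-proxy"  # no store links the chain: inspect what the server sends
    return "other"
```

Run interpret(compare_stores(host)) inside the same interpreter, virtual environment, or container image that shows the failure, since each of those can carry a different trust store.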
Summary
- The error means the client could not build a trusted certificate chain to a local root CA.
- Common causes are missing intermediates, stale trust stores, self-signed certificates, or network interception.
- Fix the CA bundle or the server chain instead of disabling verification.
- Use tools such as openssl s_client to inspect what the server actually sends.
- verify=False is a debugging shortcut, not a secure production solution.

