microsoft
SSL Certificate Verification Error with Azure AI Inference Endpoint on macOS
Environment
- OS: macOS Darwin 24.5.0
- Python: 3.13 (both system and venv)
- AutoGen Version: autogen-agentchat, autogen-ext[azure]
- Related Packages:
aiohttp==3.12.15azure-coreazure-ai-inference
Error Message
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1028)
azure.core.exceptions.ServiceRequestError: Cannot connect to host models.inference.ai.azure.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1028)')]
Code to Reproduce
from autogen_ext.models.azure import AzureAIChatCompletionClient
from azure.core.credentials import AzureKeyCredential
client = AzureAIChatCompletionClient(
model="gpt-4o-mini",
endpoint="https://models.inference.ai.azure.com",
credential=AzureKeyCredential(os.getenv("GITHUB_TOKEN")),
model_info={
"json_output": True,
"function_calling": True,
"vision": True,
"family": "unknown",
"structured_output": True,
},
)
What I've Tried
-
Installed and activated truststore:
pip install truststore import truststore truststore.inject_into_ssl() -
Set environment variables:
export PYTHONHTTPSVERIFY=0 export SSL_CERT_FILE="" export REQUESTS_CA_BUNDLE="" -
Updated certifi:
pip install --upgrade certifi -
Ran Python's Install Certificates.command for macOS
-
Used proxy (http://127.0.0.1:7890/) - proxy works but SSL error persists
-
Tried monkey patching ssl and aiohttp - no effect
Additional Information
-
The same URL (
https://models.inference.ai.azure.com) works fine in browsers -
curlwith-kflag works successfully -
The issue appears to be specific to the Azure SDK's internal HTTP client
-
When trying to patch aiohttp's SSL context, I get the following error:
verify_ssl, ssl_context, fingerprint, and ssl parameters are mutually exclusive
Expected Behavior
The AutoGen client should successfully connect to Azure AI Inference endpoint without SSL certificate errors.
Questions
- Is there a way to disable SSL verification in
AzureAIChatCompletionClient? - Are there any known issues with macOS + Python 3.13 + Azure SDK SSL handling?
- Is there a recommended workaround for development environments?
Any help would be greatly appreciated. This is blocking the use of AutoGen with GitHub Models on macOS.
👋 Thanks for contributing @ChimeraFlutter! We will review the issue and get back to you soon.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
@ChimeraFlutter -I ran into the same TLS error on macOS today while using Semantic Kernel and found your thread while debugging. Your setup looks similar, so here’s what fixed it for me.
AutoGen’s AzureAIChatCompletionClient builds on the Azure AI Inference SDK which (for async) uses aiohttp/azure-core. On some macOS/Python installs, that stack doesn’t pick up a usable CA bundle by default, so TLS verification blows up. The simplest fix is to point the client at a known-good bundle (e.g., certifi). Azure’s clients support this via the connection_verify option, and AutoGen forwards that through to the underlying client.
Give this a try (note the connection_verify=certifi.where() line):
import os, certifi
from autogen_ext.models.azure import AzureAIChatCompletionClient
from azure.core.credentials import AzureKeyCredential
client = AzureAIChatCompletionClient(
model="gpt-4o-mini",
endpoint="https://models.inference.ai.azure.com",
credential=AzureKeyCredential(os.getenv("GITHUB_TOKEN")),
model_info={
"json_output": True,
"function_calling": True,
"vision": True,
"family": "unknown",
"structured_output": True,
},
# Key line: tell the client to use certifi's CA bundle
connection_verify=certifi.where(),
)
Let me know if this doesn't work, I'd be happy to help you find a solution.
