PythonCall.jl icon indicating copy to clipboard operation
PythonCall.jl copied to clipboard
verified publisher icon JuliaPy

SSL CERTIFICATE_VERIFY_FAILED

Open Beforerr opened this issue 4 months ago • 5 comments

Affects: PythonCall

Describe the bug

After upgrading Julia to 1.12-rc, it seems I could not connect to the remote server because of SSL fail (for package https://github.com/SciQLop/Speasy.jl). However, this bug only appears locally, not in CI, which is very weird. I checked the cert paths from Python, and the result is different from the previous discussion #493 , so maybe they are related.

julia> using PythonCall

julia> @py import ssl

julia> ssl.get_default_verify_paths()
Python: DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/workspace/destdir/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/workspace/destdir/ssl/certs')

Your system

julia> versioninfo()
Julia Version 1.12.0-rc1
Commit 228edd6610b (2025-07-12 20:11 UTC)
Platform Info:
  OS: macOS (arm64-apple-darwin24.0.0)
  CPU: 8 × Apple M1 Pro
  LLVM: libLLVM-18.1.7 (ORCJIT, apple-m1)
  GC: Built with stock GC
Threads: 1 default, 1 interactive, 1 GC (on 6 virtual cores)

julia> Pkg.status()
Project Speasy v0.4.2
Status `~/src/Speasy.jl/Project.toml`
  [2569d6c7] ConcreteStructs v0.2.3
  [992eb4ea] CondaPkg v0.2.29
  [46f1a544] NanoDates v1.0.3
  [6099a3de] PythonCall v0.9.26
  [0b37b92c] SpaceDataModel v0.1.12
  [10745b16] Statistics v1.11.1
  [1986cc42] Unitful v1.24.0
  [ade2ca70] Dates v1.11.0

Beforerr avatar Aug 12 '25 18:08 Beforerr

Solved. It turned out to be macOS setting problem. (https://support.apple.com/en-in/guide/keychain-access/kyca11871/mac

Beforerr avatar Aug 12 '25 21:08 Beforerr

Sorry to reopen. But I think the issue is not solved for Julia 1.12. It fails on Ubuntu CI https://github.com/SciQLop/Speasy.jl/actions/runs/17310489122/job/49143456845

Beforerr avatar Aug 30 '25 18:08 Beforerr

What's the bug? You haven't shown any errors.

cjdoris avatar Aug 30 '25 19:08 cjdoris

I think the bug is the Python ssl library fail to load from Python openssl_cafile, instead it points to /workspace/.... And when using ssl from Python, it just could not verify the certificate

julia> ssl.get_default_verify_paths()
Python: DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/workspace/destdir/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/workspace/destdir/ssl/certs')

Beforerr avatar Aug 30 '25 19:08 Beforerr

I encountered a similar issue, example code:

@py import urllib
api_url = "https://services.ga.gov.au/gis/rest/services/National_Electricity_Infrastructure/MapServer/2/query?where=state%20%3D%20'Victoria'&outFields=class,name,operationalstatus,state,spatialconfidence,revised,st_length(shape),capacitykv,ga_guid,length_m&outSR=4326&f=geojson"
urllib.request.urlopen(api_url)

> ERROR: Python: URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1010)>

julia> versioninfo()
Julia Version 1.11.6
Commit 9615af0f269 (2025-07-09 12:58 UTC)
Build Info:
  Official https://julialang.org/ release
Platform Info:
  OS: Linux (x86_64-linux-gnu)
  CPU: 16 × AMD Ryzen 9 5900HS with Radeon Graphics
  WORD_SIZE: 64
  LLVM: libLLVM-16.0.6 (ORCJIT, znver3)
Threads: 8 default, 0 interactive, 4 GC (on 16 virtual cores)
Environment:
  JULIA_EDITOR = code
  JULIA_VSCODE_REPL = 1
  JULIA_NUM_THREADS = 8

Worth noting, no error thrown with requests

@py import requests
r = requests.get(api_url)

> Python: <Response [200]>

ymiftah avatar Sep 04 '25 11:09 ymiftah