httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

[ubaldot]

Describe the bug

I run pdm build resulting in:

[ConnectError]: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
(_ssl.c:1000)

Then, I tried:

pdm config pypi.ca_certs "C:\Users\yt75534\my_company_ca.pem" -v

resulting in:

WARNING: Failed to get latest version: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1000)

I also have REQUESTS_CA_BUNDLE = "C:\Users\yt75534\my_company_ca.pem.

To reproduce

I am on my company laptop, so it is a bit difficult to reproduce.

Expected Behavior

the sdist is built.

Environment Information

INFO: Inside an active virtualenv C:\Users\yt75534\AppData\Local\miniforge3\envs\myenv, reusing it. Set env var PDM_IGNORE_ACTIVE_VENV to ignore it. PDM version: 2.21.0 Python Interpreter: C:\Users\yt75534\AppData\Local\miniforge3\envs\myenv\python.exe (3.12) Project Root: C:/Users/yt75534/Documents/dymoval Local Packages:

WARNING: Failed to get latest version: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000) INFO: Inside an active virtualenv C:\Users\yt75534\AppData\Local\miniforge3\envs\myenv, reusing it. Set env var PDM_IGNORE_ACTIVE_VENV to ignore it. { "implementation_name": "cpython", "implementation_version": "3.12.7", "os_name": "nt", "platform_machine": "AMD64", "platform_release": "10", "platform_system": "Windows", "platform_version": "10.0.19045", "python_full_version": "3.12.7", "platform_python_implementation": "CPython", "python_version": "3.12", "sys_platform": "win32" } WARNING: Failed to get latest version: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

pdm -v output

> pdm -v
Usage: pdm [-h] [-V] [-c CONFIG] [-v | -q] [--no-cache] [-I] [--pep582 [SHELL]] [-n] ...

    ____  ____  __  ___
   / __ \/ __ \/  |/  /
  / /_/ / / / / /|_/ /
 / ____/ /_/ / /  / /
/_/   /_____/_/  /_/

Options:
  -h, --help            Show this help message and exit.
  -V, --version         Show the version and exit
  -c CONFIG, --config CONFIG
                        Specify another config file path [env var: PDM_CONFIG_FILE]
  -v, --verbose         Use `-v` for detailed output and `-vv` for more detailed
  -q, --quiet           Suppress output
  --no-cache            Disable the cache for the current command. [env var: PDM_NO_CACHE]
  -I, --ignore-python   Ignore the Python path saved in .pdm-python. [env var: PDM_IGNORE_SAVED_PYTHON]
  --pep582 [SHELL]      Print the command line to be eval'd by the shell for PEP 582
  -n, --non-interactive
                        Don't show interactive prompts but use defaults. [env var: PDM_NON_INTERACTIVE]

Commands:
  add                   Add package(s) to pyproject.toml and install them
  build                 Build artifacts for distribution
  cache                 Control the caches of PDM
  completion            Generate completion scripts for the given shell
  config                Display the current configuration
  export                Export the locked packages set to other formats
  fix                   Fix the project problems according to the latest version of PDM
  import                Import project metadata from other formats
  info                  Show the project information
  init                  Initialize a pyproject.toml for PDM. Built-in templates: - default: `pdm init`, A simple
                        template with a basic structure. - minimal: `pdm init minimal`, A minimal template with only
                        `pyproject.toml`.
  install               Install dependencies from lock file
  list                  List packages installed in the current working set
  lock                  Resolve and lock dependencies
  outdated              Check for outdated packages and list the latest versions on indexes.
  publish               Build and publish the project to PyPI
  python (py)           Manage installed Python interpreters
  remove                Remove packages from pyproject.toml
  run                   Run commands or scripts with local packages loaded
  search                Search for PyPI packages
  self (plugin)         Manage the PDM program itself (previously known as plugin)
  show                  Show the package information
  sync                  Synchronize the current working set with lock file
  update                Update package(s) in pyproject.toml
  use                   Use the given python version or path as base interpreter. If not found, PDM will try to
                        install one.
  venv                  Virtualenv management

Additional Context

I had the same problem with conda but it has been fixed when I set the REQUESTS_CA_BUNDLE environment variable, I am working on Windows 10 and I installed pdm through conda. The pdm --version is PDM, version 2.21.0.

Are you willing to submit a PR to fix this bug?

• [ ] Yes, I would like to submit a PR.

[frostming]

Can you run this successfully?

import httpx

resp = httpx.get(URL, verify=CA_CERTS_PATH)

[ubaldot]

I ran the following:

import httpx
from pathlib import Path

URL = "https://example.com"  # Replace with your actual URL
CA_CERTS_PATH = Path("C:/Users/yt75534/my_company_ca.pem")

print(f"File exists: {CA_CERTS_PATH.exists()}")

resp = httpx.get(URL, verify=str(CA_CERTS_PATH))
print(resp.text)

obtaining:

File exists: True
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>

[frostming]

Did you have custom source config and did you set the ca_certs field?

[ubaldot]

Not sure if I understand but pdm config pypi.ca_certs "C:\Users\yt75534\my_company_ca.pem"

return

WARNING: Failed to get latest version: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1000)`

[frostming]

Not sure if I understand but pdm config pypi.ca_certs "C:\Users\yt75534\my_company_ca.pem"

It's unclear what is the context of the warning message, but you can try disabling check_update by pdm config check_update false

Oh, you should also verify the config is set correctly:

pdm config pypi.ca_certs

[ochrafal]

Based on httpx release history https://pypi.org/project/httpx/#history it looks that on 28th of November version 0.28.0 was released and it seems that pdm is not fully compatible with it.

[frostming]

@ochrafal Thanks for the info. So does it work if downgrade to httpx<0.28? @ubaldot

[ubaldot]

Unfortunately, I won't be able to test it before Jan 9th. I am out of country.

[frostming]

Based on httpx release history https://pypi.org/project/httpx/#history it looks that on 28th of November version 0.28.0 was released and it seems that pdm is not fully compatible with it.

While it is deprecating verify=str and cert= parameters, the old usage should still work. It doesn't make sense either.

[sanmai-NL]

@ubaldot does it work after running this on the venv?

pip install pip-system-certs

[sigma67]

We just updated to Python 3.14 and getting a similar error during pdm install. We test for all versions 3.10 through 3.14 and this error only occurs with 3.14. We also have a custom certificate set via pdm config pypi.ca_certs.

pdm install --group :all --group test
STATUS: Resolving packages from lockfile...
Synchronizing working set with resolved packages: 49 to add, 0 to update, 0 to remove
  ✔ Install pip 25.1.1 successful
...snip more successful packages
  ✔ Install markupsafe 3.0.2 successful
  ✔ Install coverage 7.8.2 successful
  ✔ Install pyyaml 6.0.2 successful
  ✖ Install pydantic-core 2.33.2 failed
  ✖ Install pydantic-core 2.33.2 failed
ERRORS:
add pydantic-core failed:
Traceback (most recent call last):
  File "/usr/lib/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pdm/installers/synch
ronizers.py", line 29, in install_candidate
    self.manager.install(can)
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pdm/installers/manag
er.py", line 33, in install
    prepared.build(),
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pdm/models/candidate
s.py", line 417, in build
    self._cached = Path(builder.build(build_dir, 
metadata_directory=self._metadata_dir))
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pdm/builders/base.py
", line 84, in wrapper
    return func(*args, **kwargs)
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pdm/builders/wheel.p
y", line 26, in build
    filename = self._hook.build_wheel(out_dir, self.config_settings, 
metadata_directory)
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pyproject_hooks/_imp
l.py", line 256, in build_wheel
    return self._call_hook(
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pyproject_hooks/_imp
l.py", line 392, in _call_hook
    self._subprocess_runner(
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pdm/builders/base.py
", line 281, in subprocess_runner
    return log_subprocessor(cmd, cwd, extra_environ=env)
  File 
"/usr/local/lib/pipx/venvs/pdm/lib/python3.10/site-packages/pdm/builders/base.py
", line 128, in log_subprocessor
    raise build_error(e) from None
pdm.exceptions.BuildError: Build backend raised error: Showing the last 10 lines
of the build output:
    response = transport.handle_request(request)
  File 
"/tmp/pdm-build-env-ievbdtiu-overlay/lib/python3.14/site-packages/httpx/_transpo
rts/default.py", line 249, in handle_request
    with map_httpcore_exceptions():
         ~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.14/contextlib.py", line 162, in __exit__
    self.gen.throw(value)
    ~~~~~~~~~~~~~~^^^^^^^
  File 
"/tmp/pdm-build-env-ievbdtiu-overlay/lib/python3.14/site-packages/httpx/_transpo
rts/default.py", line 118, in map_httpcore_exceptions
    raise mapped_exc(message) from exc
httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: 
self-signed certificate in certificate chain (_ssl.c:1077)

debug log:

pdm_debug_log.txt

basically it tries to build the package with rust, tries to download rust, then fails because it can't access the server due to the certificate issue. interestingly I can install the same package just fine using pip under 3.14

I can reproduce this with other packages that use the maturin build-system, for example rdps-py, watchfiles.

https://github.com/samuelcolvin/watchfiles/blob/main/pyproject.toml#L2

Workaround: seems fixable by setting SSL_CERT_FILE.