httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

[ubaldot]

Describe the bug

I run pdm build resulting in:

[ConnectError]: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
(_ssl.c:1000)

Then, I tried:

pdm config pypi.ca_certs "C:\Users\yt75534\my_company_ca.pem" -v

resulting in:

WARNING: Failed to get latest version: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1000)

I also have REQUESTS_CA_BUNDLE = "C:\Users\yt75534\my_company_ca.pem.

To reproduce

I am on my company laptop, so it is a bit difficult to reproduce.

Expected Behavior

the sdist is built.

Environment Information

INFO: Inside an active virtualenv C:\Users\yt75534\AppData\Local\miniforge3\envs\myenv, reusing it.
Set env var PDM_IGNORE_ACTIVE_VENV to ignore it.
PDM version:
2.21.0
Python Interpreter:
C:\Users\yt75534\AppData\Local\miniforge3\envs\myenv\python.exe (3.12)
Project Root:
C:/Users/yt75534/Documents/dymoval
Local Packages:

WARNING: Failed to get latest version: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1000)
INFO: Inside an active virtualenv C:\Users\yt75534\AppData\Local\miniforge3\envs\myenv, reusing it.
Set env var PDM_IGNORE_ACTIVE_VENV to ignore it.
{
"implementation_name": "cpython",
"implementation_version": "3.12.7",
"os_name": "nt",
"platform_machine": "AMD64",
"platform_release": "10",
"platform_system": "Windows",
"platform_version": "10.0.19045",
"python_full_version": "3.12.7",
"platform_python_implementation": "CPython",
"python_version": "3.12",
"sys_platform": "win32"
}
WARNING: Failed to get latest version: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1000)

pdm -v output

> pdm -v
Usage: pdm [-h] [-V] [-c CONFIG] [-v | -q] [--no-cache] [-I] [--pep582 [SHELL]] [-n] ...

    ____  ____  __  ___
   / __ \/ __ \/  |/  /
  / /_/ / / / / /|_/ /
 / ____/ /_/ / /  / /
/_/   /_____/_/  /_/

Options:
  -h, --help            Show this help message and exit.
  -V, --version         Show the version and exit
  -c CONFIG, --config CONFIG
                        Specify another config file path [env var: PDM_CONFIG_FILE]
  -v, --verbose         Use `-v` for detailed output and `-vv` for more detailed
  -q, --quiet           Suppress output
  --no-cache            Disable the cache for the current command. [env var: PDM_NO_CACHE]
  -I, --ignore-python   Ignore the Python path saved in .pdm-python. [env var: PDM_IGNORE_SAVED_PYTHON]
  --pep582 [SHELL]      Print the command line to be eval'd by the shell for PEP 582
  -n, --non-interactive
                        Don't show interactive prompts but use defaults. [env var: PDM_NON_INTERACTIVE]

Commands:
  add                   Add package(s) to pyproject.toml and install them
  build                 Build artifacts for distribution
  cache                 Control the caches of PDM
  completion            Generate completion scripts for the given shell
  config                Display the current configuration
  export                Export the locked packages set to other formats
  fix                   Fix the project problems according to the latest version of PDM
  import                Import project metadata from other formats
  info                  Show the project information
  init                  Initialize a pyproject.toml for PDM. Built-in templates: - default: `pdm init`, A simple
                        template with a basic structure. - minimal: `pdm init minimal`, A minimal template with only
                        `pyproject.toml`.
  install               Install dependencies from lock file
  list                  List packages installed in the current working set
  lock                  Resolve and lock dependencies
  outdated              Check for outdated packages and list the latest versions on indexes.
  publish               Build and publish the project to PyPI
  python (py)           Manage installed Python interpreters
  remove                Remove packages from pyproject.toml
  run                   Run commands or scripts with local packages loaded
  search                Search for PyPI packages
  self (plugin)         Manage the PDM program itself (previously known as plugin)
  show                  Show the package information
  sync                  Synchronize the current working set with lock file
  update                Update package(s) in pyproject.toml
  use                   Use the given python version or path as base interpreter. If not found, PDM will try to
                        install one.
  venv                  Virtualenv management

Additional Context

I had the same problem with conda but it has been fixed when I set the REQUESTS_CA_BUNDLE environment variable, I am working on Windows 10 and I installed pdm through conda. The pdm --version is PDM, version 2.21.0.

Are you willing to submit a PR to fix this bug?

• Yes, I would like to submit a PR.

[frostming]

Can you run this successfully?

import httpx

resp = httpx.get(URL, verify=CA_CERTS_PATH)

[ubaldot]

I ran the following:

import httpx
from pathlib import Path

URL = "https://example.com"  # Replace with your actual URL
CA_CERTS_PATH = Path("C:/Users/yt75534/my_company_ca.pem")

print(f"File exists: {CA_CERTS_PATH.exists()}")

resp = httpx.get(URL, verify=str(CA_CERTS_PATH))
print(resp.text)

obtaining:

File exists: True
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>

[frostming]

Did you have custom source config and did you set the ca_certs field?

[ubaldot]

Not sure if I understand but pdm config pypi.ca_certs "C:\Users\yt75534\my_company_ca.pem"

return

WARNING: Failed to get latest version: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local
issuer certificate (_ssl.c:1000)`

[frostming]

Not sure if I understand but pdm config pypi.ca_certs "C:\Users\yt75534\my_company_ca.pem"

It's unclear what is the context of the warning message, but you can try disabling check_update by pdm config check_update false

Oh, you should also verify the config is set correctly:

pdm config pypi.ca_certs

[ochrafal]

Based on httpx release history https://pypi.org/project/httpx/#history it looks that on 28th of November version 0.28.0 was released and it seems that pdm is not fully compatible with it.

[frostming]

@ochrafal Thanks for the info. So does it work if downgrade to httpx<0.28? @ubaldot

[ubaldot]

Unfortunately, I won't be able to test it before Jan 9th. I am out of country.

[frostming]

Based on httpx release history https://pypi.org/project/httpx/#history it looks that on 28th of November version 0.28.0 was released and it seems that pdm is not fully compatible with it.

While it is deprecating verify=str and cert= parameters, the old usage should still work. It doesn't make sense either.

[sanmai-NL]

@ubaldot does it work after running this on the venv?

pip install pip-system-certs