Due to my network env., I have no choice but to set “SSL verification” disabled.
I could set it in python when using “requests” for any other API,
But how could I make SSL verification disabled when I use openai.Completion.create?
- My Code
import openai

openai.api_key = API_KEY
response = openai.Completion.create(
    model='text-davinci-003',
    prompt='TEST',
)
- Error message:
openai.error.APIConnectionError: Error communicating with OpenAI: HTTPSConnectionPool(host='api.openai.com', port=443): Max retries exceeded with url: /v1/completions (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:992)')))
I had the same issue.
Looks like OpenAI thought about a way to solve this, so they added the property “verify_ssl_certs”, which is True by default. In theory that could be disabled with the following line:
openai.verify_ssl_certs = False
However, as per the observation by lpels at (link removed), this property has no effect - you can even read that comment in the module code on GitHub (see line 42):
verify_ssl_certs = True # No effect. Certificates are always verified.
For organisations that perform SSL terminations on the network boundary, then create a response to the internal client request with a MITM SSL cert, the workaround is to download your organisation’s ROOT certificate (top of the chain when you view certs in your browser when on the api.openai.com page), and add it to the end of the “cacerts.pem” file in site-packages/certifi/ (might be buried beneath some virtual environment folder if you are using one of those).
(Note: Had to remove one link else this web app would not let me submit my response due to “new user” restrictions. See below comment for “other link”)
This does not work. It should, but it does not. I have done this before for other services and libraries, but for some reason with api.openai.com, it just does not work.
We use a VPN client on our work computers when connecting remotely to the company network, and this seems to be a common factor for others reporting this issue. Still doesn’t make sense though, because other online services with Python libraries that present this same issue can be fixed by adding the cert to cacerts.pem. Seems to be something different about OpenAI’s cert where it still fails.
I have done this before for other services and libraries, but for some reason with LINK, it just does not work.
Strange. If you had to do this for other Internet-based services being accessed by clients within your organisation’s network (connecting into the network by VPN) and it worked, I’m surprised it doesn’t work here.
Seems to be something different about OpenAI’s cert where it still fails.
That’s not what I expect. Using Global Protect / Palo Alto firewalls, with MITM SSL enabled, I expect that the certificate your browser sees for LINK is not the certificate that OpenAI have being served by their website but rather a temporary cert generated on-the-fly by your organisation’s firewall. Therefore the root cert I mentioned that you need would not be anything related to the OpenAI website, but rather the root cert used by your organisation to sign every certificate that it creates on its firewalls for MITM SSL request fulfilment. You can easily verify this by looking in your browser at the certificate chain when you visit LINK.
Another thing you should be able to do is use the “openssl s_client” command to inspect / obtain the cert chain (if you are using Linux / macOS) - at least in theory. However, I am seeing an unexpected response there when I do that: I see a completely different chain to what I see in my browser. Perhaps with Palo Alto firewalls being layer 7 devices, they can distinguish between genuine http / browser requests and the lower level ssl connections that openssl works with, and are choosing to deliver different certs in that case. All that to say, take my advice on openssl with a “pinch of salt” since I got nothing conclusive that way. Nevertheless the command should be something like:
openssl s_client -showcerts -verify 5 -connect LINK:443 < /dev/null
Where LINK = api.openai.com
(Sorry about all this “LINK” substituting - multiple inline links are still disallowed for me)
Yep, I’ve tried that with openssl to get the certificate chain. I took the first block and added to cacerts.pem with no success. It really makes no sense because other problematic data sources like reddit threw ssl verify errors until I added their cert to cacerts.pem. I know it “should” work, but it absolutely does not work in the case with api.openai.com. That’s why I question if there’s something different about their cert.
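Added example, not part of any post in this thread: in "openssl s_client -showcerts" output the block at depth 0 is the server's own (leaf) certificate, while the certificate to trust is the self-signed entry whose subject equals its issuer, which is what the "self signed certificate in certificate chain" error refers to. The sketch below parses that output, picks the self-signed entry and builds a separate bundle instead of editing certifi's file; the function names, the "Example Corp" names and the PEM bodies are constructed placeholders.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output; names and PEM bodies are placeholders.
SAMPLE = """Certificate chain
 0 s:CN = api.openai.com
   i:CN = Example Corp Inspection CA
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example Corp Inspection CA
   i:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
 2 s:CN = Example Corp Root CA
   i:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
Uk9PVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""

def parse_showcerts(text):
    """Return one dict per certificate: depth, subject, issuer, pem."""
    chain, cur, pem = [], None, None
    for line in text.splitlines():
        head = re.match(r"\s*(\d+)\s+s:\s*(.*)", line)
        issuer = re.match(r"\s+i:\s*(.*)", line)
        if pem is not None:                      # inside a PEM block
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                cur["pem"] = "\n".join(pem) + "\n"
                chain.append(cur)
                cur, pem = None, None
        elif head:                               # " 0 s:<subject>"
            cur = {"depth": int(head.group(1)), "subject": head.group(2).strip()}
        elif issuer and cur is not None:         # "   i:<issuer>"
            cur["issuer"] = issuer.group(1).strip()
        elif line.startswith("-----BEGIN CERTIFICATE-----") and cur is not None:
            pem = [line]
    return chain

def find_trust_anchor(chain):
    """The self-signed entry (subject == issuer) is the root; None if it was not sent."""
    return next((c for c in chain if c.get("issuer") == c["subject"]), None)

def build_bundle(base_bundle_text, anchor):
    """Stock CA bundle plus the organisation root, as text for a separate file."""
    return base_bundle_text.rstrip("\n") + "\n\n# " + anchor["subject"] + "\n" + anchor["pem"]
```

Write the result of build_bundle (with the contents of the file at certifi.where() as the base) to a file of your own and point the REQUESTS_CA_BUNDLE environment variable at it; requests honours that variable, and whether a given openai client version goes through requests is an assumption to check. Compare the selected root's fingerprint with the one your organisation publishes before trusting it, since a chain read off the wire is unauthenticated.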
Thank you. Glad to be of help.
Maybe you could add a proxy server somewhere outside of your network (nginx, apache) and redirect the calls?