SSL: certificate_verify_failed

Are you going through a VPN? I am going through a corporate VPN (Global Protect) and it will not allow SSL verify to complete correctly no matter what is tried. All of these solutions here fail. None of them work through this particular VPN solution.

I guess it’s no surprise since it is from Palo Alto Networks. Their software is buggy. There was recently discovered a bug in Global Protect or Palo Alto Networks appliance that is causing connectivity issue where connections are just dropped.

If you are using a VPN, what happens if you disconnect the VPN? Does the request complete successfully?

This works if i disconnect the VPN… It looks like it never works with vpn connected…

Well, that’ the same here. I have sent info to my security folks here and they haven’t gotten back to say they found any issue associated with the VPN config.

It still could be something wrong with the VPN, but there are an awful lot of people experiencing this issue when using the OpenAI Python library. I don’t have this issue when using requests. When it has happened in the past, it was very simple resolution, just export the cert from the site and add to the cacerts.pem file for the Python virtual environment. I have tried that in this case by getting the cert from api.openai.com. The cert doesn’t look quite right so maybe there’s something wrong with OpenAI’s self-signed certificate which would be ironic because the OpenAI Python library keeps complaining about a self-signed certificate in the chain.

Seriously though, OpenAI, can’t you put some resources on this to fix it so people can use it. It’s almost like you want people to NOT use your products. Or, at the very least, provide some guidance for those customers using some of the more popular VPNs out there like GlobalProtect, Cisco, etc.

1 Like

This worked, thanks! Also, remember when clicking the lock icon on the left side of the URL, to select “Connection is Secure” to access the certificate. (In Google Chrome anyway)

This worked like a charm, thanks!! I pasted the certificate in my venv at [envname]/Lib/site-packages/certify

2 Likes

Hi Friends,
i’m facing the same issue, but with Azure OpenAI

here’s the error, pls suggest
APIConnectionError: Error communicating with OpenAI: HTTPSConnectionPool(host='azuresandbox1.openai.azure.com', port=443): Max retries exceeded with url: //openai/deployments/rak-gpt-35-turbo/completions?api-version=2022-12-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

#Note: The openai-python library support for Azure OpenAI is in preview.
import os
import openai
openai.api_type = "azure"
openai.api_base = "https://azuresandbox1.openai.azure.com/"
openai.api_version = "2022-12-01"
openai.api_key = os.getenv("OPENAI_API_KEY") 

response = openai.Completion.create(
  engine="raj-gpt-35-turbo",
  prompt="Generate a summary of the below conversation in the following format:\nCustomer problem:\nOutcome of the conversation:\nAction items for follow-up:\nCustomer budget:\nDeparture city:\nDestination city:\n\nConversation:\nUser: Hi there, I’m off between August 25 and September 11. I saved up 4000 for a nice trip. If I flew out from San Francisco, what are your suggestions for where I can go?\nAgent: For that budget you could travel to cities in the US, Mexico, Brazil, Italy or Japan. Any preferences?\nUser: Excellent, I’ve always wanted to see Japan. What kind of hotel can I expect?\nAgent: Great, let me check what I have. First, can I just confirm with you that this is a trip for one adult?\nUser: Yes it is\nAgent: Great, thank you, In that case I can offer you 15 days at HOTEL Sugoi, a 3 star hotel close to a Palace. You would be staying there between August 25th and September 7th. They offer free wifi and have an excellent guest rating of 8.49/10. The entire package costs 2024.25USD. Should I book this for you?\nUser: That sounds really good actually. Please book me at Sugoi.\nAgent: I can do that for you! Can I help you with anything else today?\nUser: No, thanks! Please just send me the itinerary to my email soon.\n\nSummary: \nCustomer problem: The customer wants to travel between August 25 and September 11 with a budget of 4000 USD from San Francisco to a destination suggested by the agent.\nOutcome of the conversation: The agent suggested Japan as a destination and offered a 15-day stay at a 3-star hotel called Sugoi. The customer agreed to the offer and the agent booked the hotel for the customer.\nAction items for follow-up: The agent needs to send the itinerary to the customer's email.\nCustomer budget: 4000 USD\nDeparture city: San Francisco\nDestination city: Japan (exact location not specified)<|im_end|>",
  temperature=0.3,
  max_tokens=350,
  top_p=1,
  frequency_penalty=0,
  presence_penalty=0,
  stop=None)

thank you for this solution!! I have been experiencing the same issue; I had to export every certificate in the chain - just having the zscaler root was not sufficient. in my case, i’m working in a python:3 docker container, so I brought the three exported Zscaler certs into my container like this:

[assuming that I mapped my local certs folder into ‘~/local’ within the container - but it doesn’t matter how you get them into the /usr/local/share/ca-certificates folder, as long as they’re in place when you run the update-ca-certificates command]

cp ~/local/*.crt  /usr/local/share/ca-certificates 
chmod 644 /usr/local/share/ca-certificates/*.crt
update-ca-certificates

, then you can set the REQUESTS_CA_BUNDLE in one of a variety of ways, e.g.:

os.environ['REQUESTS_CA_BUNDLE'] = '/etc/ssl/certs/ca-certificates.crt'

2 Likes

Thanks, that solution worked perfectly for me!

1 Like

For me, the issue was that my Python certificate was not installed. To fix:

Python → Install Certificates.command

If you don’t have permission to install the certificates (e.g. "Permission denied), open an admin session and run the command again.

2 Likes

A quick solution if other options doesn’t work would be to try the following in POC or local try only. Not meant for enterprise solutions.
Make sure you download the chain
CertDownload
Thanks to below stackoverflow it worked for me. Follow the instructions on the accepted reply in below post
Modify Local cacert.pem

Thank you very much for these details. It works for me. Much appreciated.

Solves the Zscaler issue:

This package patches pip and requests at runtime to use certificates from the default system store (rather than the bundled certs ca).

This will allow pip to verify tls/ssl connections to servers who’s cert is trusted by your system install.

Simply install with:

pip install pip_system_certs

1 Like

This worked for me on its own! Now I can simply set the api key as per the documentation and its working. Thank you.

For corporate VPN, after exporting the certificate file as mentioned by hardkothari1998, open it in notepad and then copy paste the whole content from begin certificate to end certificate to your cacert.pem file. To find your cacert.pem file,
import certifi
certifi.where()

1 Like

I’m running on CentOS7 and trying to ramp up a chat gpt linux terminal (according to the procedure as described on a post: in beebom dot com, named “how-use-chatgpt-linux-terminal” (I can’t add a link as I’m a new user).

but I’m having trouble with SSL certifications and I’m getting this error:

SSLError: HTTPSConnectionPool(host=‘api.openai dot com’, port=443): Max retries exceeded with url: /v1/chat/completions (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)’)))

  • I tried to use the certificates as @hardkothari1988 said and I’ve set an environment variable (with running:

export REQUESTS_CA_BUNDLE=/home/commandline-chatgpt/sni cloudflaressl dot com

) which didn’t worked.
I copied it to [envname]/lib/python3.9/site-packages/certifi (is that correct?).
This procedure uses a python package named shell-gpt, so I don’t have access to the actual python code in order to add an environment variable in it.

  • I also wanted to try @avocanite suggestion, but I don’t have a “/usr/local/share/ca-certificates” directory on my machine.
    I’ve tried to locate another place of the “ca-certificates” directory and couldn’t find it.
    Any case, I’ve changed the permissions of the license file to 644. which didn’t helped.

  • I also tried “fclaush” suggestion, and pip installed pip_system_certs.
    which didn’t work as well.

Does anyone has any suggestion and/or ideas and can rescue me? :slight_smile:
Feel free to contact me

if u have any protection service enabled in ur system then disable that

Hi @mail.guy.yaffe

What version of python and pip are you using?

Problem solved for me with following steps

  1. Open link https://api.openai.com/v1/engines in Firefox and click on cancel
  2. Download certificate for this in PEM (chain) and open in text editor
    Screenshot 2023-07-01 at 11.16.00 PM
  3. Check which ca file is used. example for python (import certifi print(certifi.where()))
  4. Copy the content of file in step2 to the file in step3 (at the bottom).

Run API code.

4 Likes

I’m working with a Windows laptop from my company, i.e. it has a firewall. The below solution worked for me with VPN OFF using the Jupyter Notebook.

  1. Follow @hardkothari1988 steps 1 to 4 only.
  2. Find your file “cacert.pem” and append the certificate content at the end of it. For me my file “cacert.pem” was located inside the certifi package as (C:\ProgramData\Anaconda3\pkgs\certifi-2021.10.8-py39haa95532_2\Lib\site-packages\certifi).
  3. Do not use: os.environ[‘REQUESTS_CA_BUNDLE’] = ‘/path/to/certificate.crt’. The above step is the default location for certs.

The big thing for me was the step 3 above. Even after appending the cert at the end of my cacert.pem, since I was still doing this → os.environ[‘REQUESTS_CA_BUNDLE’] = ‘/path/to/certificate.crt’…my code was still failing. Now it works fine.

None of the solutions seems to work for me. I tried adding the certificate and appended it to the end of the cert file. Any other pointers?