🎉 DevOps Interview Prep Bundle is live — 1000+ Q&A across 20 topicsGet it →
All Fixes
Today I Fixed

Python requests: SSL certificate verify failed in Kubernetes pod

pythonJun 23, 202620 minutes to fixkubernetessecuritytroubleshooting

Python script worked perfectly locally but failed inside a Kubernetes pod:

requests.exceptions.SSLError: HTTPSConnectionPool(host='internal-api.company.com', port=443):
Max retries exceeded with url: /health
Caused by: SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] 
certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)

Why it worked locally but not in the pod:

My Mac has the company's internal CA certificate installed in the system keychain. The Docker container (Debian-slim base) doesn't.

The internal API uses a TLS certificate signed by the company's private CA, not a public CA like Let's Encrypt.

The right fix (add CA cert to container):

dockerfile
# In Dockerfile
COPY internal-ca.crt /usr/local/share/ca-certificates/internal-ca.crt
RUN update-ca-certificates

Or mount it as a Kubernetes ConfigMap:

yaml
# ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca-bundle
data:
  internal-ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIBxxx...
    -----END CERTIFICATE-----
yaml
# In Deployment
volumes:
  - name: ca-bundle
    configMap:
      name: ca-bundle
containers:
  - volumeMounts:
    - name: ca-bundle
      mountPath: /usr/local/share/ca-certificates/internal-ca.crt
      subPath: internal-ca.crt
    env:
      - name: REQUESTS_CA_BUNDLE
        value: /usr/local/share/ca-certificates/internal-ca.crt

The lazy fix (don't do in production):

python
# DO NOT USE IN PRODUCTION
requests.get(url, verify=False)

This disables SSL verification entirely. It works but defeats the purpose of TLS — a MITM attacker could intercept your traffic. Only use this if you understand exactly why and accept the risk.

Lesson: When Python's requests works locally but fails in containers, almost always it's a CA certificate issue. The proper fix is adding your CA cert to the container image.