Python script worked perfectly locally but failed inside a Kubernetes pod:
requests.exceptions.SSLError: HTTPSConnectionPool(host='internal-api.company.com', port=443):
Max retries exceeded with url: /health
Caused by: SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)
Why it worked locally but not in the pod:
My Mac has the company's internal CA certificate installed in the system keychain. The Docker container (Debian-slim base) doesn't.
The internal API uses a TLS certificate signed by the company's private CA, not a public CA like Let's Encrypt.
The right fix (add CA cert to container):
# In Dockerfile
COPY internal-ca.crt /usr/local/share/ca-certificates/internal-ca.crt
RUN update-ca-certificatesOr mount it as a Kubernetes ConfigMap:
# ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: ca-bundle
data:
internal-ca.crt: |
-----BEGIN CERTIFICATE-----
MIIBxxx...
-----END CERTIFICATE-----# In Deployment
volumes:
- name: ca-bundle
configMap:
name: ca-bundle
containers:
- volumeMounts:
- name: ca-bundle
mountPath: /usr/local/share/ca-certificates/internal-ca.crt
subPath: internal-ca.crt
env:
- name: REQUESTS_CA_BUNDLE
value: /usr/local/share/ca-certificates/internal-ca.crtThe lazy fix (don't do in production):
# DO NOT USE IN PRODUCTION
requests.get(url, verify=False)This disables SSL verification entirely. It works but defeats the purpose of TLS — a MITM attacker could intercept your traffic. Only use this if you understand exactly why and accept the risk.
Lesson: When Python's requests works locally but fails in containers, almost always it's a CA certificate issue. The proper fix is adding your CA cert to the container image.