Skip to content

Python 3.13: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032) #138193

Closed as not planned
Closed as not planned
Python 3.13: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)#138193
Labels
3.13bugs and security fixes3.14bugs and security fixes3.15new features, bugs and security fixesextension-modulesC modules in the Modules dirpendingThe issue will be closed if no feedback is providedtopic-SSLtype-bugAn unexpected behavior, bug, or error
@benz0li

Description

@benz0li
benz0li
opened on Aug 27, 2025

Bug report

Bug description:

import requests
requests.get('https://www.google.com')
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
 File "/usr/local/lib/python3.13/site-packages/requests/adapters.py", line 644, in send
 resp = conn.urlopen(
 method=request.method,
 ...<9 lines>...
 chunked=chunked,
 )
 File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 841, in urlopen
 retries = retries.increment(
 method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
 )
 File "/usr/local/lib/python3.13/site-packages/urllib3/util/retry.py", line 519, in increment
 raise MaxRetryError(_pool, url, reason) from reason # type: ignore[arg-type]
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='www.google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
 File "<python-input-1>", line 1, in <module>
 requests.get('https://www.google.com')
 ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/usr/local/lib/python3.13/site-packages/requests/api.py", line 73, in get
 return request("get", url, params=params, **kwargs)
 File "/usr/local/lib/python3.13/site-packages/requests/api.py", line 59, in request
 return session.request(method=method, url=url, **kwargs)
 ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/usr/local/lib/python3.13/site-packages/requests/sessions.py", line 589, in request
 resp = self.send(prep, **send_kwargs)
 File "/usr/local/lib/python3.13/site-packages/requests/sessions.py", line 703, in send
 r = adapter.send(request, **kwargs)
 File "/usr/local/lib/python3.13/site-packages/requests/adapters.py", line 675, in send
 raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)')))

The Linux machine is behind a corporate HTTP proxy with self-signed certificates.

The required Root CA Certificate has been added to the trust store, e.g. uploaded to /usr/local/share/ca-certificates followed by executing update-ca-certificates.

Furthermore the following environment variables are set:

ftp_proxy="ftp://<ftp-proxy-adress>:<ftp-proxy-port>/"
FTP_PROXY="ftp://<ftp-proxy-adress>:<ftp-proxy-port>/"
http_proxy="http://<http-proxy-adress>:<http-proxy-port>/"
HTTP_PROXY="http://<http-proxy-adress>:<http-proxy-port>/"
https_proxy="http://<http-proxy-adress>:<http-proxy-port>/"
HTTPS_PROXY="http://<http-proxy-adress>:<http-proxy-port>/"
no_proxy="127.0.0.1,localhost[,REDACTED]"
NO_PROXY="127.0.0.1,localhost[,REDACTED]"
CURL_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
REQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
SSL_CERT_FILE="/etc/ssl/certs/ca-certificates.crt"

ℹ️ This setup works fine for Python 3.12 (using pip, urllib3, requests, etc.) but not for Python 3.13 (using pip it works, though).

The Root CA Certificate contains the following lines:

Certificate:
    Data:
        ....
        X509v3 extensions:
            ...
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                4E:32:71:1C:07:BB:1D:A8:A4:8A:F8:17:4B:B6:15:47:65:54:24:7E
            X509v3 Authority Key Identifier:
                4E:32:71:1C:07:BB:1D:A8:A4:8A:F8:17:4B:B6:15:47:65:54:24:7E
    ...

Is this, i.e. an AKI that matches the SKI, leading to the error?

  • If yes: Is this considered a malformation?
    • If yes: By CPython only or in general?

CPython versions tested on:

3.13

Operating systems tested on:

Linux

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.13bugs and security fixes3.14bugs and security fixes3.15new features, bugs and security fixesextension-modulesC modules in the Modules dirpendingThe issue will be closed if no feedback is providedtopic-SSLtype-bugAn unexpected behavior, bug, or error

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions