Question

Max retries exceeded with URL and SSLError(SSLCertVerificationError

  • September 11, 2025
  • 4 replies
  • 329 views


urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)

I have already tried the following things:

  1. pip install --upgrade certifi
  2. import ssl
     print(ssl.get_default_verify_paths())

Output:
DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='C:\\Program Files\\Common Files\\SSL/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='C:\\Program Files\\Common Files\\SSL/certs')

  3. Uninstall and installation of certifi also done.

Still the same issue after two days. More details:

poetry run cdf deploy --dry-run
  
Traceback (most recent call last):
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\connectionpool.py", line 464, in _make_request
    self._validate_conn(conn)
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\connectionpool.py", line 1093, in _validate_conn
    conn.connect()
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\connection.py", line 790, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\connection.py", line 969, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
               ^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\util\ssl_.py", line 480, in ssl_wrap_socket 
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\util\ssl_.py", line 524, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\Programs\Python\Python311\Lib\ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\Programs\Python\Python311\Lib\ssl.py", line 1075, in _create
    self.do_handshake()
  File "C:\Users\MNarayanan\AppData\Local\Programs\Python\Python311\Lib\ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\connectionpool.py", line 787, in urlopen    
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\connectionpool.py", line 488, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\requests\adapters.py", line 644, in send
    resp = conn.urlopen(
           ^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\connectionpool.py", line 841, in urlopen    
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\urllib3\util\retry.py", line 519, in increment      
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /16e3985b-ebe8-4e24-9da4-933e21a9fc81/oauth2/v2.0/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Scripts\cdf.exe\__main__.py", line 7, in <module>
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf.py", line 120, in app
    _app()
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\typer\main.py", line 330, in __call__
    raise e
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\typer\main.py", line 313, in __call__
    return get_command(self)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\click\core.py", line 1442, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\typer\core.py", line 765, in main
    return _main(
           ^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\typer\core.py", line 193, in _main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\click\core.py", line 1830, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\click\core.py", line 1226, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\click\core.py", line 794, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\typer\main.py", line 690, in wrapper
    return callback(**use_params)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\apps\_core_app.py", line 280, in deploy
    cmd.run(
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\commands\_base.py", line 55, in run
    raise e
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\commands\_base.py", line 52, in run
    result = execute(*args, **kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\apps\_core_app.py", line 281, in <lambda>
    lambda: cmd.execute(
            ^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\commands\deploy.py", line 165, in execute
    result = self.deploy_resources(
             ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\commands\deploy.py", line 197, in deploy_resources
    return self._deploy_resources(
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\commands\deploy.py", line 224, in _deploy_resources
    to_create, to_update, to_delete, unchanged, duplicated = worker.load_resources(
                                                             ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\loaders\_worker.py", line 141, in load_resources
    if capabilities and (missing := self.loader.client.verify.authorization(capabilities)):
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\client\api\verify.py", line 55, in authorization
    return self._toolkit_client.iam.compare_capabilities(self.token_inspect.capabilities, capabilities)
                                                         ^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite_toolkit\_cdf_tk\client\api\verify.py", line 31, in token_inspect
    self._token_inspect = self._toolkit_client.iam.token.inspect()
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite\client\_api\iam.py", line 526, in inspect   
    return TokenInspection.load(self._get("/api/v1/token/inspect").json(), self._cognite_client, allow_unknown=True)
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite\client\_api_client.py", line 167, in _get   
    return self._do_request("GET", url_path, params=params, headers=headers, timeout=self._config.timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite\client\_api_client.py", line 202, in _do_request
    headers = self._configure_headers(
              ^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite\client\_api_client.py", line 256, in _configure_headers
    self._refresh_auth_header(headers)
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite\client\_api_client.py", line 270, in _refresh_auth_header
    auth_header_name, auth_header_value = self._config.credentials.authorization_header()
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite\client\credentials.py", line 192, in authorization_header
    self.__access_token, self.__access_token_expires_at = self._refresh_access_token()
                                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\cognite\client\credentials.py", line 792, in _refresh_access_token
    credentials = self.__oauth.fetch_token(
                  ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\requests_oauthlib\oauth2_session.py", line 341, in fetch_token
    r = self.request(
        ^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\requests_oauthlib\oauth2_session.py", line 521, in request
    return super(OAuth2Session, self).request(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\requests\sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\requests\sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\MNarayanan\AppData\Local\pypoetry\Cache\virtualenvs\ice-cream-dataops-73SKZWOv-py3.11\Lib\site-packages\requests\adapters.py", line 675, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /16e3985b-ebe8-4e24-9da4-933e21a9fc81/oauth2/v2.0/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)')))
PS C:\Mohan\GitHub\GitHub\CDF\workspace\ice-cream-dataops> 

4 replies

Sofie Haug
Seasoned Practitioner
  • Cognite Academy Instructor
  • September 11, 2025

@Ben Petree is this something you have seen before (for bootcamp)?


  • Seasoned
  • September 11, 2025

The traceback is unambiguous:

Your cdf deploy command fails because Python cannot validate the TLS certificate when connecting to login.microsoftonline.com. Specifically:

 

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
 

That means your Python environment (the Poetry venv under ...ice-cream-dataops-73SKZWOv-py3.11) cannot find or use the CA certificates necessary to verify Microsoft’s certificate chain.

 

  • What’s happening?

    • The Cognite Toolkit (cdf deploy) tries to authenticate via Azure AD (login.microsoftonline.com).

    • The requests/urllib3 libraries do certificate validation.

    • They cannot find a trusted root for the issuer → verification fails.

  • Why does this happen?

    • On Windows, Python doesn’t use the system certificate store by default; it uses its own CA bundle (certifi).

    • If that bundle is missing, outdated, or your company uses a proxy with a custom CA (very common in enterprise setups), validation will fail.

  • Where the failure is:
    The failure happens at token acquisition:

 

Poetry run pip install --upgrade certifi should have refreshed any custom CA Certs, but if your local issuer isn’t correctly configured for your environment, you may need to work with your IT Teams to obtain a bypass.

 

If you’re outside your normal office and working remotely in a boot camp or a non-normal environment, it’s possible your laptop doesn’t have routes to your normally-accessible internal certificate issuer, resulting in no trust to the presented cert.

 

This isn’t a Cognite issue as much as it’s a corporate laptop IT Policy issue.
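
Added example, not part of the reply above and not Cognite's code: it follows the reply's point that requests validates against a certifi bundle rather than the Windows store, showing which bundle is in effect and how to add a corporate root CA to it without duplicating entries. The certificates are constructed stand-ins and `corp_root` is a hypothetical name; `REQUESTS_CA_BUNDLE` and `CURL_CA_BUNDLE` are the environment variables requests consults when the caller leaves `verify` at its default.

```python
import base64
import hashlib
import os
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def effective_bundle(environ, default_bundle):
    """Bundle requests validates against when `verify` is left at its default:
    REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi's file."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if environ.get(var):
            return var, environ[var]
    return "certifi", default_bundle

def _sha256(pem_body):
    # Fingerprint the DER bytes so re-wrapped or re-spaced PEM still matches.
    return hashlib.sha256(base64.b64decode("".join(pem_body.split()))).hexdigest()

def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    return {_sha256(body) for body in PEM_RE.findall(pem_text)}

def merge_ca(bundle_text, ca_text):
    """Append certificates from ca_text that the bundle lacks.
    Returns (new_bundle_text, number_added)."""
    have, added = fingerprints(bundle_text), []
    for m in PEM_RE.finditer(ca_text):
        fp = _sha256(m.group(1))
        if fp not in have:
            have.add(fp)
            added.append(m.group(0))
    if not added:
        return bundle_text, 0
    return bundle_text.rstrip("\n") + "\n" + "\n".join(added) + "\n", len(added)

def fake_pem(der):
    """Constructed stand-in: PEM armour around arbitrary bytes, not a real certificate."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import certifi  # installed alongside requests; the bundle the reply refers to
    print("in effect:", effective_bundle(os.environ, certifi.where()))
    bundle = fake_pem(b"public-root-1") + fake_pem(b"public-root-2")
    corp_root = fake_pem(b"corp-root")  # hypothetical corporate proxy root
    merged, added = merge_ca(bundle, corp_root)
    print("added", added, "-> bundle now holds", len(fingerprints(merged)))
```

With real files, write the merged text to a new PEM file and point `REQUESTS_CA_BUNDLE` at it; certificate verification stays enabled.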


Ben Petree
Seasoned Practitioner
  • Seasoned Practitioner
  • September 12, 2025

Also, you could try turning off your Zscaler or other networking security software. Or you could ask IT to whitelist virtual networks.


  • Active
  • September 16, 2025

This is not a Cognite issue. This is because of IT policy enforced by IT on your laptop.