We all love HTTPS because it gives us privacy. All HTTPS communications are private between the user and the remote server. Mostly.

On a corporate network, connections usually go through a proxy. The proxy likely man-in-the-middles all the corporate HTTPS connections: it pretends to be the remote site to me, and it pretends to be me to the remote site. Corporate man-in-the-middle (MITM) lets the organization audit and block traffic that would otherwise be opaque and potentially dangerous, which is great: I’m security-minded and all, but when someone whose job it is does it, you get better outcomes. Even so, corporate proxying still causes trouble for me whenever some part of my system doesn’t know to trust the proxy’s certificate. And that happens more than I’d like.

I find that Python semi-regularly fails requests that succeed in the browser, failing with CERTIFICATE_VERIFY_FAILED. The browser trusts the corporate certificate via the OS keychain, but Python verifies against its own trust store (the certifi bundle, wherever that lives in the current environment). When that happens, I let Python know that I trust the corporate certificate by adding it to that store, as follows:

  1. Get the PEM for the certificate. On a Mac, open Keychain Access, select the corporate certificate and export it as PEM.

  2. Run the following:

    import certifi
    import shutil

    path_to_mitm_pem = "/path/to/the_exported_corporate_certificate.pem"

    # Python's certificate store location varies with the dependency management
    # approach (venv, conda, system Python), so ask certifi instead of hard-coding it.
    cert_store = certifi.where()
    print(f"Python is using the cert store at: {cert_store}")

    # Sanity check: Keychain can also export DER, and only PEM can be appended to the bundle.
    with open(path_to_mitm_pem, "rt") as f:
        assert f.readline() == "-----BEGIN CERTIFICATE-----\n", "export is not PEM"

    # Append the corporate certificate to the end of the bundle.
    with open(path_to_mitm_pem, "rb") as new_pem_f, open(cert_store, "ab") as cert_store_f:
        shutil.copyfileobj(new_pem_f, cert_store_f)


After configuring the cert store, HTTPS requests should start succeeding.
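Since this gets repeated, here is an added example (not the post's own snippet) that goes a step further: it skips certificates already in the bundle by DER fingerprint, rejects an accidental DER export, and can check that the result still loads in OpenSSL. The function names and the sample bundle and corporate PEM are my own constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
import ssl

# One PEM certificate block, markers included; DOTALL lets the body span lines.
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def cert_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 fingerprints of the DER form of every certificate block in pem_text."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest()
            for b in _PEM_BLOCK.findall(pem_text)]

def merge_bundle(bundle_text: str, extra_pem: str) -> tuple[str, int]:
    """Append the certs in extra_pem that bundle_text lacks; return (merged, count).
    Duplicates are detected by DER fingerprint, so re-running monthly does not
    grow the bundle; a file with no PEM block (e.g. a DER export) is rejected."""
    blocks = _PEM_BLOCK.findall(extra_pem)
    if not blocks:
        raise ValueError("no PEM certificate block found (was the export DER?)")
    present = set(cert_fingerprints(bundle_text))
    added = []
    for block in blocks:
        fp = cert_fingerprints(block)[0]
        if fp not in present:
            present.add(fp)
            added.append(block)
    if not added:
        return bundle_text, 0
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + "\n".join(added) + "\n", len(added)

def bundle_loads(path: str) -> bool:
    """True if OpenSSL accepts the file as a CA bundle. Run this on the merged
    file before pointing Python at it: a corrupt bundle breaks every HTTPS call."""
    try:
        ssl.create_default_context().load_verify_locations(cafile=path)
        return True
    except ssl.SSLError:
        return False

def _fake_pem(label: bytes) -> str:
    # Constructed placeholder with valid PEM framing; not a real certificate.
    body = base64.encodebytes(label).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed stand-ins for certifi's bundle and the exported corporate CA.
SAMPLE_BUNDLE = _fake_pem(b"public root 1") + _fake_pem(b"public root 2")
CORPORATE_PEM = _fake_pem(b"corporate proxy CA")
```

Writing the merged text to a separate file and pointing Python at it through SSL_CERT_FILE (or REQUESTS_CA_BUNDLE for requests) keeps the change from being wiped out the next time certifi is upgraded and its bundle is replaced.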

I swear I have to do this at least once a month for some new environment or another.