ClientConnectorCertificateError / SSLCertVerificationError after update (regression)

[Julian-J-S]

Describe the bug

Great library which gave me nice performence improvements 😎
BUT unfortunately updating aiohttp dependency recently of a project causes ClientConnectorCertificateError / SSLCertVerificationError.

Using "requests" everything works as expected ✔️

requests.post(
    url=URL,
    headers=HEADERS,
    json=JSON,
    },
).json()

Using "aiohttp" worked in the past (!) but raises now ❌

async with aiohttp.ClientSession() as session:
    async with session.post(
        url=URL,
        headers=HEADERS,
        json=JSON,
        # ssl=False,  # <<< only works with ssl=False...
    ) as response:
        response_json = await response.json()

The only solution I found is ssl=False which is no option.
Also "requests" uses ssl by default and there is no problem.

To Reproduce

see description.

Expected behavior

I expect this to work like it did before.
This is a breaking change (at least for me) so this was very unexpected and problematic.

Logs/tracebacks

ClientConnectorCertificateError: Cannot connect to host <XXX>:443 ssl:True [SSLCertVerificationError: (5, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1020)')]

Python Version

$ python --version
3.13

aiohttp Version

$ python -m pip show aiohttp
3.11.0

multidict Version

$ python -m pip show multidict
I dont use "pip" but "uv"

propcache Version

$ python -m pip show propcache
I dont use "pip" but "uv"

yarl Version

$ python -m pip show yarl
I dont use "pip" but "uv"

OS

Windows

Related component

Client

Additional context

No response

Code of Conduct

• I agree to follow the aio-libs Code of Conduct

[Dreamsorcerer]

unfortunately updating aiohttp dependency

Please provide version numbers.

Could maybe be related to the change to aiohappyeyeballs, but not too sure how. Otherwise, this typically indicates your certificates are not installed/accessible/up-to-date. You can use certifi (which requests uses by default) by following the docs: https://docs.aiohttp.org/en/stable/client_advanced.html#example-use-certifi

[Julian-J-S]

unfortunately updating aiohttp dependency

Please provide version numbers.

Could maybe be related to the change to aiohappyeyeballs, but not too sure how. Otherwise, this typically indicates your certificates are not installed/accessible/up-to-date. You can use certifi (which requests uses by default) by following the docs: https://docs.aiohttp.org/en/stable/client_advanced.html#example-use-certifi

Thanks a lot for your help! 😄

I got it working like this:

async with aiohttp.ClientSession(
    connector=aiohttp.TCPConnector(ssl=ssl.create_default_context(cafile=certifi.where())),
) as session:
    ...

I am right now on aiohttp=3.11.0 but cannot tell you the previous version.
However, I am 100% sure that the original code worked without additional ssl magic!

Would love to see it working again by default without this additional "overhead".

[Dreamsorcerer]

Without knowing the version, it's difficult to tell what might have changed. It could also be something else changed on your system that caused the system certificates to not be found. Or, maybe the site your connecting to has deployed a new certificate, with a CA that is not present in your system certificates. The aiohttp upgrade could just be a coincidence, so it'd need more testing to rule it out.

[bdraco]

I looked at the changes between 3.10 and 3.11 and didn't find anything related to SSL that would cause this. If I had to guess, I'd expect its due to a dependency change unless aiohttp was being upgraded from a very old version.