Cloudflare's Chain Root CA removed from today's `certifi` update

yotamkuchnir · April 26, 2025, 10:41pm

What is the name of the domain?

What is the error message?

CERTIFICATE_VERIFY_FAILED

What is the issue you’re encountering

Today’s (2025-04-26) certifi update has removed the “AAA Certificate Services” Root CA that the Cloudflare certificate chain uses from the trust store (read more in 1957685 - Turn off Websites Trust Bit from CAs). As a result, Cloudflare is currently serving certificate chains that are not trusted, causing verification failures for newer Python clients.

What is the current SSL/TLS setting?

Flexible

What are the steps to reproduce the issue?

Install Python’s certifi update of 2025.04.26
Make a request to the server ( requests.get('https://edalo.net') )
(The same exact command has worked for months until today, with the new certifi update)
Get requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED]

yotamkuchnir · April 27, 2025, 11:29am

This will become a much larger problem when the new version of Firefox Nightly releases soon, as it will use the new version of certifi.

yotamkuchnir · April 27, 2025, 12:34pm

Now on Firefox Nightly, too.

fritex · April 27, 2025, 1:07pm

AAA

Not before: 01 Jan 2004
Not after: 31 Dec 2028

SSL.com TLS ECC CA R2

Not before: 21 Jun 2004
Not after: 31 Dec 2028

Cloudflare ECC CA 1

Not before: 31 Oct 2023
Not after: 28 Oct 2033

edalo.net

Not before: 17 Mar 2025
Not after: 15 Jun 2025

Might be you’ve got the “old one” cached while the new SSL certificate wasn’t re-issued?

Are you running any Anti-virus/malware software which would scan the HTTP(S) requests as well?

yotamkuchnir · April 27, 2025, 1:32pm

Thank you for the response!

Might be - is there a way to manually clear the cache through the dashboard?
I do not

yotamkuchnir · April 27, 2025, 5:27pm

Seems to be the problem foreshadowed by @nick.gristle628

michael.laroche · May 5, 2025, 8:33am

Did you find any solution to this ? I have the same issue…

yotamkuchnir · May 5, 2025, 9:11am

No solution yet.

Currently the workaround is pinning certifi to version 2025.1.31.

According to this GitHub issue, the certifi developers are in talks with Cloudflare to resolve this.

michael.laroche · May 5, 2025, 10:14am

Thanks for your answer and the link to github issue.

system · May 20, 2025, 10:15am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cloudflare root certificate untrusted (again?) Security	6	2480	July 22, 2022
Invalid SSL certificate - chain breaks somewhere General	19	6205	March 29, 2021
I've got an error ssl: certificate_verify_failed certificate verify failed Security	5	562	April 1, 2024
Cloudflare TLS Certificate chain is invalid Security	1	894	September 20, 2023
Error 526 Invalid Certificate on a domain + server + valid cert Security	6	21	February 10, 2025