SSL error when trying to push JSON files to our private group APHA-H5Nx-Avian-Influenza using conda

When trying to push Auspice JSON files to our private Nextstrain group, APHA-H5Nx-Avian-Influenza, I run into this error:

‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)’)))

I followed the recommendation in this troubleshooting process (Issue #774 · nextstrain/ncov) and it still won’t work. I have pasted my commands and relevant outputs below. Any help would be appreciated:

```
(Nextstrain) benclifton@ranch-890:~$ export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

(Nextstrain) benclifton@ranch-890:~$ nextstrain remote upload Signin '/home/benclifton/mnt/VI6Storage/Nextstrain/2026-01-12/HA/Auspice/HA.json'

Uploading /home/benclifton/mnt/VI6Storage/Nextstrain/2026-01-12/HA/Auspice/HA.json as Signin
Traceback (most recent call last):
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/connectionpool.py", line 464, in _make_request
    self._validate_conn(conn)
    ~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/connectionpool.py", line 1093, in _validate_conn
    conn.connect()
    ~~~~~~~~~~~~^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/connection.py", line 741, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
        sock=sock,
    ...<14 lines>...
        assert_fingerprint=self.assert_fingerprint,
    )
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/connection.py", line 920, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
        sock=sock,
    ...<8 lines>...
        tls_in_tls=tls_in_tls,
    )
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/util/ssl_.py", line 480, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/util/ssl_.py", line 524, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        sock=sock,
        ^^^^^^^^^^
    ...<5 lines>...
        session=session
        ^^^^^^^^^^^^^^^
    )
    ^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/ssl.py", line 1076, in _create
    self.do_handshake()
    ~~~~~~~~~~~~~~~~~^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/ssl.py", line 1372, in do_handshake
    self._sslobj.do_handshake()
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    response = self._make_request(
        conn,
    ...<10 lines>...
        **response_kw,
    )
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/connectionpool.py", line 488, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/requests/adapters.py", line 667, in send
    resp = conn.urlopen(
        method=request.method,
    ...<9 lines>...
        chunked=chunked,
    )
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/connectionpool.py", line 841, in urlopen
    retries = retries.increment(
        method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
    )
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/urllib3/util/retry.py", line 519, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host=nextstrain.org, port=443): Max retries exceeded with url: /groups/APHA-H5Nx-Avian-Influenza/HA (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/benclifton/miniforge3/envs/Nextstrain/bin/nextstrain", line 10, in <module>
    sys.exit(main())
             ~~~~^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/nextstrain/cli/__main__.py", line 19, in main
    return cli.run( argv[1:] )
           ~~~~~~~^^^^^^^^^^^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/nextstrain/cli/__init__.py", line 37, in run
    return opts.__command__.run(opts)
           ~~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/nextstrain/cli/console.py", line 36, in decorated
    return f(*args, **kwargs)
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/nextstrain/cli/command/remote/upload.py", line 71, in run
    for local_file, remote_file in uploads:
                                   ^^^^^^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/nextstrain/cli/remote/nextstrain_dot_org.py", line 283, in upload
    put(endpoint, file, media_type)
    ~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/nextstrain/cli/remote/nextstrain_dot_org.py", line 241, in put
    response = http.put(
        endpoint,
    ...<2 lines>...
        "Content-Type": media_type,
        "Content-Encoding": "gzip" })
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/requests/sessions.py", line 649, in put
    return self.request("PUT", url, data=data, **kwargs)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/home/benclifton/miniforge3/envs/Nextstrain/lib/python3.13/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host=nextstrain.org, port=443): Max retries exceeded with url: /groups/APHA-H5Nx-Avian-Influenza/HA (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1032)')))

(Nextstrain) benclifton@ranch-890:~$ conda list -n Nextstrain | grep certif
ca-certificates           2026.1.4             hbd8a1cb_0    conda-forge
certifi                   2026.1.4           pyhd8ed1ab_0    conda-forge
```

Hi @BenAPHA,

This error seems to be quite different from the linked ncov issue.

What sticks out here is “Missing Authority Key Identifier”. My guess is that your institutional CA certificate lacks an Authority Key Identifier (AKI) and thus violates stricter checks introduced in Python 3.13.

Since the stricter check doesn’t apply to older Python versions, could you try using an environment with Python ≤3.12?

Lots of further discussion in these 2 issues (warning: deep rabbit hole).

– Victor

Hi Victor, I can’t seem to get this working at all. I still run into an authentication error and am in danger of going further down the rabbit hole!

This is what I get now in my new environment. It asks me to log in on the browser which I can then fail to upload:

```
(nextstrain-upload) benclifton@ranch-890:~$ nextstrain remote upload '/home/benclifton/mnt/VI6Storage/Nextstrain/2026-01-12/HA/Auspice/HA.json'

Uploading /home/benclifton/mnt/VI6Storage/Nextstrain/2026-01-12/HA/Auspice/HA.json
Error: Permission denied.

Logging in with

    nextstrain login https://nextstrain.org

might help?
(nextstrain-upload) benclifton@ranch-890:~$ nextstrain login https://nextstrain.org

URL: (nevermind!)

Traceback (most recent call last):
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/http/client.py", line 1285, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/http/client.py", line 1331, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/http/client.py", line 1280, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/http/client.py", line 1040, in _send_output
    self.send(msg)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/http/client.py", line 980, in send
    self.connect()
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/http/client.py", line 1454, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/ssl.py", line 501, in wrap_socket
    return self.sslsocket_class._create(
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/ssl.py", line 1041, in _create
    self.do_handshake()
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/ssl.py", line 1332, in do_handshake
    self._sslobj.do_handshake()
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/_cffi_ssl/_stdssl/__init__.py", line 523, in do_handshake
    raise pyssl_error(self, ret)
_cffi_ssl._stdssl.error.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/jwt/jwks_client.py", line 56, in fetch_data
    with urllib.request.urlopen(
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/urllib/request.py", line 214, in urlopen
    return opener.open(url, data, timeout)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/urllib/request.py", line 517, in open
    response = self._open(req, data)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/urllib/request.py", line 534, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/urllib/request.py", line 1389, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/urllib/request.py", line 1349, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain>

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/bin/nextstrain", line 10, in <module>
    sys.exit(main())
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/nextstrain/cli/__main__.py", line 19, in main
    return cli.run( argv[1:] )
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/nextstrain/cli/__init__.py", line 37, in run
    return opts.__command__.run(opts)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/nextstrain/cli/command/login.py", line 122, in run
    user = remote.login(url.origin, credentials)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/nextstrain/cli/authn/__init__.py", line 87, in login
    session.authenticate_with_browser()
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/nextstrain/cli/authn/session.py", line 550, in authenticate_with_browser
    self.verify_tokens(
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/nextstrain/cli/authn/session.py", line 634, in verify_tokens
    self._verify_id_token(id_token)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/nextstrain/cli/authn/session.py", line 651, in _verify_id_token
    jwk = self.jwks.get_signing_key_from_jwt(token)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/jwt/jwks_client.py", line 115, in get_signing_key_from_jwt
    return self.get_signing_key(header.get("kid"))
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/jwt/jwks_client.py", line 97, in get_signing_key
    signing_keys = self.get_signing_keys()
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/jwt/jwks_client.py", line 84, in get_signing_keys
    jwk_set = self.get_jwk_set(refresh)
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/jwt/jwks_client.py", line 76, in get_jwk_set
    data = self.fetch_data()
  File "/home/benclifton/miniforge3/envs/nextstrain-upload/lib/pypy3.9/site-packages/jwt/jwks_client.py", line 61, in fetch_data
    raise PyJWKClientConnectionError(
jwt.exceptions.PyJWKClientConnectionError: Fail to fetch data from the url, err: "<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain>"
```

Thanks for reporting back. The new output looks more similar to the linked ncov issue from your original post.

However, comparing to your first output, it now happens at a different part of Nextstrain CLI code (login instead of upload), and the error comes from urllib instead of requests. REQUESTS_CA_BUNDLE only applies to the latter. Can you try this in your Python 3.9 environment?

```
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
nextstrain login …
nextstrain remote upload …
```

I’m hoping this works for

  • login: SSL_CERT_FILE should apply to urllib
  • upload: Python 3.9 should not have the strict check that resulted in the first error
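
The split described in the reply above (requests reads REQUESTS_CA_BUNDLE, urllib follows SSL_CERT_FILE, and Python 3.13 tightens default verification) can be checked from inside the affected environment. The following is an added example, not part of the thread or of Nextstrain CLI; the function names `ca_sources`, `strict_by_default` and `diagnose` are hypothetical, and it only inspects settings without opening a network connection.

```python
import os
import ssl

def ca_sources(env):
    """Return the CA bundle each HTTP stack would consult under `env`."""
    # requests: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, else certifi's bundle.
    requests_ca = (env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE")
                   or "certifi bundle")
    # urllib/http.client use ssl's default context; OpenSSL lets SSL_CERT_FILE
    # override its compiled-in default CA file.
    paths = ssl.get_default_verify_paths()
    urllib_ca = env.get(paths.openssl_cafile_env) or paths.openssl_cafile
    return {"requests": requests_ca, "urllib": urllib_ca}

def strict_by_default():
    """True if ssl.create_default_context() turns on VERIFY_X509_STRICT."""
    ctx = ssl.create_default_context()
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)

def diagnose(env, strict=None):
    """Return (sources, findings) for the two failure modes in the thread."""
    strict = strict_by_default() if strict is None else strict
    sources = ca_sources(env)
    findings = []
    if sources["requests"] != sources["urllib"]:
        findings.append(
            f"requests trusts {sources['requests']} but urllib trusts "
            f"{sources['urllib']}; behind an institutional CA, set both "
            "REQUESTS_CA_BUNDLE and SSL_CERT_FILE")
    if strict:
        findings.append(
            "default context enforces VERIFY_X509_STRICT; a chain certificate "
            "lacking an Authority Key Identifier fails verification")
    return sources, findings

if __name__ == "__main__":
    sources, findings = diagnose(os.environ)
    for stack, path in sources.items():
        print(f"{stack:9} -> {path}")
    for finding in findings:
        print("finding:", finding)
```

Run it with the same conda environment activated as the failing `nextstrain` command, so that it reports that interpreter's defaults.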