The error
gurobipy._exception.GurobiError: SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)indicates that the client cannot verify the SSL certificate presented by the server it is connecting to.
This can happen when using a WLS license, or when connecting to your own Cluster Manager/Compute Server.
Using a WLS license
A WLS License requires a connection to https://token.gurobi.com
Our token server uses certificates from the certificate authority DigiCert. Machines will usually already have this by default.
If your connection goes through a proxy that performs SSL/TLS inspection, the proxy may present its own certificate instead of the server's certificate. If OpenSSL does not trust the proxy's certificate, this error is returned.
Possible fixes
- Add the proxy's certificate to your system's trusted certificate store. Alternatively, export the proxy's certificate and set the
GRB_CAFILEenvironment variable to point to it.
Using a Cluster Manager or Compute Server
When a machine hosting the Cluster Manager or Compute Server is using an internal certificate (e.g. self-signed) or when a machine is using a certificate signed by a CA that is not trusted by machines by default.
Possible fixes:
- Add the proxy's certificate to your system's trusted certificate store. Alternatively, export the proxy's certificate and set the
GRB_CAFILEenvironment variable to point to it.
The command below can be useful for retrieving the certificate presented by the server and writing it to your machine.
Replace your_cluster_manager_url:port with your server's hostname and port, and replace ~/your_custom_cert.pem with the path where you want to save the certificate.
openssl s_client -connect your_cluster_manager_url:port -servername your_cluster_manager_url:port -showcerts </dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print}' > ~/your_custom_cert.pem