Facing SSL Error with Huggingface pretrained models

Question

I am facing below issue while loading the pretrained model from HuggingFace.

HTTPSConnectionPool(host='huggingface.co', port=443): Max retries exceeded with url: /roberta-base/resolve/main/config.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)')))

The line that is causing the issue is

tokenizer = AutoTokenizer.from_pretrained('roberta-base')

I never faced this issue before and it was working absolutely fine earlier. I am clueless.

Answer 1

You can import a self-signed certificate on Windows machine.

To add a certificate to the Trusted Root Certification Authorities store on Windows, you can follow these steps:

1. Download the root certificate from the website, procedure to download the certificates using chrome browser are as follows:

   • Open the website (https://huggingface.co/)

   • In the URL tab you can see small lock icon, click on it

   • Click on "Connection is secure"

   • Click on "Certificate is valid"

   • CLick on "Details" tab

   • From certificate hierarchy select root certificate in our case it is "caadmin.netskope.com"

   • Click on "Export..." and save it in your system

     

2. Add downloaded certificate to "Trusted Root Certification Authorities" using following steps:

   • Open the Command Prompt as an administrator.

   • Type the following command to add the certificate to the Trusted Root Certification Authorities store

     certutil -addstore "Root" <path/to/certificate>
     

     You will receive a message indicating that the certificate was added to the store.

To verify if certificate is added to root or not, follow these steps :

1. Press the windows button and type "mmc" and press enter, this will open the Microsoft management console.
2. On the File menu, click Add/Remove Snap-in.
3. In the Available snap-ins box, click Certificates, and then click Add.
4. Click Computer account, and then click next.
5. Click Local computer, and then click Finish.
6. Click OK to close the Add or Remove Snap-ins dialog box.
7. In the console tree, click Certificates (Local Computer), and then click the Trusted Root Certification Authorities folder.
8. Verify that the certificate is in the Trusted Root Certification Authorities folder.

NOTE : It's recommended to consult with your IT administrator or security team to ensure that your system is configured correctly.

Please let me know if there's anything else I could help you with.

Answer 2

Downgrading requests to 2.27.1 and adding the following code snippet to the beginning of your program file should fix the problem.

'''This following code will set the CURL_CA_BUNDLE environment variable to an empty string in the Python os module'''

import os
os.environ['CURL_CA_BUNDLE'] = ''

Answer 3

The CURL_CA_BUNDLE fix did not work for me. Instead, I was able to add the following lines to the start of my script;

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

And the error does not occur now.

This answer was from https://github.com/pytorch/pytorch/issues/33288#issuecomment-954160699.

Answer 4

For Enterprise users, if your Enterprise has enterprise root certs, you may need to set this environment variable to know where your ca-certificates.crt bundle is. Testing via the requests module was not able to reproduce the error as those requests went out properly, but for the pull to work via Huggingface we had to set this variable first.

Hope this saves someone a few hours :)

export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt