--- slug: "python3-13-ssl-basic-constraints-critical-alert-ignore" title: "Fix: Python 3.13 SSL error 'Basic Constraints of CA cert not marked critical' (VERIFY_X509_STRICT)" description: "Python 3.13 enabled VERIFY_X509_STRICT by default, triggering \"SSL: CERTIFICATE_VERIFY_FAILED certificate verify failed: Basic Constraints of CA cert not marked critical\" against self-signed CA certs. Workaround: disable VERIFY_X509_STRICT in SSLContext." url: "https://www.ytyng.com/en/blog/python3-13-ssl-basic-constraints-critical-alert-ignore" publish_date: "2025-05-21T02:50:31Z" created: "2025-05-21T02:50:31.267Z" updated: "2026-04-20T01:19:28.722Z" categories: ["Python"] keywords: "" featured_image_url: "https://media.ytyng.com/resize/20250521/62707007f0854076bd19dfa4ddb1ddac.png.webp?width=768" has_video: true has_music: true video_urls: ["https://media.ytyng.net/ytyng-blog/321/featured-video-1.mp4", "https://media.ytyng.net/ytyng-blog/321/featured-video-2.mp4", "https://media.ytyng.net/ytyng-blog/321/featured-video-3.mp4"] music_urls: ["https://media.ytyng.net/ytyng-blog/321/featured-music-321-3.mp3", "https://media.ytyng.net/ytyng-blog/321/featured-music-321-5.mp3"] lang: "en" --- # Fix: Python 3.13 SSL error 'Basic Constraints of CA cert not marked critical' (VERIFY_X509_STRICT) _Note: This article discusses intentionally lowering the default security level. Please only proceed if you understand the risks and can tolerate them in your environment._ When attempting to make a request to an HTTP server using a self-signed SSL certificate with Python's Requests or httpx, you would use code similar to the following: ```python import httpx ca_file_path = os.path.join(os.path.dirname(__file__), 'my-ca.crt') content = httpx.get('https://my-internal-server.example.com/', verify=ca_file_path) ``` ```python import requests ca_file_path = os.path.join(os.path.dirname(__file__), 'my-ca.crt') response = requests.get('https://my-internal-server.example.com/', verify=ca_file_path) ``` This works fine up through Python 3.12. However, with Python 3.13, if the `X509v3 Basic Constraints` of the CA certificate are not marked as Critical, you will encounter the following error: ``` httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020) ``` To bypass this error in Python 3.13 without modifying the CA certificate, you can use the following: ```python import httpx import ssl ca_file_path = os.path.join(os.path.dirname(__file__), 'my-ca.crt') context = ssl.create_default_context() context.verify_flags &= ~ssl.VERIFY_X509_STRICT context.load_verify_locations(ca_file_path) response = httpx.get('https://my-internal-server.example.com/', verify=context) ``` This will allow you to bypass the issue. _Note: This is insecure._