Introduction
When using Python scripts to access Code Insight (FNCI) APIs over HTTPS, you may encounter:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
This occurs because Python’s requests library verifies SSL certificates by default, and Code Insight often uses self-signed or internally signed certificates that are not trusted by Python (or other scripting languages).
You might also get the following error while registering/installing custom reports.
ERROR [get_reports.py:32] HTTPSConnectionPool(host='localhost', port=8888): Max retries exceeded with url: /codeinsight/api/reports/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1123)')))
2021-04-16:16:11:50,714 ERROR [registration.py:100] Unable to retrieve currently registered reports
Scope
Applies to all Code Insight environments:
- Standalone server (Core + Scan on same machine)
- Distributed setup (One Core + multiple Scan servers)
Other Scenarios Where This Can Happen
- Java-based integrations using
HttpClientor similar libraries. - Curl commands or shell scripts calling FNCI APIs.
- Automation tools (e.g., Jenkins, custom connectors) that use HTTPS.
- Any language or framework (Go, Node.js, .NET) that enforces SSL verification.
Root Cause
- Code Insight APIs are hosted on the core server.
- Scripting languages validate the SSL certificate presented by the endpoint.
- Internal PKI or self-signed certs are not by default in Python’s default trust store (or any other language's or system's trust store).
1. Identify the Endpoint
Determine if your script calls:
https://<core-server-host>/codeinsight/restApi/...
2. Export the SSL Certificate Chain
- Open the Code Insight URL in a browser (such as Chrome).
- Click the lock icon → Certificate → Details → Export.
- Export Base-64 encoded X.509 (.CER or .PEM) file.
NOTE: In the screenshots above, we only had the server certificate.
In case you have a chain of certificates, export all certificates, including any server, intermediate, and root certificates.
3. Create a PEM Bundle
- Combine all certificates into one file in this order:
-----BEGIN CERTIFICATE----- (Server/leaf cert) ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Intermediate CA #1) ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Intermediate CA #2) ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Root CA) ... -----END CERTIFICATE----- - Save the file as
fnci_chain.pem.
4. Configure Scripting Language (Like Python) to Trust the Certificate
Choose one method:
Option A: Environment Variable (Recommended)
Set REQUESTS_CA_BUNDLE:
- Windows:
- Press
Win + R→ typesysdm.cpl→ Enter. - Advanced tab → Environment Variables → New.
- Name:
REQUESTS_CA_BUNDLE - Value:
C:\path\to\fnci_chain.pem
- Name:
- Restart terminal/IDE.
- Press
Option B: Per-Script
import requests
url = "https://<fnci-endpoint>/codeinsight/api/health"
r = requests.get(url, verify="C:/path/to/fnci_chain.pem")
print(r.status_code, r.text[:200])
Solution for Report Resgistration SSL Error
A. Install pip-system-certs
This package makes Python use the system certificate store automatically:
pip install pip-system-certs
B. Import Certificates into certifi
- Ensure certifi is installed
pip install certifi - Locate
cacert.pem:C:\Python38\Lib\site-packages\certifi\cacert.pem - Export Code Insight certificate chain from browser using steps listed above.
- Open
cacert.pemand append the certificate contents at the end. - Save and retry report registration.
Important Notes
- You can also use
verify=False(disables SSL verification, insecure). - If certificate changes (renewal/replacement), repeat steps.
FAQ
Q: Do I need scan server certificates?
A: No, unless your script connects to them directly.
Q: What if hostname mismatch occurs?
A: Use the URL matching the certificate SAN or reissue cert with correct SANs.
Q: What about corporate SSL inspection?
A: Trust the proxy’s root CA in Python.
Q: Does this work for mTLS?
A: Yes, but you must also provide client cert/key in requests.
Run:
import requests
r = requests.get("https://<fnci-endpoint>/codeinsight/api/health", timeout=10,
verify="C:/path/to/fnci_chain.pem")
print(r.status_code)
Expected: 200 OK
Sample Code Snippet
import requests
url = "https://<fnci-endpoint>/codeinsight/api/projects"
headers = {"Authorization": "Bearer <token>"}
response = requests.get(url, headers=headers, verify="C:/path/to/fnci_chain.pem")
print(response.status_code)
print(response.json())
Other languages may show different error messages like javax.net.ssl.SSLHandshakeException (Java) or certificate verify failed (curl).
Related Articles
FlexNet Code Insight API Examples 13Number of Views How do I enable SSL for FlexNet Code Insight? 30Number of Views Video: Update the SSL Certificate for Snow Inventory Server 306Number of Views FlexNet Code Insight Workspace Export Import Scripts - Add-On 3Number of Views Unable to Run Jenkins job using Plugin in FlexNet Code Insight 8Number of Views
Hi, I am Reva - Ask me anything.
No new updates
Thanks for the feedback!
Your feedback has been saved.Rate this response:
Add Additional feedback ( Optional )
Are you sure you want to cancel
the case creation?
Are you sure you want to cancel the case creation?
Are you sure you want to close this case
| Products | Region | Phone Numbers |
|---|---|---|
| FlexNet Operations FlexNet Embedded FlexNet Publisher FlexNet Connect FlexNet Code Insight InstallAnywhere InstallShield |
North America * |
+1 630-332-2513 (toll) +1 877-279-2853 (toll-free in North America) |
| Europe * |
+44 1925 944367 (toll) +44 800 047 8642 (toll-free in Europe) |
|
| Japan * | +81 3-4540-5335 (select option 2) | |
| Australia * |
+61 3 9895 2177 +61 1800 560 603 (toll-free in Australia) |
|
|
Usage Intelligence (formerly
Revulytics) Compliance Intelligence |
Please use the Case Portal to submit your support ticket or reach out to your Revenera contact. | |
Revenera Assistant
Case id: 00001065
Activity: Status change: 2 hours ago