Python Error [SSL: CERTIFICATE_VERIFY_FAILED] with SSL requests


I am trying to get the Specify All in One Docker configuration running through Podman on one of my servers through HTTPS and am running into errors. When I try to visit the Specify 7 URL I have set up, I get a Python CERTIFICATE_VERIFY_FAILED error when the application tries to connect to the web asset server.

A basic overview of what I’m trying to do is as follows. I have the “All in one” Podman configuration running on the webserver with the nginx proxy running on port 8888 on the server. I also have the Specify Web Portal running on port 8889 on the same server. On the server itself I have an Apache Vhost proxying requests to the relevant Podman pods.

It seems like Python root certificates may not be installed in one of the base images, but I am not sure. The same Apache proxy → Nginx proxy → Web Portal configuration works over both HTTP and HTTPS.

I have my configurations and error log listed out below. Any help or insights you all have would be greatly appreciated. If you have any questions or need more information please let me know.

docker-compose.yml (3.1 KB)
docker.log (23.4 KB)
nginx.conf (1.1 KB)

Thank you,

Hi there @perzanowski.4,

Looking at the files you provided, if you want to use HTTPS, the following will work:

  1. Update your docker-compose.yml file as follows:
  asset-server:
    restart: unless-stopped
    image: specifyconsortium/specify-asset-service
    container_name: asset-server
    init: true
    volumes:
      - "attachments:/home/specify/attachments"
      - "./web_asset_store.xml:/home/specify/web_asset_store.xml"
    environment:
      - SERVER_PORT=443
      - DEBUG_MODE=false
  2. You will need to amend the default web_asset_store.xml from http to https. You can simply copy and paste the snippet below:
<?xml version="1.0" encoding="UTF-8"?>
<urls>
    <url type="read"><![CDATA[https://{{host}}/fileget]]></url>
    <url type="write"><![CDATA[https://{{host}}/fileupload]]></url>
    <url type="delete"><![CDATA[https://{{host}}/filedelete]]></url>
    <url type="getmetadata"><![CDATA[https://{{host}}/getmetadata]]></url>
    <url type="testkey">https://{{host}}/testkey</url>
</urls>

  3. Lastly, in your nginx.conf you didn't include any listening section for port 443. Not sure how you are referencing your certificate, but here is a snippet of my configuration file that should give you some help:
server {
    listen 80;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # redirect all other plain-HTTP requests to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;

    # access_log off;
    # error_log off;
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # serve static files directly
    location /static/ {
        root /volumes;
        rewrite ^/static/config/(.*)$ /specify6/config/$1 break;
        rewrite ^/static/depository/(.*)$ /static-files/depository/$1 break;
        rewrite ^/static/(.*)$ /static-files/frontend-static/$1 break;
    }

    # proxy these urls to the asset server
    location ~ ^/(fileget|fileupload|filedelete|getmetadata|testkey|web_asset_store.xml) {
        client_max_body_size 0;
        resolver valid=30s;
        set $backend "http://asset-server:8080";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # proxy everything else to specify 7
    location / {
        resolver valid=30s;
        set $backend "http://specify7:8000";
        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Shout if you are still struggling and I can assist in bundling letsencrypt for automatic certificate handling.
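
A read-only diagnostic for the question's hypothesis that root certificates are missing from the image, added here as an example and not code from either poster or from Specify: run it inside the container that makes the HTTPS request. The function names and the cause table are this example's own, and certificate verification stays enabled throughout.

```python
import os
import socket
import ssl
import sys

# OpenSSL verify codes that most often sit behind CERTIFICATE_VERIFY_FAILED.
CAUSES = {
    10: "certificate expired; renew it on the TLS-terminating proxy",
    18: "self-signed leaf; serve a CA-issued certificate or add it to the trust store",
    19: "private CA in chain; add that CA to the client's trust store",
    20: "issuer unknown; CA bundle missing in the image or proxy omits the intermediate chain",
    21: "leaf unverifiable; proxy is not sending its intermediate certificates",
    62: "hostname mismatch; the URL host is not in the certificate's subjectAltName",
}

def trust_store_report():
    """Show where this interpreter looks for CA certificates and whether they exist."""
    paths = ssl.get_default_verify_paths()  # honours SSL_CERT_FILE / SSL_CERT_DIR
    return {
        "cafile": paths.cafile,  # None when the bundle file is absent
        "capath": paths.capath,  # None when the directory is absent
        # capath is read lazily by OpenSSL, so count directory entries instead
        "capath_entries": len(os.listdir(paths.capath)) if paths.capath else 0,
        "env_overrides": {k: os.environ[k] for k in ("SSL_CERT_FILE", "SSL_CERT_DIR")
                          if k in os.environ},
    }

def explain(code, message):
    """Turn an OpenSSL verify code into a likely cause and fix."""
    cause = CAUSES.get(code, "unlisted code; see the OpenSSL verify documentation")
    return f"{code} ({message}): {cause}"

def probe(host, port=443, timeout=5.0):
    """Attempt a fully verified TLS handshake and return (ok, detail)."""
    ctx = ssl.create_default_context()  # chain and hostname checks stay on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "chain and hostname verified"
    except ssl.SSLCertVerificationError as exc:
        return False, explain(exc.verify_code, exc.verify_message)
    except OSError as exc:  # refused, timeout, DNS failure, non-TLS peer
        return False, f"no TLS handshake: {exc}"

if __name__ == "__main__":
    print(trust_store_report())
    print(probe(sys.argv[1]))  # pass the hostname used in web_asset_store.xml
```

An empty trust store (`cafile` of `None` and zero `capath_entries`) points at the image; a code 20 or 21 with a populated store points at the proxy's certificate chain instead.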