Add certifi fallback for SSL certificate issues

monolith-jaehoon · monolith-jaehoon · commit d457221c3de0 · 2025-08-30T15:30:28.000+09:00
Using Claude 4 Sonnet
diff --git a/requirements/optional.txt b/requirements/optional.txt
@@ -14,3 +14,5 @@ SQLAlchemy>=1.4,<3
 # websockets 9 is not compatible with Python 3.10
 websockets>=9.1,<16
 websocket-client>=1,<2
+# SSL certificate bundle for certificate verification issues
+certifi
diff --git a/slack_sdk/web/async_base_client.py b/slack_sdk/web/async_base_client.py
@@ -18,6 +18,7 @@
     _get_url,
     get_user_agent,
 )
+from .ssl_utils import create_ssl_context_with_certifi_fallback
 from ..proxy_env_variable_loader import load_http_proxy_from_env
 
 from slack_sdk.http_retry.builtin_async_handlers import async_default_handlers
@@ -55,7 +56,7 @@ def __init__(
         """The maximum number of seconds the client will wait
         to connect and receive a response from Slack.
         Default is 30 seconds."""
-        self.ssl = ssl
+        self.ssl = create_ssl_context_with_certifi_fallback(ssl)
         """An [`ssl.SSLContext`](https://docs.python.org/3/library/ssl.html#ssl.SSLContext)
         instance, helpful for specifying your own custom
         certificate chain."""
diff --git a/slack_sdk/web/base_client.py b/slack_sdk/web/base_client.py
@@ -29,6 +29,7 @@
     _build_unexpected_body_error_message,
     _upload_file_via_v2_url,
 )
+from .ssl_utils import create_ssl_context_with_certifi_fallback
 from .slack_response import SlackResponse
 from slack_sdk.http_retry import default_retry_handlers
 from slack_sdk.http_retry.handler import RetryHandler
@@ -67,7 +68,7 @@ def __init__(
         """The maximum number of seconds the client will wait
         to connect and receive a response from Slack.
         Default is 30 seconds."""
-        self.ssl = ssl
+        self.ssl = create_ssl_context_with_certifi_fallback(ssl)
         """An [`ssl.SSLContext`](https://docs.python.org/3/library/ssl.html#ssl.SSLContext)
         instance, helpful for specifying your own custom
         certificate chain."""
diff --git a/slack_sdk/web/ssl_utils.py b/slack_sdk/web/ssl_utils.py
@@ -0,0 +1,34 @@
+import os
+import ssl
+from ssl import SSLContext
+from typing import Optional
+
+
+def has_ssl_env_vars() -> bool:
+    """Check if SSL-related environment variables are set"""
+    ssl_env_vars = ["SSL_CERT_FILE", "SSL_CERT_DIR", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"]
+    return any(os.environ.get(var) for var in ssl_env_vars)
+
+
+def create_ssl_context_with_certifi_fallback(custom_ssl: Optional[SSLContext] = None) -> Optional[SSLContext]:
+    """Create SSL context with certifi fallback for certificate issues
+
+    Priority:
+    1. If custom_ssl is provided or SSL env vars are set -> return custom_ssl
+    2. If certifi is available -> use certifi's certificate bundle
+    3. Otherwise -> return custom_ssl (usually None)
+
+    This helps resolve SSL certificate issues on Windows by using certifi's
+    curated certificate bundle when no explicit SSL configuration is provided.
+    """
+    # Use custom_ssl if provided, or respect SSL environment variables
+    if custom_ssl is not None or has_ssl_env_vars():
+        return custom_ssl
+
+    # Fall back to certifi if available (helps with Windows SSL issues)
+    try:
+        import certifi
+
+        return ssl.create_default_context(cafile=certifi.where())
+    except ImportError:
+        return custom_ssl
