Bug description

I am using Helm chart version 0.15.0 to deploy Superset version 5.0.0 and am encountering the following error:

2025-08-11 08:42:56,797:ERROR:flask_appbuilder.security.views:Error authorizing OAuth access token: HTTPSConnectionPool(host='zitadel.**.devops.*.com', port=443): Max retries exceeded with url: /oauth/v2/token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1016)')))

I have placed my certificate in /usr/local/lib/python3.11/site-packages/certifi. Please let me know if there are any changes required in the certificate path for the OIDC setup.

Screenshots/recordings

No response

Superset version

5.0.0

Python version

3.11

Node version

18 or greater

Browser

Chrome

Additional context

No response

Checklist

  • [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

Comment From: dosubot[bot]

Placing your certificate in /usr/local/lib/python3.11/site-packages/certifi does not make it trusted by Python’s requests library unless you rebuild the certifi bundle, which is not recommended or reliable in containerized deployments. The supported way to add a custom CA for outbound HTTPS (including OIDC/OAuth) in Superset is to mount your CA bundle into the container and set the REQUESTS_CA_BUNDLE environment variable to its path. This tells Python requests to use your CA for SSL verification.

In a Helm/Kubernetes deployment, you should:

  1. Mount your custom CA bundle (e.g., as a Kubernetes Secret or ConfigMap) into the Superset container, for example at /etc/ssl/certs/my-ca-bundle.crt.
  2. Set the REQUESTS_CA_BUNDLE environment variable in your Helm values to point to that file.

Example Helm values override:

extraEnv:
  - name: REQUESTS_CA_BUNDLE
    value: /etc/ssl/certs/my-ca-bundle.crt

extraVolumes:
  - name: custom-ca
    secret:
      secretName: my-custom-ca-secret

extraVolumeMounts:
  - name: custom-ca
    mountPath: /etc/ssl/certs/my-ca-bundle.crt
    subPath: my-ca-bundle.crt
    readOnly: true

This approach is necessary because Superset delegates SSL verification to Python requests, which only honors the REQUESTS_CA_BUNDLE variable for custom trust stores—there is no Superset-specific config for this use case.

If you still see SSL errors after this, check for DNS issues inside the pod (sometimes /etc/resolv.conf is misconfigured in Kubernetes and can cause misleading SSL errors).

Let me know if you need a more detailed example for your Helm chart or have questions about mounting the CA bundle.

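A standard-library check to run inside the Superset pod after mounting the bundle, added here as an example and not code from the issue thread, Superset or its Helm chart. The function names and the command-line usage are assumptions; it reports which CA file requests will pick up from the environment, whether the mounted path is a usable PEM file, and whether a handshake with the identity provider verifies against it.

```python
import os
import re
import socket
import ssl
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def effective_ca_bundle(env):
    """Path requests uses for verify=True, or None for the certifi default."""
    # requests checks REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE. The file it
    # finds replaces the certifi bundle; it is not merged with it.
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or None


def inspect_bundle(path):
    """Return (status, cert_count) for a mounted CA bundle path."""
    if not os.path.exists(path):
        return ("missing", 0)
    if os.path.isdir(path):
        # A subPath naming no key in the Secret can show up as a directory.
        return ("directory", 0)
    with open(path, encoding="ascii", errors="replace") as fh:
        count = len(PEM_CERT.findall(fh.read()))
    return ("ok" if count else "no-pem-certs", count)


def probe(host, port, cafile):
    """TLS handshake trusting only cafile; returns None or the verify error."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message


if __name__ == "__main__":
    bundle = effective_ca_bundle(os.environ)
    print("bundle:", bundle or "certifi default (no env override)")
    if bundle:
        status, count = inspect_bundle(bundle)
        print("inspect:", status, count)
        # Optional argument: the OIDC issuer host name, port 443 assumed.
        if status == "ok" and len(sys.argv) > 1:
            print("verify error:", probe(sys.argv[1], 443, bundle))
```

A result of "unable to get local issuer certificate" from the probe means the bundle lacks the CA that issued the server's chain, typically a missing intermediate or root.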