The Fix
This isn't an issue with Requests, likely only can be fixed in Certifi itself.
Based on closed psf/requests issue #5831
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
Option A — Apply the official fix
This isn't an issue with Requests, likely only can be fixed in Certifi itself.
When NOT to use: Do not use if it changes public behavior or if the failure cannot be reproduced.
Why This Fix Works in Production
- Trigger: Exception in thread Thread-2:
- Mechanism: This isn't an issue with Requests, likely only can be fixed in Certifi itself.
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- Shows up under Python 3.8 in real deployments (not just unit tests).
- Surfaces as: Exception in thread Thread-2:
Proof / Evidence
- GitHub issue: #5831
- Reproduced locally: No (not executed)
- Last verified: 2026-02-04
- Confidence: 0.00
- Did this fix it?: No (no upstream fix linked)
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“This isn't an issue with Requests, likely only can be fixed in Certifi itself.”
“I get errors in the thread until I *init* the certifi lib in the main thread. After the call of the statement above the errors…”
Failure Signature (Search String)
- Exception in thread Thread-2:
Error Message
Stack trace
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 169, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 96, in create_connection
    raise err
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 86, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 353, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 181, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7fa17cce1f10>: Failed to establish a new connection: [Errno 111] Con
... (truncated) ...
Minimal Reproduction
import os
import threading
import time

import requests
from flask import Flask  # assumed: `app` is not defined in the excerpt; app.run(...) matches Flask

app = Flask(__name__)
lock = threading.Lock()  # not shown in the excerpt
PROOFTOKEN_URL = os.environ.get("PROOFTOKEN_URL")  # assumed source; not shown in the excerpt

thread = None
stop_sync = False


def prooftoken_thread():
    # Poll the proof-token endpoint every 10 seconds using the client certificate.
    while not stop_sync:
        with lock:
            print("sync")
            response = requests.get(PROOFTOKEN_URL, allow_redirects=True, cert=("./secrets/certificate", "./secrets/key"))
            print(response.json())
        time.sleep(10)


if __name__ == '__main__':
    if PROOFTOKEN_URL:
        print("start proof token sync job with URL: {}".format(PROOFTOKEN_URL))
        ###################################
        # remove this line and the thread will fail
        response = requests.get(PROOFTOKEN_URL, allow_redirects=True, cert=("./secrets/certificate", "./secrets/key"))
        ###################################
        thread = threading.Thread(target=prooftoken_thread, daemon=True)
        thread.start()
    else:
        print("No 'prooftoken_url' found. Running in 'app-only' mode.")
    print("AuthZ Server Up and running")
    app.run(host='0.0.0.0', port=8080, debug=False, threaded=False)
Environment
- Python: 3.8
Fix Options (Details)
Option A — Apply the official fix
This isn't an issue with Requests, likely only can be fixed in Certifi itself.
Option D — Guard side-effects with OnceOnly Guardrail for side-effects
Mitigate duplicate external side-effects under retries/timeouts/agent loops by gating the operation before calling external systems.
- Place OnceOnly between your code/agent and real side-effects (Stripe, emails, CRM, APIs).
- Use a stable key per side-effect (e.g., customer_id + action + idempotency_key).
- Fail-safe: configure fail-open vs fail-closed based on blast radius and spend risk.
from onceonly import OnceOnly
import os

once = OnceOnly(api_key=os.environ["ONCEONLY_API_KEY"], fail_open=True)


def process_event(event_id):
    # Stable idempotency key per real side-effect.
    # Use a request id / job id / webhook delivery id / Stripe event id, etc.
    key = f"stripe:webhook:{event_id}"
    res = once.check_lock(key=key, ttl=3600)
    if res.duplicate:
        return {"status": "already_processed"}
    # Safe to execute the side-effect exactly once.
    # handle_event is the application's own handler (not shown here).
    handle_event(event_id)


process_event("evt_...")  # replace
Fix reference: https://github.com/psf/requests/issues/5831
When NOT to Use This Fix
- Do not use if it changes public behavior or if the failure cannot be reproduced.
- Do not use this to hide logic bugs or data corruption. Use it to block duplicate external side-effects and enforce tool permissions/spend caps.
Verify Fix
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Prevention
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
- Track RSS + object counts after deployments; alert on monotonic growth and GC pressure.
- Add a long-running test that repeats the failing call path and asserts stable memory.
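A TLS smoke test along the lines of the first two Prevention items, as an added example (not code from the issue, Requests or Certifi): it performs one real handshake with CA bundle validation and hostname checks enforced, and returns a status per endpoint that separates a refused TCP connection, like the `[Errno 111]` in the trace above, from a certificate or handshake failure. The function names and status strings are assumptions made for this example.

```python
import socket
import ssl


def make_context(cafile=None):
    """Client context that enforces CA bundle validation and hostname checks."""
    ctx = ssl.create_default_context(cafile=cafile)  # system store when cafile is None
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification is not fully enabled")
    return ctx


def tls_smoke(host, port, ctx, timeout=3.0):
    """Attempt one real handshake; return (status, detail) keyed by endpoint."""
    endpoint = f"{host}:{port}"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # TCP never connected (e.g. ConnectionRefusedError, Errno 111): not a TLS fault.
        return "connect_failed", f"{endpoint} {type(exc).__name__}: {exc}"
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", f"{endpoint} {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, expired certificate or hostname mismatch.
        return "cert_invalid", f"{endpoint} {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return "handshake_failed", f"{endpoint} {type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Constructed check: a loopback port with nothing listening on it.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    print(tls_smoke("127.0.0.1", port, make_context()))
```

In CI, fail the job on any status other than `ok`, and alert separately on `connect_failed` and `cert_invalid` so an unreachable endpoint is not mistaken for a CA bundle problem.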
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.