The Fix
pip install urllib3==1.26.7
Based on closed urllib3/urllib3 issue #2338 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -202,6 +202,7 @@ def _cert_array_from_pem(pem_bundle: bytes) -> CFArray:
# should free.
CoreFoundation.CFRelease(cert_array)
+ raise
return cert_array
Option A — Upgrade to fixed release\npip install urllib3==1.26.7\nWhen NOT to use: This fix should not be used if the error handling logic needs to be different.\n\n
Why This Fix Works in Production
- Trigger: Possible bug in securetransport _cert_array_from_pem() error handling
- Mechanism: The error handling in _cert_array_from_pem() was missing a raise statement after freeing the certificate array
- Why the fix works: Fixes a bug in the error handling of the _cert_array_from_pem function by adding a raise statement after freeing the certificate array. (first fixed release: 1.26.7).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The error handling in _cert_array_from_pem() was missing a raise statement after freeing the certificate array
- Production symptom (often without a traceback): Possible bug in securetransport _cert_array_from_pem() error handling
Proof / Evidence
- GitHub issue: #2338
- Fix PR: https://github.com/urllib3/urllib3/pull/2342
- First fixed release: 1.26.7
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.95
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.75
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Ahh, I think we're missing raise in there to re-reaise the exception raised in the try-block. Good catch”
Failure Signature (Search String)
- Possible bug in securetransport _cert_array_from_pem() error handling
- Ahh, I think we're missing `raise` in there to re-reaise the exception raised in the `try`-block. Good catch
Copy-friendly signature
Failure Signature
-----------------
Possible bug in securetransport _cert_array_from_pem() error handling
Ahh, I think we're missing `raise` in there to re-reaise the exception raised in the `try`-block. Good catch
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Possible bug in securetransport _cert_array_from_pem() error handling
Ahh, I think we're missing `raise` in there to re-reaise the exception raised in the `try`-block. Good catch
What Broke
The function could fail silently without raising an exception, leading to unexpected behavior.
Why It Broke
The error handling in _cert_array_from_pem() was missing a raise statement after freeing the certificate array
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==1.26.7
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/2342
First fixed release: 1.26.7
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if the error handling logic needs to be different.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
Version Compatibility Table
| Version | Status |
|---|---|
| 1.26.7 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.