The Fix
pip install urllib3==2.1.0
Based on closed urllib3/urllib3 issue #3065 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -0,0 +1,3 @@
@@ -0,0 +1,3 @@
+Fixed an issue where it was not possible to pass the ca_cert_data keyword argument in a proxy context when making SSL
+requests. Previously, attempting to pass ca_cert_data in a proxy context would result in an error.
+This issue has been resolved, and users can now pass ca_cert_data when making SSL requests through a proxy context.
Option A — Upgrade to fixed release\npip install urllib3==2.1.0\nWhen NOT to use: This fix should not be used if the application does not require SSL proxy support.\n\n
Why This Fix Works in Production
- Trigger: Cannot pass ssl kwarg cert_data in proxy context
- Mechanism: The ca_cert_data keyword argument was not propagated in the proxy context for SSL requests
- Why the fix works: Added support for the ca_cert_data keyword argument in proxy context, resolving issue #3065. (first fixed release: 2.1.0).
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The ca_cert_data keyword argument was not propagated in the proxy context for SSL requests
- Production symptom (often without a traceback): Cannot pass ssl kwarg cert_data in proxy context
Proof / Evidence
- GitHub issue: #3065
- Fix PR: https://github.com/urllib3/urllib3/pull/3150
- First fixed release: 2.1.0
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.71
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“Discovered that one while writting tls-in-tls http/2 tests in #3030 While we can do we cannot output unexpected kw key_cert_data for pool conn I suspect that we missed propagating required kw. It is an easy fix. should patch SSL_KEYWORDS =”
Failure Signature (Search String)
- Cannot pass ssl kwarg cert_data in proxy context
- Discovered that one while writting tls-in-tls http/2 tests in #3030
Copy-friendly signature
Failure Signature
-----------------
Cannot pass ssl kwarg cert_data in proxy context
Discovered that one while writting tls-in-tls http/2 tests in #3030
Error Message
Signature-only (no traceback captured)
Error Message
-------------
Cannot pass ssl kwarg cert_data in proxy context
Discovered that one while writting tls-in-tls http/2 tests in #3030
What Broke
Users encountered an error when attempting to pass ca_cert_data in a proxy context.
Why It Broke
The ca_cert_data keyword argument was not propagated in the proxy context for SSL requests
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
pip install urllib3==2.1.0
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/urllib3/urllib3/pull/3150
First fixed release: 2.1.0
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- This fix should not be used if the application does not require SSL proxy support.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Add a CI check that diffs key outputs after upgrades (OpenAPI schema snapshots, JSON payload shapes, CLI output).
- Upgrade behind a canary and run integration tests against the canary before 100% rollout.
- Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
- Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
Version Compatibility Table
| Version | Status |
|---|---|
| 2.1.0 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.