Cursor shows the error message: SSL: CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate [internal]

Where does the bug appear (feature/product)?

Cursor CLI

Describe the Bug

Cursor shows the error message: SSL: CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate [internal].

Steps to Reproduce

Whenever I type in AZ Login to either PowerShell or Git Bash, Cursor shows the error message: SSL: CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate [internal].
I have tried to debug this by making sure both Azure and Cursor are updated with the paths updated but nothing seems to be working. This issue does not occur in Visual Studio Code.

Expected Behavior

Whenever I typed az login previously (a week ago or so) it worked, but all of a sudden it stopped working.

Screenshots / Screen Recordings

LGDisplayExtension_SR0Twi3Omq.png

Operating System

Windows 10/11

Version Information

Cursor IDE Version: 3.3.30

Does this stop you from using Cursor

Yes - Cursor is unusable

Hey, from the screenshot it looks like the error is coming from az login itself, from Python _ssl.c, not from Cursor. That means Azure CLI can’t verify the certificate when connecting to Azure. Cursor is just hosting the terminal.

This is a common sign of a corporate TLS-inspecting proxy like Zscaler, Netskope, an LG proxy, etc. It rebuilds HTTPS using an internal CA. Azure CLI uses Python’s certifi bundle and doesn’t know about your corporate CA.

Since it works in VS Code, it’s very likely VS Code has some environment variables set that Cursor didn’t pick up. Can you check:

  1. In VS Code, open settings.json (Ctrl+Shift+P, then Preferences: Open User Settings (JSON)) and look for terminal.integrated.env.windows or mentions of REQUESTS_CA_BUNDLE or NODE_EXTRA_CA_CERTS. If you find them, copy the same values into Cursor settings.json.
  2. In both terminals, VS Code and Cursor, run and compare:
    echo $env:REQUESTS_CA_BUNDLE
    echo $env:CURL_CA_BUNDLE
    echo $env:HTTPS_PROXY
    
  3. If those variables are empty in VS Code and it still works, it might be different az CLI versions or different Python environments. Run where az in both terminals. Cursor might be picking up a different az.cmd.

The standard fix for corporate proxies is to get the corporate CA PEM file from IT and set it system-wide:

setx REQUESTS_CA_BUNDLE "C:\path\to\corporate-ca.pem"

Then restart Cursor.

If none of that helps, share the output of az login --debug with tokens and tenant info redacted. It will show which exact URL Python fails on.
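
As an added example, not written by anyone in this thread and not Azure CLI's own code: the comparison from steps 1 to 3 above, in Python. It resolves the CA bundle in the order the requests library reads the environment (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then its certifi default) and checks that the file exists and holds PEM certificates; the sample environments, proxy.example and all function names are constructed for illustration.

```python
import os
import re

# Order in which the requests library consults the environment for a CA bundle.
CA_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

# Constructed sample data (not from the thread): two terminal environments
# and a placeholder bundle holding two PEM blocks with dummy bodies.
VSCODE_ENV = {"REQUESTS_CA_BUNDLE": r"C:\path\to\corporate-ca.pem",
              "HTTPS_PROXY": "http://proxy.example:8080"}
CURSOR_ENV = {"HTTPS_PROXY": "http://proxy.example:8080"}
SAMPLE_PEM = "".join(
    f"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ{i}\n-----END CERTIFICATE-----\n"
    for i in range(2))


def effective_ca_bundle(env, default="<certifi default bundle>"):
    """Return (source, path) of the CA bundle a requests-based client would load."""
    for name in CA_VARS:
        if env.get(name):  # an empty value is treated as unset
            return name, env[name]
    return "default", default


def inspect_bundle(path):
    """Return (status, cert_count); status is 'missing', 'no-pem-certs' or 'ok'."""
    if not os.path.isfile(path):
        return "missing", 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        count = len(PEM_CERT.findall(fh.read()))
    return ("ok" if count else "no-pem-certs"), count


def compare_terminals(env_a, env_b, names=CA_VARS + ("HTTPS_PROXY",)):
    """Map each variable that differs to its (env_a, env_b) values."""
    return {n: (env_a.get(n), env_b.get(n))
            for n in names if env_a.get(n) != env_b.get(n)}


if __name__ == "__main__":
    # On a real machine, run this in each terminal against the live environment.
    source, path = effective_ca_bundle(dict(os.environ))
    print("CA bundle source:", source, "->", path)
    if source != "default":
        print("bundle check:", inspect_bundle(path))
    print("VS Code vs Cursor (constructed):", compare_terminals(VSCODE_ENV, CURSOR_ENV))
```

A no-pem-certs result means the file is not PEM text (for example a DER-encoded .cer export), and it must be converted to PEM before REQUESTS_CA_BUNDLE points at it.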

Unfortunately, it did not work, but I have found a temporary workaround, as I am an individual working on projects rather than in a corporate environment.

I think you should check these first: wrong system clock, self-signed certificate, Python/OpenSSL mismatch. If the issue still occurs, check out the technical solution. This might be helpful: https://cheapsslweb.com/blog/ssl-certificate-verify-failed-error-in-python/

Glad you found a workaround. If you can, please share here what exactly helped. It might be useful for a user with a similar issue.

A couple of thoughts on why it could suddenly break outside the corporate network:

  • A local antivirus or security suite with TLS/HTTPS inspection (Kaspersky, BitDefender, ESET, Avast, etc.). It signs traffic with its own CA, and Python certifi doesn’t know it. VS Code might pick up system CAs via its settings, but Azure CLI (its own Python build) might not.
  • An update to Azure CLI or its Python. Try az upgrade or reinstall Azure CLI using the MSI from the Microsoft website. Azure CLI ships with its own Python, and its certifi can sometimes lag behind.
  • The screenshot name LGDisplayExtension hints at LG software. If your laptop has an OEM bundle with a security component, it’s worth checking if it’s doing TLS inspection.

About the advice above on system time: it’s still worth checking, but when time is off you usually get a different error, "certificate has expired" or "not yet valid", not "unable to get local issuer certificate".