Replies: 1 comment
This is a common issue in Kubernetes deployments where internal services use private CA certificates. LiteLLM uses

Fix 1: Mount the CA certificate and set env vars

In your K8s deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: litellm
          env:
            - name: SSL_CERT_FILE
              value: /etc/ssl/certs/custom-ca-bundle.crt
            - name: REQUESTS_CA_BUNDLE
              value: /etc/ssl/certs/custom-ca-bundle.crt
            - name: CURL_CA_BUNDLE
              value: /etc/ssl/certs/custom-ca-bundle.crt
          volumeMounts:
            - name: ca-certs
              mountPath: /etc/ssl/certs/custom-ca-bundle.crt
              subPath: ca-bundle.crt
              readOnly: true
      volumes:
        - name: ca-certs
          secret:
            secretName: custom-ca-bundle
```

Create the secret from your CA chain:

```bash
kubectl create secret generic custom-ca-bundle \
  --from-file=ca-bundle.crt=/path/to/your/ca-chain.pem
```

Important: The CA bundle must contain the full chain (root CA + intermediate CAs), not just the root CA.

Fix 2: Disable SSL verification (testing only)

In your LiteLLM config:

```yaml
# litellm config.yaml
litellm_settings:
  ssl_verify: false
```

Or via environment variable:

```yaml
env:
  - name: SSL_VERIFY
    value: "False"
```

Do NOT use this in production — it disables all certificate verification.

Fix 3: Add your CA to the system trust store in the container

If you control the Docker image:

```dockerfile
FROM ghcr.io/berriai/litellm:main-latest
COPY your-ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
```

Fix 4: Langfuse-specific callback URL

If only the Langfuse callback is failing (not the LLM calls themselves), the issue is specifically with httpx connecting to your Langfuse instance. Make sure the Langfuse URL uses the correct hostname that matches the certificate:

```yaml
environment_variables:
  LANGFUSE_HOST: https://langfuse.internal.company.com  # Must match cert CN/SAN
  LANGFUSE_PUBLIC_KEY: pk-...
  LANGFUSE_SECRET_KEY: sk-...
```

Debugging

Check which CA the container trusts:

```bash
kubectl exec -it <pod> -- python3 -c "import certifi; print(certifi.where())"
kubectl exec -it <pod> -- python3 -c "import ssl; print(ssl.get_default_verify_paths())"
```

Then verify your certificate chain:

```bash
kubectl exec -it <pod> -- openssl s_client -connect langfuse.internal:443 -showcerts
```

The most common root cause is a missing intermediate certificate in the CA bundle.
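An added example, not part of the reply above and not LiteLLM code: a name-level check that every CA certificate in the bundle behind `SSL_CERT_FILE` chains to a self-signed root that is also in the bundle, which is the "full chain" condition from Fix 1. It assumes `python3` is available in the pod; the function names and the sample CA names are hypothetical.

```python
import os
import ssl


def load_ca_certs(bundle_path):
    """Return the CA certificates OpenSSL loads from a PEM bundle, as dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx.get_ca_certs()


def name(rdns):
    """Flatten ssl's nested subject/issuer tuples into 'commonName=...' form."""
    return ",".join(f"{k}={v}" for rdn in rdns for k, v in rdn)


def unanchored(certs):
    """Map each subject that does not chain to a self-signed root inside the
    bundle to the issuer name that is missing. Names only; no signature check."""
    issuer_of = {name(c["subject"]): name(c["issuer"]) for c in certs}
    problems = {}
    for subject in issuer_of:
        current, seen = subject, set()
        while current in issuer_of and current not in seen:
            seen.add(current)
            if issuer_of[current] == current:  # self-signed root: anchored
                break
            current = issuer_of[current]
        else:  # ran off the bundle (or looped) before reaching a root
            problems[subject] = current
    return problems


# Constructed sample data in the shape get_ca_certs() returns (hypothetical names).
ROOT = {"subject": ((("commonName", "Example Root CA"),),),
        "issuer": ((("commonName", "Example Root CA"),),)}
INTERMEDIATE = {"subject": ((("commonName", "Example Issuing CA"),),),
                "issuer": ((("commonName", "Example Root CA"),),)}

if __name__ == "__main__":
    path = os.environ.get("SSL_CERT_FILE")
    certs = load_ca_certs(path) if path else [INTERMEDIATE]
    print(f"{len(certs)} CA certificate(s) from {path or 'constructed sample'}")
    for subject, missing in unanchored(certs).items():
        print(f"NOT ANCHORED: {subject} (issuer not in bundle: {missing})")
```

An empty result means every CA in the bundle reaches a root by name; a reported entry names the issuer certificate that still has to be appended to the bundle.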
Getting the below SSL Error when adding Langfuse as callback in LiteLLM. Both the deployments are running under same self hosted K8s Cluster.
Added this environment variable SSL_CERT_FILE: "CA Cert path" but still getting the error.
Looks like the custom CA is not working. Is there any other setting/variable to add for the Custom CA Cert?
LiteLLM Version: v1.81.0-stable
{"message": "litellm.proxy.proxy_server.health_services_endpoint(): Exception occured - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1032)", "level": "ERROR", "timestamp": "2026-02-02T07:52:27.252062"}
Could anyone help on this?