Installing Zscaler Certificate to Anaconda3
After the obligatory installation of Zscaler throughout the company, my Anaconda started giving me the SSL verification error while installing modules and when using requests to get URLs:

Error(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))': /simple/'some_module'/

SSLError: HTTPSConnectionPool(host='www.amazon.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

With Zscaler turned off it all works great, but the company policy does not allow that.

I found some bypasses, like setting verify to False, but that is not what I want.

I would like to install the Zscaler certificate (which was provided to me by our IT department) into Anaconda.

Now the problem seems to be that it uses conda’s generic certificates.

import ssl
print(ssl.get_default_verify_paths())

Output: DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='C:\ci\openssl_1581353098519\_h_env\Library/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='C:\ci\openssl_1581353098519\_h_env\Library/certs')

Any idea what I could possibly do to point conda to the Zscaler certificate that I have?

System info: Windows 10, Anaconda3 2020.02, Python 3.7

Thanks a lot in advance

Stonybroke answered 6/5, 2020 at 12:40 Comment(1)
Have you seen docs.conda.io/projects/conda/en/latest/user-guide/configuration/… ? – Lorie

What you can do is:

  1. Open a browser and go to www.google.com
  2. Next to the reload page button, you will see a lock (see picture below). Click on it.
  3. Click on: Certificate
  4. Click on the tab: Certification Path
  5. Select Zscaler Root CA5 and then click on the View Certificate button
  6. Click on the tab: Details and then click on the Copy to File button
  7. Export the certificate choosing the Base-64 encoded X.509 (.CER) format
  8. Choose a path where to save the file
  9. Open Anaconda Prompt
  10. conda config --set ssl_verify path_of_the_file_that_you_just_saved

Broeker answered 7/8, 2020 at 16:48 Comment(0)

Background

I had this same issue, but ran into a similar one with my work laptop, except that Zscaler blocked my curl, git, and anaconda traffic. The temporary fix was to disable SSL verification, but this introduces a number of security vulnerabilities such as man-in-the-middle attacks.

From what I could gather and my limited research, WSL2 doesn't have an automatic way of importing SSL certificates from the system. https://github.com/microsoft/WSL/issues/5134

Solution

The long term solution is to get the Zscaler certificate and add it to your shell file. Run the following commands in WSL after getting the certificate and navigating to the directory.

echo "export SSL_CERT_FILE=<Path to Certificate>/ZscalerRootCA.pem" >> $HOME/.bashrc

which I got from https://help.zscaler.com/zia/adding-custom-certificate-application-specific-trusted-store#curl-SSL_CERT_FILE. They have more commands for other applications.

If you use any other shell, make sure to change .bashrc to the configuration file of that shell. In my case I use fish, so I replaced $HOME/.bashrc with $HOME/.config/fish/config.fish:

echo "export SSL_CERT_FILE=<Path to Certificate>/ZscalerRootCA.pem" >> $HOME/.config/fish/config.fish

After adding the certificate, make sure to reload the shell. In my case, I ran the following, using instructions from jeffmcneil:

source ~/.config/fish/config.fish

For bash, you would want to run source ~/.bashrc or

. ~/.bashrc

from https://mcmap.net/q/20028/-how-to-reload-bashrc-settings-without-logging-out-and-back-in-again

Gothenburg answered 17/2, 2022 at 20:24 Comment(1)
This worked for me. I used it in WSL2 with Ubuntu. I got my pem file from admin. – Electrograph

Solution for Windows OS

After your Zscaler root cert is installed in the Windows trusted root store, just install pip-system-certs, the successor to python-certifi-win32, which is no longer maintained. Both packages are available from either PyPI or conda-forge, so use either pip, conda, or mamba to install pip-system-certs into every Python environment in which you use the Requests package. The pip-system-certs package patches certifi at runtime to use the Windows trusted root store. This solves the issue for the requests package without resorting to setting $REQUESTS_CA_BUNDLE and/or editing your cacert.pem files.

Solution for Ubuntu

Copy the Zscaler root certificate file (it must have a .crt ending and be in PEM format) to /usr/local/share/ca-certificates and use sudo update-ca-certificates to update your /etc/ssl/certs/ca-certificates.crt file. However, even then, pip-system-certs doesn't quite seem to work, so add export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to your .profile and restart your shell.

For more information read the following:

WARNING: I do not recommend editing any Python cacert.pem files. Note that they are all linked, so editing one edits all, and your mamba/conda solver may complain that your package cache is invalid because the file size changed due to your edits. Look in each environment's ssl/ folder, including the base env, and in the base env's pkgs/ca-certificates-<date> files. On Windows OS, cacert.pem is in Library\ssl instead of ssl/. Finally, the cacert.pem file will be overwritten if/when you install or update the Python certifi package, so editing it is really not the ideal solution. A better alternative would be to put your Zscaler root cert in a new ssl/ folder in your home directory and set $REQUESTS_CA_BUNDLE to that location. If your company is using Zscaler, then I think it's the only root cert you need.

Maimaia answered 23/1, 2023 at 7:23 Comment(0)
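An added diagnostic script, not part of any answer on this page, that ties the three answers together: it reports which CA bundle requests, the Python ssl module, pip and conda will each consult (REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE, SSL_CERT_FILE, PIP_CERT, and CONDA_SSL_VERIFY or a .condarc ssl_verify entry), flags a conda ssl_verify: false bypass, checks that an exported file is Base-64 PEM rather than binary DER, and lists the CA commonName values the stdlib actually loads from a bundle so you can confirm the Zscaler root is present. The .condarc parsing is a simplified single-line match (an assumption), not conda's YAML loader.

```python
import os
import re
import ssl

# Where each tool looks for its CA bundle when nothing is passed explicitly:
# requests reads REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, else certifi's cacert.pem;
# the stdlib ssl module (OpenSSL) reads SSL_CERT_FILE; pip maps --cert to PIP_CERT;
# conda reads CONDA_SSL_VERIFY or the ssl_verify key of .condarc.
_ENV_RULES = {
    "requests": ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"),
    "stdlib-ssl": ("SSL_CERT_FILE",),
    "pip": ("PIP_CERT",),
    "conda": ("CONDA_SSL_VERIFY",),
}
_PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\r\n]+-----END CERTIFICATE-----")


def resolve_bundles(env, condarc_text=""):
    """Map each tool to the bundle path it will use (None = the tool's built-in default)."""
    found = {tool: next((env[n] for n in names if env.get(n)), None)
             for tool, names in _ENV_RULES.items()}
    if found["conda"] is None:
        # Assumption: a plain "ssl_verify: <value>" line; a real .condarc is YAML.
        m = re.search(r"^\s*ssl_verify:\s*(.+?)\s*$", condarc_text, re.M)
        found["conda"] = m.group(1).strip("'\"") if m else None
    # conda's ssl_verify doubles as the on/off switch: "false" means no verification at all.
    if isinstance(found["conda"], str) and found["conda"].lower() in ("false", "no", "0"):
        found["conda"] = "DISABLED"
    return found


def count_pem_certs(data):
    """Number of PEM certificate blocks in a file's bytes; 0 means DER or not a certificate."""
    return len(_PEM_BLOCK.findall(data))


def ca_common_names(bundle_path):
    """Load a bundle exactly as the stdlib would and return its CAs' commonName values."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    return [value for cert in ctx.get_ca_certs() for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


if __name__ == "__main__":
    condarc = os.path.expanduser("~/.condarc")
    text = open(condarc, encoding="utf-8").read() if os.path.exists(condarc) else ""
    for tool, where in resolve_bundles(dict(os.environ), text).items():
        status = where or "tool default"
        if where and os.path.isfile(where):
            with open(where, "rb") as f:
                n = count_pem_certs(f.read())
            names = ca_common_names(where) if n else []
            status += " ({} PEM certs, Zscaler root {})".format(
                n, "present" if any("zscaler" in c.lower() for c in names) else "MISSING")
        print("{:11} {}".format(tool, status))
```

Run it inside each Anaconda environment you use; a tool reporting "tool default" is still using certifi's or OpenSSL's built-in bundle, which is exactly the case that produced the errors in the question.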
