4

After the obligatory installation of Zscaler throughout the company, my Anaconda started giving me the SSL verification error while installing modules and using requests to get URLs.

Error(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))': /simple/'some_module'/

SSLError: HTTPSConnectionPool(host='www.amazon.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

With Zscaler being turned off it all works great, but the company policy does not allow that.....

I found some bypasses like setting verify to False but it is not what I want.

I would like to install the Zscaler certificate (which was provided to me by our IT department) to Anaconda.

Now the problem seems to be that it uses conda’s generic certificates.

import ssl
print(ssl.get_default_verify_paths())

Output : DefaultVerifyPaths(cafile=None, capath=None, openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='C:\ci\openssl_1581353098519\_h_env\Library/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='C:\ci\openssl_1581353098519\_h_env\Library/certs')

Any idea what I could possibly do to point conda to the Zscaler certificate that I have?

System info: Windows 10, Anaconda3-2020.02, Python 3.7

Thanks a lot in advance

Victoria
  • Have you seen https://docs.conda.io/projects/conda/en/latest/user-guide/configuration/non-standard-certs.html ? – AMC May 09 '20 at 01:57

2 Answers

4

What you can do is:

  1. Open a browser and go to www.google.com
  2. Next to the reload page button, you will see a lock (see picture below). Click on it
  3. Click on: Certificate
  4. Click on the tab: Certification Path
  5. Select Zscaler Root CA5 and then click on the View Certificate button
  6. Click on the tab: Details and then click on the Copy to file button
  7. Export the certificate, choosing the base-64 encoded X.509 (.CER)
  8. Choose a path where to save the file
  9. Open Anaconda Prompt
  10. conda config --set ssl_verify path_of_the_file_that_you_just_saved


dito
0

Background

I had this same issue, but ran into a similar one with my work laptop, except that Zscaler blocked my curl, git, and anaconda traffic. The temporary fix was to disable SSL verification, but this introduces a number of security vulnerabilities such as man-in-the-middle attacks.

From what I could gather and my limited research, WSL2 doesn't have an automatic way of importing SSL certificates from the system. https://github.com/microsoft/WSL/issues/5134

Solution

The long term solution is to get the Zscaler certificate and add it to your shell file. Run the following commands in WSL after getting the certificate and navigating to the directory.

echo "export SSL_CERT_FILE=<Path to Certificate>/ZscalerRootCA.pem" >> $HOME/.bashrc

which I got from https://help.zscaler.com/zia/adding-custom-certificate-application-specific-trusted-store#curl-SSL_CERT_FILE They have more commands for other applications

If you use any other shells, make sure to change .bashrc to the directory of the configuration of that file. In my case I use fish, so I replaced $HOME/.bashrc with $HOME/.config/fish/config.fish

echo "export SSL_CERT_FILE=<Path to Certificate>/ZscalerRootCA.pem" >> $HOME/.config/fish/config.fish

After adding the certificate, make sure to reload the shell. In my case, I ran using instructions from jeffmcneil

source ~/.config/fish/config.fish

For bash, you would want to run source ~/.bashrc or

. ~/.bashrc

from https://stackoverflow.com/a/2518150/16150356
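
An added example, not part of either answer: instead of pointing each tool at a file that holds only the exported Zscaler root, this sketch appends that root to an existing CA bundle, skips duplicates, and checks that the result loads as trust anchors. The function names and the script name are hypothetical, and the base bundle is assumed to be a PEM file such as the one returned by `certifi.where()`.

```python
import hashlib
import re
import ssl
import sys
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def read_certs(path):
    """Return the PEM certificate blocks in a file, ignoring comments between them."""
    text = Path(path).read_bytes().decode("ascii", errors="replace")
    return PEM_RE.findall(text.replace("\r\n", "\n"))

def fingerprint(pem):
    """SHA-256 over the DER bytes, so line wrapping does not affect equality."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def merge_bundles(base_bundle, corporate_pem, out_path, check=True):
    """Write base CAs plus the corporate root(s) to out_path; return how many were added."""
    base = read_certs(base_bundle)
    extra = read_certs(corporate_pem)
    if not extra:
        # Typical cause: the export was saved as DER instead of base-64 X.509.
        raise ValueError(f"no PEM certificate found in {corporate_pem}")
    seen = {fingerprint(pem) for pem in base}
    added = []
    for pem in extra:
        fp = fingerprint(pem)
        if fp not in seen:  # skip roots already present in the bundle
            seen.add(fp)
            added.append(pem)
    merged = "\n".join(base + added) + "\n"
    if check:
        # Raises ssl.SSLError if any block is not a parseable X.509 certificate.
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cadata=merged)
    Path(out_path).write_text(merged, encoding="ascii")
    return len(added)

if __name__ == "__main__":
    # Usage: python merge_ca.py <base bundle> <corporate root .cer/.pem> <output .pem>
    base_path, corp_path, out_file = sys.argv[1:4]
    count = merge_bundles(base_path, corp_path, out_file)
    print(f"added {count} certificate(s), wrote {out_file}")
```

The output file can then be used as the path for `conda config --set ssl_verify`, for `SSL_CERT_FILE`, and for the `REQUESTS_CA_BUNDLE` environment variable that requests reads.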