ContinuumIO / anaconda-issues

Anaconda issue tracking

Conda SSL errors with self-signed certs #10340

Open erip opened 5 years ago

erip commented 5 years ago

I am using Anaconda behind a firewall. My setup was fine until I recently patched my Mac (Security update 2018-002). After patching, I encountered SSL errors. I had set ssl_verify to the path of my corporate root cert, but was experiencing SSL errors. As a sanity check, I decided to disable ssl verification; to my surprise, I still ran into SSL errors:

~ ⌚ 8:54:57
$ conda config --show | grep ssl_verify
ssl_verify: False

~ ⌚ 8:55:02
$ conda update requests
Solving environment: failed

CondaHTTPError: HTTP 000 CONNECTION FAILED for url <https://repo.anaconda.com/pkgs/pro/noarch/repodata.json.bz2>
Elapsed: -

An HTTP error occurred when trying to retrieve this URL.
HTTP errors are often intermittent, and a simple retry will get you on your way.

If your current network has https://www.anaconda.com blocked, please file
a support request with your network engineering team.

SSLError(MaxRetryError('HTTPSConnectionPool(host=\'repo.anaconda.com\', port=443): Max retries exceeded with url: /pkgs/pro/noarch/repodata.json.bz2 (Caused by SSLError(SSLError("bad handshake: Error([(\'SSL routines\', \'ssl3_get_server_certificate\', \'certificate verify failed\')])")))'))

I have tried completely reinstalling anaconda, I have removed my system python3 installation, I've added and removed my proxy settings from my ~/.condarc and I always encounter the same SSL errors. I've even appended our root cert to the certifi bundle. As a brute force measure, I appended our root cert to every file in ~/anaconda3 which matches cacert* and *.pem.

Interestingly, after appending the root cert to the certifi bundle, I see this:

$ ~/anaconda3/bin/python3
Python 3.7.0 (default, Jun 28 2018, 07:39:16)
[Clang 4.0.1 (tags/RELEASE_401/final)] :: Anaconda, Inc. on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://www.google.com")
<Response [200]>
>>> import urllib3
>>> http = urllib3.PoolManager()
>>> # the following request will hang and error with max retries
>>> r = http.request('GET', "https://www.google.com")

I'm using conda 4.5.11 with OS X 10.13.6.

emmet02 commented 5 years ago

I was posting a lengthy reply about how I am facing the exact same issue on Windows, but in trying "everything" I have discovered a workaround for me that might be of assistance?

We previously set an environment variable REQUESTS_CA_BUNDLE pointing to our certificate to allow for ssl verification.

However, recently that has been failing (giving same errors as you get), and same as your case, even when we set ssl_verify to false in the .condarc file.

However, I've just renamed / deleted the REQUESTS_CA_BUNDLE (potentially SSL_CERT_DIR / SSL_CERT_FILE) environment variable from my setup, and am now able to get responses through conda (with ssl_verify false only).

I know this doesn't solve the ssl verification issue, but potentially gives you a workaround?

erip commented 5 years ago

@emmet02 I've confirmed this works. After unsetting $REQUESTS_CA_BUNDLE and disabling SSL verification, I can create a conda env over HTTP.

suissemaxx commented 5 years ago

I faced a similar problem on Mac OS X with Miniconda. After trying many things for hours I found that I needed to correctly set Conda's environment to use the root certificate that my company provided rather than the generic ones that Conda provides.

Here is how I solved it:

  1. Open Chrome, go to any website, click on the lock icon on the left of the URL. Click on «Certificate» in the dropdown. In the next window you see a stack of certificates. The uppermost (aka top line in window) is the root certificate (e.g. Zscaler Root CA in my case, yours will very likely be a different one).
  2. Open Mac OS keychain, click on «Certificates» and choose among the many certificates the root certificate that you just identified. Export this to any folder of your choosing.
  3. Convert this certificate with openssl: openssl x509 -inform der -in /path/to/your/certificate.cer -out /path/to/converted/certificate.pem
  4. For a quick check set your shell to acknowledge the certificate: export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem
  5. To set this permanently open your shell profile (.bashrc or e.g. .zshrc) and add this line: export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem. Now exit your terminal/shell and reopen. Check again.

You should be set and Conda should work fine.
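The procedure above, and emmet02's observation that a stale REQUESTS_CA_BUNDLE wins over ssl_verify, can be automated with a short script. This is an added example, not code from conda or from anyone in the thread. It assumes the exported root is in a file named corporate-root.cer (DER as written by Keychain, or PEM; both are accepted, so the openssl conversion step is done in-process with the standard library) and writes combined-cacert.pem. Two checks are added that the manual steps skip: the file must actually be a CA certificate (a leaf or intermediate exported by mistake would not fix the handshake error shown above), and the public roots are kept in the bundle, because pointing REQUESTS_CA_BUNDLE at a file that contains only the corporate root leaves nothing else trusted.

```python
"""Build a CA bundle that trusts the public roots AND a corporate
TLS-inspection root, then report env vars that would override it.
Added example for this thread; file names below are assumptions."""
import os
import pathlib
import ssl

PEM_MARKER = "-----BEGIN CERTIFICATE-----"

# Env vars read by requests / curl / OpenSSL independently of .condarc.
# The thread shows a stale REQUESTS_CA_BUNDLE taking effect even with
# ssl_verify: False in .condarc, so they are worth listing explicitly.
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE",
               "SSL_CERT_FILE", "SSL_CERT_DIR")


def to_pem(data: bytes) -> str:
    """Return PEM text for a certificate given as DER or PEM bytes.
    Keychain's Export writes DER (.cer); this is the same conversion as
    `openssl x509 -inform der` in step 3 of the procedure."""
    text = data.decode("ascii", errors="ignore")
    if PEM_MARKER in text:
        return text.strip() + "\n"
    return ssl.DER_cert_to_PEM_cert(data)


def ca_common_names(pem: str) -> list:
    """Load PEM into an empty trust store and return the commonName of every
    certificate OpenSSL accepts as a CA.  Raises ssl.SSLError on data that
    is not a certificate; returns [] for a leaf/non-CA certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # no default roots loaded
    ctx.load_verify_locations(cadata=pem)
    names = []
    for cert in ctx.get_ca_certs():                 # only CA-flagged certs
        rdns = dict(pair for rdn in cert["subject"] for pair in rdn)
        names.append(rdns.get("commonName", "?"))
    return names


def default_bundle() -> str:
    """Public roots to append the corporate root to: certifi's bundle if it is
    installed (what requests ships), otherwise the OpenSSL default file."""
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile or ""


def build_bundle(corporate_cert: str, out_path: str, base_bundle=None) -> list:
    """Write base bundle + corporate root to out_path; return CA names added."""
    pem = to_pem(pathlib.Path(corporate_cert).read_bytes())
    names = ca_common_names(pem)
    if not names:
        raise ValueError(f"{corporate_cert} is not a CA certificate; "
                         "export the top of the chain, not the site cert")
    base = base_bundle if base_bundle is not None else default_bundle()
    base_text = pathlib.Path(base).read_text() if base and os.path.exists(base) else ""
    pathlib.Path(out_path).write_text(base_text.rstrip("\n") + "\n" + pem)
    return names


def conflicting_env(expected: str) -> dict:
    """CA-related env vars that point somewhere other than `expected`.
    Any of these silently takes precedence over the bundle you just built."""
    found = {}
    for var in CA_ENV_VARS:
        value = os.environ.get(var)
        if value and os.path.realpath(value) != os.path.realpath(expected):
            found[var] = value
    return found


if __name__ == "__main__":
    import sys
    cert, out = (sys.argv[1:3] if len(sys.argv) >= 3
                 else ("corporate-root.cer", "combined-cacert.pem"))  # assumed names
    print("CA(s) appended:", build_bundle(cert, out))
    for var, val in conflicting_env(out).items():
        print(f"warning: {var}={val} overrides the new bundle; unset it or point it at {out}")
    print(f"then: conda config --set ssl_verify {os.path.abspath(out)}")
    print(f"or:   export REQUESTS_CA_BUNDLE={os.path.abspath(out)}")
```

Run it once, then either set ssl_verify in .condarc to the combined bundle or export REQUESTS_CA_BUNDLE to it, but not both pointing at different files. Treat ssl_verify: False only as a diagnostic: it turns off certificate verification for every package download, which is exactly what an interception proxy or an on-path attacker needs.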