Conda SSL Error

Question:

I’m wondering if someone has encountered this issue before. I’m trying to install a python library for a work project. I was able to install the library with pip, but I actually need it in the Conda Environment, as this is the environment I use for my jupyter notebook projects.

Unfortunately, I’m getting the following error upon conda install:

"CondaSSLError: Encountered an SSL error. Most likely a certificate verification issue.
Exception: HTTPSConnectionPool(host=’repo.anaconda.com’, port=443): Max retries exceeded with url: /pkgs/main/win-64/current_repodata.json (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain . . . "

My assumption is that our firewall is prohibiting the installation. I don’t want to turn off SSL verification due to security concerns. Would the solution be to have our network team whitelist the URL? I really don’t want to change the environment in Jupyter Notebook.

Anyone experienced this before?

Asked By: Possdawgers


Answers:

This is not a conda problem but a common Python SSL certificate error, which also occurs in other modules such as Python requests.
Most likely your firewall works as a man in the middle: it intercepts the request and later re-signs it with its own certificate.
Python doesn’t use the system certificate store, but uses certifi instead, which has its own set of certificates (which obviously doesn’t include your company certificate).
For macOS, run the following (but it is best to run this in a virtual env and not pollute the main certifi file):

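import os
import subprocess
from pathlib import Path
import certifi

def add_keychain_certs_to_certifi(key_chain_type):
    # CA bundle file that certifi hands to requests/conda
    ca_bundle_path = Path(certifi.where())
    # Export every certificate in the chosen keychain as PEM text
    cmd_args = ('security', 'find-certificate', '-a', '-p', KEYCHAIN_TYPES[key_chain_type])
    system_certs = subprocess.run(cmd_args, check=True, capture_output=True).stdout.decode()
    ca_bundle_data = ca_bundle_path.read_text(encoding='utf-8')
    if system_certs in ca_bundle_data:
        return
    ca_bundle_path.write_text(f'{ca_bundle_data}{os.linesep}{system_certs}', encoding='utf-8')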

key_chain_type can be anything from:

KEYCHAIN_TYPES = {
    'root': '/System/Library/Keychains/SystemRootCertificates.keychain',
    'system': '/Library/Keychains/System.keychain',
    'user': f'{str(Path.home())}/Library/Keychains/login.keychain-db'
}

For Windows (not tested):

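import ssl
from pathlib import Path
import certifi
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import Encoding

def add_windows_store_certs_to_certifi(store_name):
    pem_certs = []
    # Enumerate certificates from the specified Windows certificate store
    for cert, encoding, trust in ssl.enum_certificates(store_name):
        # CA certs are never PKCS#7 encoded
        if encoding == "x509_asn":
            # If the certificate is trusted, convert it to PEM format
            if trust is True:
                x509_cert = x509.load_der_x509_certificate(cert, default_backend())
                pem_cert = x509_cert.public_bytes(encoding=Encoding.PEM)
                pem_certs.append(pem_cert.decode())
    ca_bundle_path = Path(certifi.where())
    ca_bundle_data = ca_bundle_path.read_text(encoding='utf-8')
    for cert in pem_certs:
        # Add the certs as we do in the macOS example, skipping ones already present
        if cert not in ca_bundle_data:
            ca_bundle_data = f'{ca_bundle_data}\n{cert}'
    ca_bundle_path.write_text(ca_bundle_data, encoding='utf-8')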

store_name can be ‘ROOT’/‘MY’/‘CA’

Answered By: Matan Benita
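
An added example, not part of the answer above: it writes the exported certificates into a separate bundle file and leaves the certifi file untouched. Certificates are compared by the SHA-256 of their DER bytes, so re-running it, or feeding it CRLF or differently wrapped PEM, never appends a duplicate. The function names are hypothetical; pointing conda at the result with its `ssl_verify` setting is assumed as the way to use it.

```python
import base64
import hashlib
import re
import ssl
from pathlib import Path

# Matches one PEM certificate block, tolerating CRLF and any line wrapping
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Decode every certificate block found in pem_text to its DER bytes."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]


def merge_ca_bundles(base_pem, extra_pem):
    """Return (merged_pem, added_count).

    Certificates from extra_pem whose DER fingerprint is not already in
    base_pem are appended; the text of base_pem itself is kept as it is.
    """
    seen = {hashlib.sha256(der).digest() for der in pem_to_der_list(base_pem)}
    new_blocks = []
    for der in pem_to_der_list(extra_pem):
        fingerprint = hashlib.sha256(der).digest()
        if fingerprint not in seen:
            seen.add(fingerprint)
            # Re-encode so the appended block has canonical 64-column wrapping
            new_blocks.append(ssl.DER_cert_to_PEM_cert(der))
    if not new_blocks:
        return base_pem, 0
    return base_pem.rstrip("\n") + "\n" + "".join(new_blocks), len(new_blocks)


def write_merged_bundle(base_path, extra_pem, out_path):
    """Write base bundle plus new certificates to out_path.

    base_path (for example the path returned by certifi.where()) is only read.
    """
    base_pem = Path(base_path).read_text(encoding="utf-8")
    merged, added = merge_ca_bundles(base_pem, extra_pem)
    # Write bytes so Windows does not turn "\n" into "\r\n"
    Path(out_path).write_bytes(merged.encode("utf-8"))
    return added
```

The resulting file can then be given to conda with `conda config --set ssl_verify <path to merged bundle>`, which keeps certificate verification on.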