ZIA Tunnel 2.0 troubleshooting
This part deals with the Internet Access Tunnel 2.0. Even if it is a better solution than the previous versions (better capabilities, improved security, etc.), the biggest pain point today is managing SSL Inspection.
SSL Inspection - Information
First, consider the following Zscaler doc: Adding certificate to application specific trust store
Non-exhaustive list provided by Zscaler.
SSL Inspection - Adding Zscaler Certificate
Zscaler Tunnel 2.0 intercepts (breaks) the SSL connection, so each tool sees a certificate chain issued by the Zscaler root CA and you must add the Zscaler certificate to that tool's trust store. Let's detail some cases.
NPM
Example of the error:
NPM:
% npm install
npm ERR! code UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! errno UNABLE_TO_GET_ISSUER_CERT_LOCALLY
npm ERR! request to https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz failed, reason: unable to get local issuer certificate
Your issue is not related to NPM? Zscaler provides full documentation for most developer tools:
More details on: Adding certificate to application specific trust store
How to fix it?
First download the archive containing the Zscaler certificates: Zscaler2.0 Certificate
Then, on macOS:
# unarchive the zip
unzip ZscalerRootCerts-Tunnel2.0.zip
# create a dedicated certificate directory in your HOME
mkdir ~/ZscalerRootCerts
# copy the certificate to your directory
cp ZscalerRootCerts/ZscalerRootCertificate-2048-SHA256.crt ~/ZscalerRootCerts
# update your npm configuration (use an absolute path; $HOME expands to your home directory)
npm config set cafile $HOME/ZscalerRootCerts/ZscalerRootCertificate-2048-SHA256.crt
On Windows:
- You first have to make NPM point to the appropriate repository where the ZscalerRootCerts is located. In my example I stored the certificate under the C:/Temp/... repository. The second command you see prompts you with the location you set up.
I'm using a Windows distribution for this test. In several cases some repos are not seen as appropriate. Prefer a repo located on your Local Disk C:
- Now just test it, and verify that the packages are properly downloaded.
PIP
Example of the error output:
pip install yasha -U
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'))': /simple/yasha/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'))': /simple/yasha/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'))': /simple/yasha/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'))': /simple/yasha/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'))': /simple/yasha/
Could not fetch URL https://pypi.org/simple/yasha/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/yasha/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)'))) - skipping
Just as mentioned above, you can fix the error this way:
Make sure you download the Zscaler2.0 Certificate and unzip the archive.
- Disable Zscaler Internet Security to run the following commands, then re-enable it after Step 4.
- Install the certifi package using the following command:
pip install certifi (or, if it is already installed: pip install --upgrade certifi)
- Check the location of certifi's certificate bundle: python -m certifi
- Append the Zscaler certificate to that cacert.pem using the following command:
cat ZscalerRootCertificate-2048-SHA256.crt >> $(python -m certifi)
You can also point pip's global certificate setting at the same bundle using the following command:
pip config set global.cert $(python -m certifi)
- Re-enable Zscaler Internet Security. Pip should now be able to pull/install its packages.
pip install yasha -U
Requirement already satisfied: yasha in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (5.0)
Requirement already satisfied: Click in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from yasha) (8.1.3)
Requirement already satisfied: Jinja2>=2.11 in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from yasha) (3.1.2)
Requirement already satisfied: pytoml in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from yasha) (0.1.21)
Requirement already satisfied: pyyaml in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from yasha) (6.0)
Requirement already satisfied: xmltodict in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from yasha) (0.13.0)
Requirement already satisfied: MarkupSafe>=2.0 in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from Jinja2>=2.11->yasha) (2.1.1)
Requirement already satisfied: importlib-metadata in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from Click->yasha) (4.12.0)
Requirement already satisfied: zipp>=0.5 in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from importlib-metadata->Click->yasha) (3.8.1)
Requirement already satisfied: typing-extensions>=3.6.4 in /Users/richardbonnette/.pyenv/versions/3.7.12/lib/python3.7/site-packages (from importlib-metadata->Click->yasha) (4.3.0)
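An added example, not from this page or from Zscaler: a Python version of the "append to cacert.pem" step that can be re-run safely. It only needs the certifi package for merge_into_certifi; the sample PEM blocks are constructed placeholders, not real certificates.

```python
"""Idempotent merge of the Zscaler root cert into certifi's cacert.pem (stdlib only)."""
import base64
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text: str) -> Dict[str, str]:
    """Map SHA-256(DER) hex fingerprint -> normalised PEM block, for each cert in text."""
    certs = {}
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))  # undo line wrapping
        certs[hashlib.sha256(der).hexdigest()] = (
            "-----BEGIN CERTIFICATE-----\n" + m.group(1).strip()
            + "\n-----END CERTIFICATE-----\n")
    return certs

def merge_bundle(bundle: str, extra: str) -> Tuple[str, List[str]]:
    """Return (new bundle text, fingerprints added). Unlike `cat crt >> cacert.pem`
    this skips certs already present (safe to re-run after a certifi upgrade) and
    guarantees a newline before the appended block so PEM markers never collide."""
    present = pem_fingerprints(bundle)
    merged = bundle if (not bundle or bundle.endswith("\n")) else bundle + "\n"
    added = []
    for fp, block in pem_fingerprints(extra).items():
        if fp not in present:
            merged += block
            added.append(fp)
    return merged, added

def merge_into_certifi(crt_path: str) -> List[str]:
    """Apply merge_bundle to the live certifi bundle; requires the certifi package."""
    import certifi  # lazy import so the pure functions above run without it
    bundle = Path(certifi.where())
    merged, added = merge_bundle(bundle.read_text(), Path(crt_path).read_text())
    if added:
        bundle.write_text(merged)
    return added

# Constructed sample data (NOT real certificates: the "DER" payloads are arbitrary
# bytes, which is enough to exercise the parsing and idempotency logic offline).
def _fake_pem(payload: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")

EXISTING_BUNDLE = _fake_pem(b"public-root-ca-1") + _fake_pem(b"public-root-ca-2")
ZSCALER_CRT = _fake_pem(b"zscaler-root-placeholder")
```

Re-run it after every certifi upgrade, because reinstalling the package replaces cacert.pem and drops the appended Zscaler root.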