Using non-standard certificates

Using conda behind a firewall may require using a non-standard set of certificates, which requires custom settings.

If you are using a non-standard set of certificates, then the requests package requires the setting of REQUESTS_CA_BUNDLE. If you receive an error with self-signed certifications, you may consider unsetting REQUESTS_CA_BUNDLE as well as CURL_CA_BUNDLE and disabling SSL verification to create a conda environment over HTTP.

You may need to set the conda environment to use the root certificate provided by your company rather than conda’s generic ones.

One workflow to resolve this on macOS is:

  • Open Chrome, got to any website, click on the lock icon on the left of the URL. Click on «Certificate» on the dropdown. In the next window you see a stack of certificates. The uppermost (aka top line in window) is the root certificate (e.g. Zscaler Root CA).

  • Open macOS keychain, click on «Certificates» and choose among the many certificates the root certificate that you just identified. Export this to any folder of your choosing.

  • Convert this certificate with OpenSSL: openssl x509 -inform der -in /path/to/your/certificate.cer -out /path/to/converted/certificate.pem

  • For a quick check, set your shell to acknowledge the certificate: export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem

  • To set this permanently, open your shell profile (.bshrs or e.g. .zshrc) and add this line: export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem. Now exit your terminal/shell and reopen. Check again.