CondaSSLError: Encountered an SSL error. Most likely a certificate verification issue

Maybe I am not following the docs clearly enough, or maybe this is a Conda permission issue, but upon running conda env update -f environment.yml in my bristlemouth conda environment (I’m following the ENV_SETUP.md document in the bm_protocol GitHub) I get this error message:

(bristlemouth) > $ conda env update -f environment.yml             [±develop ✓]
Collecting package metadata (repodata.json): failed

CondaSSLError: Encountered an SSL error. Most likely a certificate verification issue.

Exception: HTTPSConnectionPool(host='conda.anaconda.org', port=443): Max retries exceeded with url: /sofar_fw/osx-64/repodata.json (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)')))

I would expect that I do not have a certificate to access this repodata.json file, but why is it required for an open source repository?

Hey @jradema! Welcome! Sorry to hear you’re having trouble getting started.

This looks really similar to an issue someone posted in conda itself:

Try running this quick test in your terminal and reply here with the output:

curl -v https://conda.anaconda.org/sofar_fw/osx-64/repodata.json

It’s a public file with a valid certificate, but if you’re on a managed network, your local admins might be blocking things. Let us know whether curl can see the json file.

Hi Zach, thanks for the help. I tried curl and it is able to successfully connect (I can also view the file in my browser). I’m not sure why conda-env update is raising an SSL error. Here is the curl output:

*   Trying 104.17.92.24:443...
* Connected to conda.anaconda.org (104.17.92.24) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=anaconda.org
*  start date: Aug  4 00:57:35 2023 GMT
*  expire date: Aug 18 00:57:35 2023 GMT
*  subjectAltName: host "conda.anaconda.org" matched cert's "*.anaconda.org"
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscalergov.net) (t)
*  SSL certificate verify ok.
* using HTTP/1.x
> GET /sofar_fw/osx-64/repodata.json HTTP/1.1
> Host: conda.anaconda.org
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 04 Aug 2023 17:47:45 GMT
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< CF-Ray: 7f18a09b0ac12022-IAD
< CF-Cache-Status: DYNAMIC
< Cache-Control: must-revalidate
< Last-Modified: Wed, 07 Jun 2023 20:20:53 GMT
< Strict-Transport-Security: max-age=31536000
< Conda-File-Cache: hit
< Set-Cookie: __cf_bm=nN4muJMCaj_vxxL8vn098dXKBi4suohAEXksVZUVta4-1691171265-0-AY52EIJpkTNMsRuWimZTPgOMyyuY97zRGA1FsNoUrK9/0gSAFYIx7VFBfnr3UCigRVjPfRTDIK8BZ/r/ck1DzPG/iiQIQgfetMMHubk2zdds; path=/; expires=Fri, 04-Aug-23 18:17:45 GMT; domain=.anaconda.org; HttpOnly; Secure; SameSite=None
< Server: cloudflare
<
* Connection #0 to host conda.anaconda.org left intac

Do you see the json after the “Connection #0 to host conda.anaconda.org left intact”?

The differences I see from my own curl invocation are:

  • I see “ALPN: server accepted h2” but you see “ALPN: server did not agree on a protocol. Uses default.”, which then goes with HTTP 1.1 instead of HTTP 2. Shouldn’t matter, but it’s a signal something’s different.
  • I see the certificate issuer as Cloudflare, but you see Zscaler (a cybersecurity company). That’s another sign of some system in the middle that could be blocking conda.

If it’s an option for you, my best advice is to run the conda env update from another network, either by moving your computer (if it’s a laptop) to home or elsewhere, or else through a VPN or other proxy.

If those aren’t options, you may have to talk to local IT folks.
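
The issuer comparison made in the reply above, as an added example that is not part of the original thread: it parses curl -v output (here a constructed excerpt of the log posted earlier) and flags a server certificate re-signed by something other than the expected CA. The expected-issuer keyword "cloudflare" is an assumption taken from the reply, and the function names are hypothetical.

```python
# Constructed sample: the trust-relevant lines from the curl -v output posted above.
SAMPLE = """\
*  CAfile: /etc/ssl/cert.pem
* ALPN: server did not agree on a protocol. Uses default.
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=anaconda.org
*  subjectAltName: host "conda.anaconda.org" matched cert's "*.anaconda.org"
*  issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscalergov.net) (t)
*  SSL certificate verify ok.
"""

def parse_dn(dn):
    """Split curl's 'K=V; K=V' distinguished name into a dict (first value per key wins)."""
    fields = {}
    for part in dn.split("; "):
        key, sep, value = part.partition("=")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields

def summarize(curl_verbose):
    """Pull the CA file, subject, issuer and verify result out of curl -v text."""
    info = {"cafile": None, "subject": {}, "issuer": {}, "verified": False}
    for raw in curl_verbose.splitlines():
        line = raw.lstrip("* ").strip()
        if line.startswith("CAfile:"):
            info["cafile"] = line.split(":", 1)[1].strip()
        elif line.startswith("subject:"):  # does not match "subjectAltName:"
            info["subject"] = parse_dn(line.split(":", 1)[1].strip())
        elif line.startswith("issuer:"):
            info["issuer"] = parse_dn(line.split(":", 1)[1].strip())
        elif line.startswith("SSL certificate verify ok"):
            info["verified"] = True
    return info

def diagnose(info, expected_issuer_keywords=("cloudflare",)):
    """Return (intercepted, findings). The keywords are an assumption about the real CA."""
    org = info["issuer"].get("O", "")
    intercepted = bool(org) and not any(k in org.lower() for k in expected_issuer_keywords)
    findings = []
    if intercepted:
        findings.append(f"issuer O={org!r} is not an expected CA: TLS is re-signed in the path")
        if info["verified"]:
            findings.append(f"curl accepts that issuer (reported CAfile {info['cafile']}); "
                            "a client using another CA bundle fails unless it holds that root")
    return intercepted, findings

if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE))[1]:
        print(finding)
```

When the flagged root is one your organisation deploys on purpose, the fix is to give conda a CA bundle that contains it (conda config --set ssl_verify <path-to-bundle>), with the bundle obtained from the IT team rather than exported from the connection itself.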

Sorry, I forgot to attach the JSON, but yes, I do receive that after that line. And yes, I do log on to my company’s network through Zscaler, so that might have something to do with it. I can reach out to them for some help.

Hi there, y’all! Just doing a little custodian duty and moved this over to Dev Kit Support! I hope you don’t mind.

Thx Z