SSL/TLS Inspection breaks python pip

With SSL/TLS inspection being utilized, I'm unable to install any Python packages using pip. Here is the Python error:

Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))) - skipping

Usually I can just add the domain to the Local TLS Exclusion List but when I add pypi.org, I still get the error. It's not until I completely bypass or disable the SSL/TLS inspection rule that it works.

  • The issue with Python pip is that Python does not use the operating system's store of trusted CAs but has its own set.

    For pip, there is a command-line option --cert <CA file> that allows you to specify a different CA. You should be able to use this option to point pip to the CA file for the appliance.

    Of course, the other option is to exclude the pip servers (domain pypi.org) from decryption by adding the domain to the Local Exclusions URL group.
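
An added example, not part of the reply above and not vendor code: pip's --cert option overrides pip's default CA bundle, so pointing it at a file that holds only the appliance CA makes connections to hosts the appliance does not decrypt fail verification. This sketch merges the appliance CA into a copy of the bundle pip already trusts and rejects a non-PEM export. The function names and all file paths are assumptions.

```python
import hashlib
import re
import ssl
import sys
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def pem_blocks(text):
    """Return (sha256 of DER, normalized PEM) for every certificate block in text."""
    certs = []
    for block in PEM_BLOCK.findall(text):
        der = ssl.PEM_cert_to_DER_cert(block)  # incorrectly padded base64 raises ValueError
        certs.append((hashlib.sha256(der).hexdigest(), ssl.DER_cert_to_PEM_cert(der)))
    return certs


def build_pip_bundle(base_bundle, appliance_ca, out_path):
    """Write base roots plus the appliance CA to out_path; return how many were added."""
    base = pem_blocks(Path(base_bundle).read_text(encoding="utf-8"))
    extra = pem_blocks(Path(appliance_ca).read_text(encoding="utf-8", errors="replace"))
    if not extra:
        # A binary DER/.cer export has no PEM framing, so pip cannot use it as a bundle.
        raise ValueError(f"{appliance_ca}: no PEM certificate found")
    merged = {}
    for fingerprint, pem in base + extra:
        merged.setdefault(fingerprint, pem)  # drop duplicates, keep original order
    Path(out_path).write_text("".join(merged.values()), encoding="ascii")
    return len(merged) - len({fp for fp, _ in base})


if __name__ == "__main__" and len(sys.argv) == 4:
    # Hypothetical usage: merge.py <current bundle> <appliance CA> <output bundle>
    added = build_pip_bundle(*sys.argv[1:])
    print(f"added {added} certificate(s); run: pip install --cert {sys.argv[3]} <package>")
```

Only the PEM framing and base64 are checked here, not the certificate contents; confirm the appliance CA's fingerprint against the value shown in the appliance's admin interface before trusting the merged file.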
