SSL/TLS Inspection breaks python pip

With SSL/TLS inspection being utilized, I'm unable to install any Python packages using pip. Here is the Python error:

Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))) - skipping

Usually I can just add the domain to the Local TLS Exclusion List but when I add pypi.org, I still get the error. It's not until I completely bypass or disable the SSL/TLS inspection rule that it works.

Parents Reply
  • I found that if I wanted to exclude pip traffic, instead of providing the CA at the command line, there are more URLs/domains that need to be excluded. It looks like pypi.org is just the initial database queries, but actual file downloads are hosted on other domains.

    files.pythonhosted.org is one. I don't know if this is the same for all packages, or whether it varies from one package to another.

    I found this out by looking in the SSL/TLS log for other connections from the same client IP immediately following the initial connection to pypi.org.
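The log check described in the reply above, as an added example that is not part of the original thread: it lists the hostnames each client contacted shortly after its connection to pypi.org, which are the candidates for the exclusion list. The `timestamp,client_ip,hostname` log format, the sample lines, the function name and the 30-second window are all assumptions made for illustration; a real SSL/TLS inspection log needs its own field mapping.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp,client_ip,hostname"
# format, sorted by time. Not taken from any real firewall log.
SAMPLE_LOG = """\
2024-05-01T10:00:00,10.0.0.5,pypi.org
2024-05-01T10:00:01,10.0.0.5,files.pythonhosted.org
2024-05-01T10:00:02,10.0.0.9,example.com
2024-05-01T10:00:03,10.0.0.5,files.pythonhosted.org
2024-05-01T10:05:00,10.0.0.5,example.org
2024-05-01T10:06:00,10.0.0.9,pypi.org
2024-05-01T10:06:40,10.0.0.9,example.net
"""


def follow_on_hosts(log_text, trigger="pypi.org", window_seconds=30):
    """Return {client_ip: [hosts]} seen within the window after a trigger hit."""
    window = timedelta(seconds=window_seconds)
    last_trigger = {}  # client_ip -> time of its most recent trigger connection
    found = {}         # client_ip -> ordered, de-duplicated follow-on hosts
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        ts_raw, client, host = (field.strip() for field in row)
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        host = host.lower().rstrip(".")
        if host == trigger:
            last_trigger[client] = ts
            continue
        start = last_trigger.get(client)
        # Only count connections from the same client inside the window.
        if start is not None and timedelta(0) <= ts - start <= window:
            hosts = found.setdefault(client, [])
            if host not in hosts:
                hosts.append(host)
    return found


if __name__ == "__main__":
    for client, hosts in follow_on_hosts(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hosts))
```

Hosts that show up for several clients after a pypi.org connection are the ones worth reviewing for exclusion; a host seen once may be unrelated traffic that happened to fall in the window.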
