Using non-standard certificates

Using conda behind a firewall may require using a non-standard set of certificates, which requires custom settings.

If you are using a non-standard set of certificates, then the requests package requires the setting of REQUESTS_CA_BUNDLE. If you receive an error about self-signed certificates, you may consider unsetting REQUESTS_CA_BUNDLE as well as CURL_CA_BUNDLE and disabling SSL verification to create a conda environment over HTTP.

You may need to set the conda environment to use the root certificate provided by your company rather than conda’s generic ones.

One workflow to resolve this on macOS is:

  • Open Chrome, go to any website, and click on the lock icon on the left of the URL. Click on «Certificate» in the dropdown. In the next window you see a stack of certificates. The uppermost (aka top line in window) is the root certificate (e.g. Zscaler Root CA).

  • Open macOS keychain, click on «Certificates» and choose among the many certificates the root certificate that you just identified. Export this to any folder of your choosing.

  • Convert this certificate with OpenSSL: openssl x509 -inform der -in /path/to/your/certificate.cer -out /path/to/converted/certificate.pem

  • For a quick check, set your shell to acknowledge the certificate: export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem

  • To set this permanently, open your shell profile (e.g. .bashrc or .zshrc) and add the line below, then exit your terminal/shell, reopen it and check again: export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem
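
The conversion and export steps above, wrapped as shell functions that also sanity-check the certificate before it becomes a trust anchor. This is an added example, not part of the conda documentation; the function names are hypothetical and the paths are placeholders. It accepts an export that is already PEM, rejects a file that is not a self-issued (root) certificate or has expired, and prints the SHA-256 fingerprint so it can be compared with the one shown for the root in the browser's certificate viewer.

```shell
# Added example: function names are hypothetical, paths are placeholders.

# cert_to_pem IN OUT: write IN to OUT as PEM, whether IN is DER (.cer) or already PEM.
cert_to_pem() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    openssl x509 -inform pem -in "$1" -out "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# check_root_pem PEM: succeed only if PEM parses, is self-issued and has not expired.
check_root_pem() {
  crp_subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
  crp_issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 1
  if [ "${crp_subject#subject=}" != "${crp_issuer#issuer=}" ]; then
    echo "not a root certificate: issuer differs from subject" >&2
    return 2
  fi
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo "certificate has expired" >&2
    return 3
  fi
}

# cert_fingerprint PEM: print the SHA-256 fingerprint (colon-separated hex).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# use_ca_bundle IN OUT: convert, check, then export REQUESTS_CA_BUNDLE for this shell.
# Nothing is exported if conversion or any check fails.
use_ca_bundle() {
  cert_to_pem "$1" "$2" && check_root_pem "$2" || return $?
  export REQUESTS_CA_BUNDLE="$2"
  echo "REQUESTS_CA_BUNDLE=$2"
  echo "SHA-256 fingerprint: $(cert_fingerprint "$2")"
}

# Typical call, with the placeholder paths used on this page:
#   use_ca_bundle /path/to/your/certificate.cer /path/to/converted/certificate.pem
```
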