If you’re developing behind a corporate firewall that uses Zscaler, Blue Coat, Palo Alto Decryption, or any other SSL-inspecting proxy, you’ve likely run into this Python error:
Could not fetch URL https://pypi.org/simple/pip/:
There was a problem confirming the SSL certificate:
[SSL: CERTIFICATE_VERIFY_FAILED]
This happens because these security tools intercept encrypted HTTPS traffic, decrypt it for inspection, then re-sign it using the company’s internal root certificate. Python’s pip does not automatically trust this rewritten certificate, so SSL verification fails.
This guide walks through a reliable fix on macOS using ~/.pip/pip.conf, and explains the security implications of using trusted-host when certificates can’t be validated.
Why pip Fails Behind Zscaler and Similar Tools
Corporate SSL-inspection solutions insert themselves into the HTTPS chain:
- You make a secure request (pip → pypi.org).
- Zscaler intercepts the request, decrypts it, inspects it.
- Zscaler re-signs the response with a corporate root CA.
- Python doesn’t recognize this CA, so it refuses the connection.
Browsers trust the corporate root certificate automatically. Python doesn’t — which is why pip breaks.
Step 1: Export Your Corporate Root Certificate
You need the root certificate that Zscaler (or your organization) uses to re-sign SSL traffic.
macOS steps:
- Open Keychain Access
- Select System Roots
- Search for something like:
  - Zscaler Root CA
  - Forward_Trust_Cert
  - Your company’s custom root certificate
- Right-click → Export
- Save as a .pem file, e.g.: ~/certs/corp-root-ca.pem
This file becomes the certificate bundle pip will trust.
Step 2: Create or Edit ~/.pip/pip.conf
Pip supports user-level configuration:
~/.pip/pip.conf
Create the directory if needed:
mkdir -p ~/.pip
Open the file:
nano ~/.pip/pip.conf
Add the following:
[global]
cert = /Users/<your-username>/certs/corp-root-ca.pem
trusted-host = pypi.org
    files.pythonhosted.org
    pypi.python.org
What this does
- cert tells pip which root CA to use when verifying SSL.
- trusted-host tells pip to skip strict certificate verification for these domains.
This combination solves the vast majority of certificate-related issues behind Zscaler and similar systems.
Step 3: Test the Fix
Try updating pip and installing a package:
python3 -m pip install --upgrade pip
python3 -m pip install requests
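If your certificate is valid, pip should work without errors. Because trusted-host is also set, a successful install here does not by itself show that the cert file is correct; to confirm that, remove the trusted-host lines and run the commands again.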
Step 4: Verify pip Is Using Your Settings
Run:
python3 -m pip config list
You should see:
global.cert='/Users/<your-username>/certs/corp-root-ca.pem'
global.trusted-host=['pypi.org', 'files.pythonhosted.org', 'pypi.python.org']
This confirms pip is reading your configuration.
Optional: Export Environment Variables for Other Tools
Some Python libraries (e.g., requests, urllib3) also need access to your corporate certificate.
Add this to your ~/.zshrc:
export REQUESTS_CA_BUNDLE=~/certs/corp-root-ca.pem
export SSL_CERT_FILE=$REQUESTS_CA_BUNDLE
Reload:
source ~/.zshrc
Security Considerations: Read This Before You Trust Everything
While this method works, it carries real security implications:
1. Adding trusted-host disables certificate verification
This makes pip trust any certificate for those hosts — even a spoofed one.
2. MITM risk increases if you’re not on the corporate network
Because pip skips validation for trusted hosts, a network attacker could impersonate PyPI more easily.
3. The safest configuration uses only the corporate cert entry
If the certificate is valid, you should remove the trusted-host entries.
4. Only take this approach on managed devices
Using trusted-host on personal devices or untrusted networks is dangerous.
Conclusion on risk
This fix is appropriate when you’re behind a secure corporate SSL-inspection proxy, and when IT controls the network perimeter. It is not intended for general use.
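To check an existing pip.conf against the points above, the following added example (not part of the original guide) reads the file as INI, lists the hosts for which verification is skipped, and produces the cert-only variant described in point 3. The sample config, the username alice, and the helper names audit_pip_conf and cert_only are constructed for illustration.

```python
import configparser
import io
import os

# Constructed sample: the pip.conf from Step 2 with a placeholder username.
SAMPLE_PIP_CONF = """\
[global]
cert = /Users/alice/certs/corp-root-ca.pem
trusted-host = pypi.org
    files.pythonhosted.org
    pypi.python.org
"""

def _parse(text):
    # pip.conf is INI; indented lines continue the previous option's value.
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    return parser

def audit_pip_conf(text):
    """Return (cert_path, trusted_hosts, findings) for a pip.conf body."""
    parser = _parse(text)
    cert, hosts, findings = None, [], []
    for section in parser.sections():
        if parser.has_option(section, "cert"):
            cert = parser.get(section, "cert").strip()
        if parser.has_option(section, "trusted-host"):
            # Hosts are whitespace-separated, on one line or several.
            hosts.extend(parser.get(section, "trusted-host").split())
    if cert is None:
        findings.append("no cert entry: the corporate root CA is not configured")
    elif not os.path.isfile(os.path.expanduser(cert)):
        findings.append(f"cert file not found: {cert}")
    if hosts:
        findings.append("certificate verification skipped for: " + ", ".join(hosts))
    return cert, hosts, findings

def cert_only(text):
    """Return the same config with every trusted-host entry removed."""
    parser = _parse(text)
    for section in parser.sections():
        parser.remove_option(section, "trusted-host")
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()

if __name__ == "__main__":
    for finding in audit_pip_conf(SAMPLE_PIP_CONF)[2]:
        print("finding:", finding)
    print(cert_only(SAMPLE_PIP_CONF))
```

To audit a real file, pass the contents of ~/.pip/pip.conf to audit_pip_conf instead of the sample string.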
Final Summary
When pip fails with CERTIFICATE_VERIFY_FAILED on macOS behind Zscaler, Blue Coat, or other SSL-inspection firewalls, it’s because Python doesn’t trust the rewritten certificates. The fix is:
- Export your company’s root CA
- Configure pip via ~/.pip/pip.conf
- Add cert and (if required) trusted-host
- Understand the security implications
This restores pip functionality while ensuring compatibility with corporate security
