Installing conda packages when not being logged in to my organizational network fails when using corporate's ssl-certificate

Question

In order to be able to install conda and pip packages from within my organizational network I configured conda to use my corporate's .pem file using:

conda config --set ssl_verify <pathToMyFile>.pem

Everything works fine with downloading and installing packages but as soon as I am not logged in to the network (e.g. because I am working from home) I can't install any packages anymore. It seems that I have to be logged in to my corporate's network when using the respective .pem file.

Specifically I am getting the following error:

Collecting package metadata (repodata.json): failed

CondaHTTPError: HTTP 000 CONNECTION FAILED for url <https://conda.anaconda.org/conda-forge/linux-64/repodata.json>

This problem has already been discussed here where user @payala summed up the problem in the comment section:

Yes, but then this will only work while you are within your organization's network. If you are using a notebook and you exit the network, it will not work. What can be done that supports adding this certificate in addition to the ones already used by conda? – payala

One solution would be to follow the suggestion from user @user6020015 who says:

if you leave your organization's network, you can just comment out that line in .condarc with a # and uncomment when you return.

However, this seems very tedious to me, because I would have to comment and uncomment this line of code several times per week. Is there a solution to solve this?

score 2 · Answer 1 · answered Aug 26 '22 at 13:53

2

I'd probably add some shorthand commands to the shell (e.g., ~/.bashrc), like...

function conda_work() { 
  conda config --set ssl_verify <pathToMyFile>.pem
}

function conda_play() {
  conda config --remove-key ssl_verify
}

to quickly toggle the setting.

answered Aug 26 '22 at 13:53

merv

67,214
13
180
245

Nice workaround, still I wonder if this behavior is intended by the conda developers? In other words: Why is conda doing this? Intuitively, when adding a `.pem` file, I would not expect conda to fail on installations as soon as I am not connected to my corporate network. But maybe this is nothing that can be changed? Also, do you know the equivalent of `conda config --remove-key ssl_verify` for `pip`? Because I get the same behavior with pip and I would love to also toggle pip's SSL-verification on or off using the functions that you have provided – Johannes Wiesner Sep 06 '22 at 08:20
I don't know for Pip. The documentation (`conda config --describe ssl_verify`) says you can alternatively point to a folder that has all the trusted certificates. Consider discussing options with your network/system admins. – merv Sep 06 '22 at 18:54
I discovered how to do that with `pip`. Setting the certificate works with `pip config set global.cert /path/to/cert`, disabling it again can be achieved with `pip config unset global.cert`. Could you update your solution and provide this as well? Conda and pip seem to behave similar in this regard, so I guess most users that need the solution for conda, also need this for pip – Johannes Wiesner Oct 05 '22 at 13:35

Installing conda packages when not being logged in to my organizational network fails when using corporate's ssl-certificate

1 Answers1