The latest articles on DEV Community by Daniel Emuze (@elphynomenon). https://dev.to/elphynomenon https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3150124%2F41638755-e03c-42b1-b650-31f6162fc7d8.png https://dev.to/elphynomenon en Daniel Emuze Sun, 11 May 2025 13:20:42 +0000 https://dev.to/elphynomenon/resolving-ssl-certificate-issues-with-zscaler-4hba https://dev.to/elphynomenon/resolving-ssl-certificate-issues-with-zscaler-4hba <p>When working in environments where HTTPS traffic is intercepted and proxied by tools like Zscaler , you may encounter SSL certificate validation errors when making HTTPS requests (e.g., curl, wget, or Kubernetes API calls). This article outlines the root cause of the issue, troubleshooting steps, and solutions to resolve it.</p> <h2> Problem Description </h2> <p>When using tools like curl or Kubernetes resources (e.g., ConfigMap, kubectl), you may encounter errors such as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl: (60) SSL certificate problem: self-signed certificate in certificate chain </code></pre> </div> <p>This happens because:</p> <ul> <li>Zscaler intercepts HTTPS traffic and replaces the original server certificate with its own.</li> <li>The system does not trust the Zscaler root certificate, leading to SSL validation failures.</li> </ul> <h2> Root Cause </h2> <p>Corporate proxies like Zscaler acts as a man-in-the-middle (MITM) for HTTPS traffic:</p> <ul> <li>Zscaler decrypts outgoing HTTPS traffic from your machine.</li> <li>It re-encrypts the traffic using its own certificate before forwarding it to the destination server.</li> <li>If the Zscaler root certificate is not trusted by your system, SSL validation fails.</li> </ul> <h2> Solution Approaches </h2> <h3> 1. Add the Zscaler Root Certificate to Your Trusted Store </h3> <p>To resolve the issue, you need to add the Zscaler root certificate to your system's trusted certificate store. Follow these steps:</p> <h4> Step 1: Export the Zscaler Root Certificate </h4> <p>You can export the Zscaler root certificate using one of the following methods:</p> <p><strong>Option A: From Your Browser</strong></p> <ol> <li>Open your browser and navigate to any HTTPS website (e.g., <a href="https://dl.k8s.io" rel="noopener noreferrer">https://dl.k8s.io</a>).</li> <li>Click the lock icon in the address bar to view the site's security information.</li> <li>Select "Certificate" or "Connection is secure" &gt; "Certificate is valid" .</li> <li>In the certificate window, go to the "Certification Path" tab.</li> <li>Select the topmost certificate in the chain (usually the Zscaler root certificate).</li> <li>Click "Export" and save the certificate as a .cer file (DER or PEM format).</li> </ol> <p><strong>Option B: Using OpenSSL</strong></p> <p>Run the following command to inspect the certificate chain and extract the root certificate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>openssl s_client -showcerts -connect dl.k8s.io:443 &lt;/dev/null </code></pre> </div> <p>Look for the root certificate in the output (issued by Zscaler).<br> Copy the base64-encoded block of the root certificate into a file (e.g., zscaler-root-ca.crt).</p> <h4> Step 2: Add the Certificate to Your Trusted Store </h4> <p>Follow these steps based on your operating system:</p> <p><strong>For Linux</strong></p> <ol> <li>Copy the certificate to the trusted certificates directory: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo cp zscaler-root-ca.crt /usr/local/share/ca-certificates/ </code></pre> </div> <ol> <li>Update the CA certificates: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo update-ca-certificates </code></pre> </div> <p><strong>For macOS</strong></p> <ol> <li>Open the Keychain Access application.</li> <li>Import the certificate:</li> <li>Go to File &gt; Import Items and select the .cer file.</li> <li>Trust the certificate:</li> <li>Double-click the imported certificate.</li> <li>Expand the "Trust" section and set "When using this certificate" to "Always Trust" .</li> </ol> <h4> Step 3: Verify the Certificate Installation </h4> <p>Test the connection again to ensure the certificate is trusted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl https://dl.k8s.io/release/stable.txt </code></pre> </div> <p>If successful, you should see the content of the file without SSL errors.</p> <h2> Troubleshooting Tips </h2> <h3> 1. Verify Certificate Chain </h3> <p>Use openssl to inspect the certificate chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>openssl s_client -showcerts -connect dl.k8s.io:443 &lt;/dev/null </code></pre> </div> <p>Ensure the chain includes the Zscaler root certificate.</p> <h3> 2. Check Proxy Settings </h3> <p>Verify that no additional proxies are interfering with the connection. For example:</p> <ul> <li>Check environment variables like HTTP_PROXY and HTTPS_PROXY.</li> <li>Ensure your network configuration allows direct access to external domains if needed.</li> </ul> <h3> 3. Test with Different Networks </h3> <p>If possible, test your setup on a network where Zscaler is not active (e.g., personal Wi-Fi). This helps confirm whether the issue is specific to Zscaler.</p> <h2> Conclusion </h2> <p>By adding the Zscaler root certificate to your trusted store, you can resolve SSL certificate validation issues in environments where Zscaler intercepts HTTPS traffic. Use the steps outlined above to ensure secure and uninterrupted communication with external services.</p> <p>If you encounter further issues, consult your IT department for assistance with Zscaler configurations or certificate management.</p> ssl zscaler curl certificate