Zscaler is not allowing PIP to download and install packages

Unable to download PIP packages from Anaconda or Python; Zscaler is blocking pip from downloading any packages.
I tried setting SSL verify to False, but I am still not able to bypass Zscaler SSL inspection. Kindly assist me on this.


There could be three reasons why PIP is failing to download packages

  1. URL Category/Host is blocked by Zscaler
  2. SSL Certificate returned by Host is invalid
  3. SSL Inspection certificate isn’t trusted by PIP/Python

You could bypass SSL inspection entirely for the Host you are downloading from, and set policy to allow. That would solve all 3. However, you would bypass security inspection of the content.
I’d recommend that the hosts you’re downloading from should be on an “allow” list from URL filtering (which resolves #1).
If the website SSL certificate is invalid, then you’d likely want to block it - but you could also make a policy decision to trust the certificate.
SSL Inspection will return a certificate signed by either your custom CA, or the Zscaler CA, which needs to be trusted by the system or application - in this case PIP/Python. You should ensure the certificate is trusted. Please review the document “Installing TLS / SSL ROOT Certificates to non-standard environments”, which details how to get the certificates deployed for a number of environments.


I do not want to bypass SSL for the public domain, since packages are downloaded from a public site. Let me try to see if I can validate the certificate.
Thank you for quick assistance.


Lifting this response from our friends at Stack Overflow. I’ve not personally tested/validated.

-----> pip install gensim config --global http.sslVerify false

Just install any package with the “config --global http.sslVerify false” statement

You can ignore SSL errors by setting pypi.org and files.pythonhosted.org as trusted hosts.

$ pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org <package_name>

Note: Sometime during April 2018, the Python Package Index was migrated from pypi.python.org to pypi.org. This means “trusted-host” commands using the old domain no longer work.

Permanent Fix

Since the release of pip 10.0, you should be able to fix this permanently just by upgrading pip itself:

$ pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org pip setuptools

Or by just reinstalling it to get the latest version:

$ curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py

(… and then running get-pip.py with the relevant Python interpreter).

pip install <otherpackage> should just work after this. If not, then you will need to do more, as explained below.

You may want to add the trusted hosts and proxy to your config file.

pip.ini (Windows) or pip.conf (unix)

[global]
trusted-host = pypi.python.org

Alternate Solutions (Less secure)

Most of the answers could pose a security issue.

Two of the workarounds that help in installing most of the python packages with ease would be:

  • Using easy_install : if you are really lazy and don’t want to waste much time, use easy_install <package_name> . Note that some packages won’t be found or will give small errors.
  • Using Wheel : download the Wheel of the python package and use the pip command pip install wheel_package_name.whl to install the package.

P.S. Welcome to Zscaler Community!

It worked beautifully 🙂 Thanks a ton. I have added trusted hosts in the pip.ini file and am able to install packages.


May I know which works out for you? Experiencing the same issues here.

Adding pip sites as trusted hosts worked, but it is not the right approach. I did some more research and found the solution below, which resolved the issue.

Save the Zscaler certificate on your local machine and run the command below.

pip config set global.cert

It should look like this:
pip config set global.cert "c:/Temp/Zscaler.crt"

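An added example, not written by any poster in this thread: a small audit of a pip.ini / pip.conf body that flags the trusted-host workaround and checks that a cert setting points at a readable PEM file, the two outcomes discussed above. The function names and both sample configs are constructed for illustration.

```python
import configparser

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample configs for the demonstration.
WEAK_CONFIG = """\
[global]
trusted-host = pypi.org
               files.pythonhosted.org
"""
FIXED_CONFIG = """\
[global]
cert = c:/Temp/Zscaler.crt
"""

def read_bytes(path):
    """Return the file's bytes, or None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None

def audit_pip_config(text, read_file=read_bytes):
    """Return (severity, message) findings for one pip.ini / pip.conf body."""
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            key = key.replace("_", "-")
            if key == "trusted-host":
                # Each listed host is exempted from certificate validation.
                for host in value.split():
                    findings.append(("HIGH", f"[{section}] trusted-host {host}: certificate validation disabled"))
            elif key == "cert":
                data = read_file(value.strip().strip('"'))
                if data is None:
                    findings.append(("MEDIUM", f"[{section}] cert {value}: file not readable"))
                elif PEM_MARKER not in data:
                    findings.append(("MEDIUM", f"[{section}] cert {value}: not PEM-encoded"))
                else:
                    findings.append(("OK", f"[{section}] cert {value}: PEM CA bundle in use"))
    return findings

if __name__ == "__main__":
    for name, body in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for severity, message in audit_pip_config(body):
            print(name, severity, message)
```

Because pip's cert option replaces the default CA bundle, the file it points to has to contain every root needed for the connections pip makes.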

PIP does certificate pinning. I solved that issue with:
Policy -> SSL Inspection -> Exempt These Hosts from Inspection & Other Policies