@<1523701087100473344:profile|SuccessfulKoala55> I managed to make this work by concatenating the existing OS CA bundle and the Zscaler certificate, and setting REQUESTS_CA_BUNDLE to that bundle file.
@<1523701087100473344:profile|SuccessfulKoala55> Actually it failed now: failed to talk to our storage in Azure:
ClearML Task: created new task id=c47dd71dea2f421db05647a21d78ed26
2024-01-25 21:45:23,926 - clearml.storage - ERROR - Failed uploading: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
2024-01-25 21:46:48,877 - clearml.storage - WARNING - Storage helper problem for .clearml.0149daec-7a03-4853-a0cd-a7e2b2958405.test: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)
Traceback (most recent call last):
  File "/mnt/c/data/suse-venv/lib64/python3.10/site-packages/clearml/storage/helper.py", line 2741, in check_write_permissions
    self.delete(path=dest_path)
  File "/mnt/c/data/suse-venv/lib64/python3.10/site-packages/clearml/storage/helper.py", line 2726, in delete
    return self._driver.delete_object(self.get_object(path))
  File "/mnt/c/data/suse-venv/lib64/python3.10/site-packages/clearml/storage/helper.py", line 1153, in delete_object
    container = object.container
AttributeError: 'NoneType' object has no attribute 'container'
Since the storage code does not use the same client/session for connecting to Azure, it will not use the certificate you provided in the env var, I think
Is it because Azure is "whitelisted" in our network? Thus it needs a different certificate? And how do I provide 2 different certificates? Is bundling them as simple as a concat of 2 PEM files?
Not sure ... providing the Zscaler certificate seems to allow ClearML to talk to our ClearML server, hosted in Azure; Task init worked. But then it failed to connect to the storage account (Azure too) ...
Hi @<1576381444509405184:profile|ManiacalLizard2>, you can set the REQUESTS_CA_BUNDLE env var to point to the certificate - this should do it
The question is why do you need a custom certificate for Azure at all?
The storage driver uses azure.storage.blob.BlobServiceClient - it's possible the package's implementation does not use the same env vars to obtain custom certificates and requires some other configuration
@<1523701087100473344:profile|SuccessfulKoala55> Thanks. Managed to get it working now with
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/zscaler.crt
(Ubuntu system)
Storage certificates are handled separately