
Configuring CLI-based Tools and Development Frameworks to work with Netskope SSL Interception

  • September 16, 2024
  • 11 replies
  • 37555 views

This topic has been closed for replies.


notskope
  • New Member III
  • October 7, 2024

This should really be in the KB. Pretty much every Netskope customer I’ve worked with has issues with CLI/developer tools.


Rohit_Bhaskar
  • Netskope Employee
  • October 8, 2024

Hi 

Thank you for sharing your feedback. We will look into the same and update you on your feedback in the next update.


  • New Member
  • October 22, 2024

Hi Rohit,

 

Do you have a guideline for docker or how we can bypass the SSL interception please?

 

Thank you.


  • New Member III
  • November 26, 2024

Thanks!


nicscott.dp
  • New Member III
  • March 24, 2025

For the macOS instructions under "Combined Certificate Bundle", this command is meant to be run as a one-liner. The way it's formatted here as inline code creates improper line breaking. It doesn't look like this forum supports fenced code blocks, but could you please update it to use "Forum|wysiwyg.code.btn.title" to format it, so it's more clear and intuitive for readers?
 

Second, there is an issue because of the line break in "Application Support". Please update it to escape the white space or use quotes around the string:

sudo cp /tmp/nscacert_combined.pem /Library/Application\ Support/Netskope/STAgent/data/

One-liner example:

security find-certificate -a -p \
/System/Library/Keychains/SystemRootCertificates.keychain \
/Library/Keychains/System.keychain > /tmp/nscacert_combined.pem \
&& sudo cp /tmp/nscacert_combined.pem \
/Library/Application\ Support/Netskope/STAgent/data/
 

  • New Member
  • May 23, 2025

Getting this error when trying to create a CA Bundle in Windows. ‘Protect Client Configuration’ setting is not enabled. Any ideas?
 

 


notskope
  • New Member III
  • May 29, 2025

Getting this error when trying to create a CA Bundle in Windows. ‘Protect Client Configuration’ setting is not enabled. Any ideas?

I’m not sure what is causing your error if client file protection is disabled, but you can pretty easily get the CA files from your Netskope console:

<tenant>.goskope.com/ns#/settings?view=certificates&tab=signing or Settings > Manage > Certificates

OR

From your browser, navigate to a site which is being decrypted by Netskope, and view/download the root CA certificate file.


notskope
  • New Member III
  • May 29, 2025

Below is the list of tools/frameworks and instructions on how to make them compatible with Netskope SSL interception:

Tools/Framework: Python-based apps and scripts
Instructions: Python-based tools that use the requests library can leverage the CA bundle referenced by the system variable REQUESTS_CA_BUNDLE. Create your CA bundle that includes the Netskope root CA for your tenant and set the environment variable REQUESTS_CA_BUNDLE to point to that file.

 

For anyone else who is using Python and Requests through Netskope:

Python 3.13 and above enforces more strict validation of TLS certificates and you may encounter one of the following errors:

requests.exceptions.SSLError: HTTPSConnectionPool(host='www.google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key Identifier (_ssl.c:1020)')))

or

requests.exceptions.SSLError: HTTPSConnectionPool(host='google.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)')))

due to the way Netskope (improperly) created the root decryption CA/intermediate CA and/or was not including the AKI extension on the spoofed web server certificates.

The easiest workaround I have found is using Python 3.12 until Netskope fixes this problem.

This may not affect newer tenants if Netskope has improved the cert generation process in recent years.
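
Added example, not part of the post above and not Netskope's code: Python 3.13 makes `ssl.create_default_context()` set `VERIFY_X509_STRICT` by default, which is what produces both errors quoted above. The code below clears only that flag on one context while chain and hostname verification stay on; the function names are hypothetical, and it uses the standard library's `urllib` rather than requests.

```python
import os
import ssl
import urllib.request


def bundle_from_env(environ=os.environ):
    """Return the REQUESTS_CA_BUNDLE path if it names an existing file, else None."""
    path = environ.get("REQUESTS_CA_BUNDLE")
    return path if path and os.path.isfile(path) else None


def build_context(cafile=None, strict=False):
    """Verifying TLS context; strict=False clears only VERIFY_X509_STRICT."""
    # With cafile set, only that bundle is trusted (the combined bundle is
    # expected to hold the system roots plus the tenant CA); with None the
    # system trust store is used.
    ctx = ssl.create_default_context(cafile=cafile)
    if strict:
        ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    else:
        ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def describe(ctx):
    """Summarise the settings that decide whether a chain is accepted."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "x509_strict": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
    }


def fetch_status(url, ctx):
    """GET url through the given context and return the HTTP status code."""
    handler = urllib.request.HTTPSHandler(context=ctx)
    with urllib.request.build_opener(handler).open(url, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    relaxed = build_context(bundle_from_env())
    print("relaxed:", describe(relaxed))
    print("strict: ", describe(build_context(bundle_from_env(), strict=True)))
    # fetch_status("https://www.google.com/", relaxed)  # needs network access
```
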


Rohit_Bhaskar
  • Netskope Employee
  • June 18, 2025

Added updates in the Article as mentioned below:

 

MacOS - Certificate Bundle Script Update:

#!/bin/bash
# This script automates the process of creating a bundled certificate to be used for the requests library in Python
# and sets the correct env var to work seamlessly with Netskope.
# Assumes a single regular user account; several matches would break the paths below.
USERNAME=$(dscl . list /Users | grep -v '^_' | grep -v 'nobody' | grep -v 'daemon' | grep -v 'root')
echo "User is: $USERNAME"
# Check if the certificate file is in the right location.
if [ -f "/tmp/nscacert_combined.pem" ]
then
    echo "File exists."
else
    echo "File does not exist, creating."
    security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain /Library/Keychains/System.keychain > /tmp/nscacert_combined.pem
fi
# Check if zshrc exists.
if [ -f "/Users/$USERNAME/.zshrc" ]
then
    echo "Zshrc exists."
    RCFILE="/Users/$USERNAME/.zshrc"
# Check if bashrc exists.
elif [ -f "/Users/$USERNAME/.bashrc" ]
then
    echo "Bashrc exists."
    RCFILE="/Users/$USERNAME/.bashrc"
else
    echo "Bashrc nor zshrc does not exist."
    # No RC file to update; stop here so the grep below does not wait on stdin.
    exit 1
fi
echo "RC file is: $RCFILE"
# Check if var is set in RC file.
if grep -q "export REQUESTS_CA_BUNDLE='/tmp/nscacert_combined.pem'" "$RCFILE"
then
    echo "Environment Variable is set."
else
    echo "Environment Variable not set, setting."
    echo "export REQUESTS_CA_BUNDLE='/tmp/nscacert_combined.pem'" >> "$RCFILE"
fi

Quick note: Instead of placing the file in the /Library/Application Support/Netskope/STAgent/data folder, store it in a persistent location such as /tmp, or any other stable directory. Then, export the REQUESTS_CA_BUNDLE environment variable to point to the new location of the .pem file. This approach avoids deletion and ensures proper functionality.


  • New Member III
  • July 2, 2025

We are having issues with Visual Studio, which is not working through NS.

How can we make VS work through Netskope with SSL and try to insert the SSL certificate?


  • New Member III
  • July 2, 2025

I followed the article; it is not clear how to set it up.