Certificate verify failed

NBouwman · 22 April 2025 07:51

I get a malformed connection error
We have narrowed it down to being a ZScaler issue when sitting on a home network.
Here is the full error:

2025-04-22 09:24:46.555 ERROR   : Could not connect to the VIKTOR platform: Malformed connection (code:002, reason:[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1018))

As said above, we believe this is a ZScaler issue thus I don’t expect a solution from the community, more wanted to give others a heads up if they get the same error.

NBouwman · 25 April 2025 09:30

We had originally assumed this was something related to ZScaler and working from home, but I now have the same issue working from a different company office.

Viktor can you shed some light on where this problem comes from? What the cli is wanting so that we can get some idea on how to fix it?

pieter.bieghs · 25 April 2025 10:58

I have sometimes the same issue, trying to connect several times usually gets me connected correctly, but this is a big inconvenience. Already reported this to Viktor directly, no real solution found.

rdejonge · 25 April 2025 11:45

@NBouwman,

The certificates that are present in your Windows certificate store are used by the SDK to establish a connection. The reason we do this is that you would otherwise receive a self-signed certificate error when developing behind a proxy such as Zscaler.

The error you share comes from the way Python 3.13 creates its default SSLContext. From 3.12 to 3.13 it started using stricter verfication. See the documentation:

I assume you are using Python 3.13, downgrading to Python 3.12 would prevent the error from happening.

To come back to the origin of the error message; as can be read in the note it may now reject pre-RFC 5820 certificates. I went a bit further into the rabbit hole to see what that might mean with respect to basic constraints.

According to RFC 5280 4.2.1.9:

The cA boolean indicates whether the certified public key may be used to verify certificate signatures. If the cA boolean is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted. If the basic constraints extension is not present in a version 3 certificate, or the extension is present but the cA boolean is not asserted, then the certified public key MUST NOT be used to verify certificate signatures.

And w.r.t. appearing critical:

Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates. This extension MAY appear as a critical or non-critical extension in CA certificates that contain public keys used exclusively for purposes other than validating digital signatures on certificates. Such CA certificates include ones that contain public keys used exclusively for validating digital signatures on CRLs and ones that contain key management public keys used with certificate enrollment protocols. This extension MAY appear as a critical or non-critical extension in end entity certificates.

Could you check the Zscaler certificate? I expect to see a discrepancy w.r.t. this RFC. For example if it contains ‘Digital Signature’ as value for the field ‘Key Usage’ it should mark the ‘Basic Constraints’ field as critical to conform to the RFC. Is that the case?

rdejonge · 25 April 2025 11:47

@pieter.bieghs do you experience the same error? Or do you see a different error message? Could you share the error stack trace?

NBouwman · 25 April 2025 12:00

I have downgraded for now to be able to get things working quickly. This does solve the problem for now.
I will have to look with ICT into the certificates more deeply and see what is possible.
Thanks @rdejonge