Added SSL info, cleaned up some pages

Arrowbox · Aug 13, 2019 · b309378 · b309378
1 parent 5ea3e1d
commit b309378
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 8 deletions.
diff --git a/docs/source/user-guide/concepts/channels.rst b/docs/source/user-guide/concepts/channels.rst
@@ -23,7 +23,7 @@ For details, see how to :ref:`modify your channel lists <config-channels>`.
 
 We use conda-forge as an example channel.
 `Conda-forge <https://conda-forge.org/>`_ is a community channel
-made up of thousands of contributors. Conda-forge itself is 
+made up of thousands of contributors. Conda-forge itself is
 analogous to PyPI but with a unified,
 automated build infrastructure and more peer review of
 recipes.
@@ -53,7 +53,7 @@ Priority decreases from left to right - the first argument is higher priority th
 
   $ conda search scipy --channel file:/<path to>/local-channel --override-channels
 
-* In .condarc, use the key `channels` to see a list of channels for conda to search for packages.
+* In .condarc, use the key ``channels`` to see a list of channels for conda to search for packages.
 
 Learn more about :doc:`managing channels <../tasks/manage-channels>`.
 
@@ -67,7 +67,7 @@ that have been cloned by the channel clone and are
 now available behind the CDN (content delivery network).
 The RSS feed shows what has happened on a rolling,
 two-week time frame and is useful for seeing where
-packages are or if a sync has been run. 
+packages are or if a sync has been run.
 
 Let's look at the `conda-forge channel RSS feed <https://conda-static.anaconda.org/conda-forge/rss.xml>`_
 as an example.

diff --git a/docs/source/user-guide/concepts/environments.rst b/docs/source/user-guide/concepts/environments.rst
@@ -59,10 +59,10 @@ Virtual environments
 
 A virtual environment is a tool that helps to
 keep dependencies required by different projects
-separate by creating isolated spaces for them that contain per-project dependencies.
-for them.
+separate by creating isolated spaces for them that
+contain per-project dependencies for them.
 
-Users can create virtual environments 
+Users can create virtual environments
 using one of several tools such as
 Pipenv or Poetry, or a conda virtual
 environment. Pipenv and Poetry are based around Python's

diff --git a/docs/source/user-guide/configuration/disable-ssl-verification.rst b/docs/source/user-guide/configuration/disable-ssl-verification.rst
@@ -22,9 +22,9 @@ traffic to continue.
 from a PyPI server over HTTPS.
 
 .. warning::
-   This opion causes your computer to download and execute arbitrary
+   This option causes your computer to download and execute arbitrary
    code over a connection that it cannot verify as secure. This option is not
-   recommended. Use this option only if necessary. Use this option at your own
+   recommended and should only be used if necessary. Use this option at your own
    risk.
 
 To disable SSL verification when using ``conda skeleton pypi``, set the

diff --git a/docs/source/user-guide/configuration/index.rst b/docs/source/user-guide/configuration/index.rst
@@ -13,3 +13,4 @@ Configuration
    pip-interoperability
    use-winxp-with-proxy
    disable-ssl-verification
+   non-standard-certs
diff --git a/docs/source/user-guide/configuration/non-standard-certs.rst b/docs/source/user-guide/configuration/non-standard-certs.rst
@@ -0,0 +1,29 @@
+===============================
+Using non-standard certificates
+===============================
+
+Using conda behind a firewall may require using a non-standard
+set of certificates, which requires custom settings.
+
+If you are using a non-standard set of certificates, then the
+requests package requires the setting of ``REQUESTS_CA_BUNDLE``.
+If you receive an error with self-signed certifications, you may
+consider unsetting ``REQUESTS_CA_BUNDLE`` and `disabling SSL verification <https://conda.io/projects/conda/en/latest/user-guide/configuration/disable-ssl-verification.html>`_
+to create a conda environment over HTTP.
+
+You may need to set the conda environment to use the root certificate
+provided by your company rather than conda’s generic ones.
+
+One workflow to resolve this on MacOS is:
+
+* Open Chrome, got to any website, click on the lock icon on the left
+  of the URL. Click on «Certificate» on the dropdown. In the next window
+  you see a stack of certificates. The uppermost (aka top line in window)
+  is the root certificate (e.g. Zscaler Root CA).
+* Open MacOS keychain, click on «Certificates» and choose among the
+  many certificates the root certificate that you just identified.
+  Export this to any folder of your choosing.
+* Convert this certificate with OpenSSL: ``openssl x509 -inform der -in /path/to/your/certificate.cer -out /path/to/converted/certificate.pem``
+* For a quick check set your shell to acknowledge the certificate: ``export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem``
+* To set this permanently, open your shell profile (.bshrs or e.g. .zshrc) and add this line: ``export REQUESTS_CA_BUNDLE=/path/to/converted/certificate.pem.``
+  Now exit your terminal/shell and reopen. Check again.