Prisma Cloud: Code Security: How to resolve SSL validation error "SSL: CERTIFICATE_VERIFY_FAILED" when using self-signed certificates with Checkov in CI/CD?
Created On 03/03/23 22:34 PM - Last Modified 02/10/25 21:04 PM
Question
- How to resolve SSL validation error "SSL: CERTIFICATE_VERIFY_FAILED" when using self-signed certificates with Checkov in Jenkins?
Environment
- Prisma Cloud
- Code Security
- Checkov
- Jenkins CICD
- SSL errors
- Error noticed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
Answer
- Self-signed certificates are supported, but it is mandatory to also have a global root certificate from a public certificate authority (CA) such as GoDaddy, Mozilla, etc. Bundle that global root certificate with the internal root and intermediate self-signed certificates in the cert chain.
Additional Information
- This script from GitHub creates a bundle of certificates from all major public CAs and bundles them with Palo Alto's GlobalProtect root and intermediate certificates as part of GlobalProtect's SSL interception technique.
- When the script is run, it outputs a certificate bundle with three certificates from Palo Alto's domain appended. These three certificates are at the bottom of the output file and can then be replaced with the customer's internal root and intermediate certificates and re-bundled.
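The re-bundling step described above, as an added example (not the GitHub script and not Palo Alto's code): it drops the trailing certificates from a bundle and appends the internal root and intermediate in their place. The function names and the sample PEM blocks are constructed for illustration, and the code assumes the certificates to replace are the last three in the file, as stated above.

```python
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s.+?\s-----END CERTIFICATE-----", re.DOTALL)

def split_pem(text):
    """Return every PEM certificate block in `text`, in file order."""
    blocks = PEM_BLOCK.findall(text)
    for block in blocks:
        ssl.PEM_cert_to_DER_cert(block)  # raises if the base64 body is malformed
    return blocks

def rebundle(bundle_text, internal_text, trailing=3):
    """Drop the last `trailing` certificates of the bundle and append the
    internal root and intermediate certificates in their place."""
    public, internal = split_pem(bundle_text), split_pem(internal_text)
    if len(public) <= trailing:
        raise ValueError("bundle has no public roots left after trimming")
    if not internal:
        raise ValueError("no internal certificates supplied")
    merged = []
    for block in public[:-trailing] + internal:
        if block not in merged:  # skip exact duplicates
            merged.append(block)
    return "\n".join(merged) + "\n"

def constructed_pem(label):
    """Constructed placeholder: PEM framing around arbitrary bytes,
    not a real certificate."""
    return ssl.DER_cert_to_PEM_cert(label.encode())

# Constructed sample input: 4 "public" roots followed by 3 vendor certificates.
SAMPLE_BUNDLE = (
    "".join(constructed_pem(f"public-root-{i}") for i in range(4))
    + "".join(constructed_pem(f"vendor-cert-{i}") for i in range(3)))
SAMPLE_INTERNAL = (
    constructed_pem("internal-root") + constructed_pem("internal-intermediate"))

if __name__ == "__main__":
    result = rebundle(SAMPLE_BUNDLE, SAMPLE_INTERNAL)
    print(f"{len(split_pem(result))} certificates in the re-bundled file")
```

With real certificates, write the returned text to a file and pass that file to Checkov through its `--ca-certificate` option or the `BC_CA_BUNDLE` environment variable.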