Certificate_verify_failed

Hi Tony,

I have updated the odrive client to ver 7182.
And still have the same error.
Diagnostic file attached as requested.
current_odrive_status.txt (52.2 KB)

Hi @adikawidya,
I moved this to a new topic to better focus on it.

The error being hit is “CERTIFICATE_VERIFY_FAILED”.

The SSL: CERTIFICATE_VERIFY_FAILED indicates that odrive is receiving a certificate that it is not able to verify as “trusted”. This has almost always been due to SSL decryption/inspection happening on the network, where a different certificate is being used in lieu of the actual one, in order to decrypt the traffic. odrive uses “certificate pinning” to protect against man-in-the-middle attacks, so odrive will not function if the certificate chain is compromised in some way.

My best guess is that something on your network is performing SSL decryption/inspection on the traffic, which utilizes MITM certificates, and that is causing the error.

https://help.zscaler.com/zia/certificate-pinning-and-ssl-inspection
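
A diagnostic for the situation described above, as an added example that is not part of the original post or odrive's own code: it reads the issuer of the certificate a host presents and flags issuers that look like a TLS-inspection product. The marker strings, the sample certificates and the `files.example.com` name are constructed for illustration.

```python
import socket
import ssl

# Vendor names taken from the thread; matching them as substrings of the
# issuer name is an assumption of this example, not a vendor-published rule.
INSPECTION_MARKERS = ("zscaler", "check point", "checkpoint", "palo alto",
                      "blue coat", "cisco")


def issuer_fields(cert):
    """Flatten the nested 'issuer' RDN tuples of a getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert, expected_issuer_orgs):
    """Return 'expected', 'inspection' or 'unknown' for a getpeercert() dict."""
    fields = issuer_fields(cert)
    if fields.get("organizationName", "") in expected_issuer_orgs:
        return "expected"
    names = " ".join(fields.values()).lower()
    if any(marker in names for marker in INSPECTION_MARKERS):
        return "inspection"
    return "unknown"


def fetch_cert(host, port=443, timeout=10):
    """Fetch the leaf certificate the network actually presents for host.

    Uses the OS trust store, so an inspection CA installed on the laptop
    verifies here even though a pinning client rejects it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns.
DIRECT = {"subject": ((("commonName", "files.example.com"),),),
          "issuer": ((("countryName", "US"),),
                     (("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public CA R1"),))}
INSPECTED = {"subject": ((("commonName", "files.example.com"),),),
             "issuer": ((("organizationName", "Zscaler Inc."),),
                        (("commonName", "Zscaler Intermediate Root CA"),))}

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT), ("inspected", INSPECTED)):
        print(label, issuer_fields(cert), classify(cert, {"Example Public CA"}))
```

On the affected laptop, pass `fetch_cert(host)` for one of your linked services to `classify`, together with the issuer organization seen for the same host from an uninspected network.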

Thanks for the explanation and reference to the Zscaler article.

I don’t think I can request an exemption to the Zscaler policy that my company pushes to the work laptop.

Is it possible to have an advanced setting on the odrive client to allow the certificate pinning from a recognised / reputable security provider such as Check Point, Palo Alto, Blue Coat/Symantec, Cisco, Zscaler, etc.?

Hi @adikawidya,
I have passed on the request to the product team, but I don’t think it will make it into the product any time soon.

It may be worth asking your IT team. This has come up before with several large organizations and, so far, it hasn’t been an issue to exempt odrive from SSL inspection.

@Tony, okay I’ll try to request an exemption and see how it goes.

From the main log, it looks like I need to request an exemption for Box, Google Drive, and Amazon Cloud Drive?

Hi @adikawidya,
It will depend on which services you have linked, since odrive will connect to those directly:

odrive:

Box:

Google Drive:

Amazon Drive:
Amazon’s endpoints differ, depending on which region you are in. For example, for the North America region it is likely: