Dear all,
I’ve a working installation of Jupyterhub 2.X for the last 2 years. I was now trying to update the software stack (Python 3.9 → 3.11 and Jupyterhub from 2.X to 3.X) and I’m facing a weird issue related to CA certificates. My old installation still works but this new one throws an error.

Python 3.11
Jupyterhub 3.1.0
oauthenticator 15.1.0
OpenSSL 1.1.1k

I start the jupyterhub without problem and when I click on “login with AzureID” the logs show the error message:

   [W 2022-12-23 13:38:26.509 JupyterHub iostream:1404] SSL Error on 12 ('', 443): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)
   [E 2022-12-23 13:38:26.510 JupyterHub web:1798] Uncaught exception GET /hub/oauth_callback?code=0.AS
   File "/apps/prod/easybuild/sl7.x86_64.foss-2021a/software/Python/3.11.1-GCCcore-10.3.0-bare/lib/python3.11/ssl.py", line 1346, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)

The IP belongs to microsoft azure service,

My installation is behind a corporate proxy (Zscaler) and I cannot directly talk to the microsoft server:

 # openssl s_client -connect
 no peer certificate available
 No client certificate CA names sent

so openssl needs the proxy parameter to be able to get the certificate:

  # openssl s_client -connect -proxy <private-proxy>:80
  depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
  verify error:num=20:unable to get local issuer certificate

So I have the feeling that jupyterhub is having the same probem, when it connects to the microsfot IP it cannot read the cert and this is why it gives me an error (this is my guess).

So, my question is how I can tell jupyterhub (or the AzureAdOAuthenticator) to either use the proxy or ignore the certificate check.


Found the solution.
Thanks to Configuring web-requests to use a proxy · Issue #217 · jupyterhub/oauthenticator (github.com)

pip uninstall pycurl
pip install pycurl

and in jupyterhub_config.py:

from tornado.httpclient import AsyncHTTPClient