Custom CA Bundle Setup for Ask RITA¶
Setup guide for corporate networks with custom certificate authorities (like Zscaler) that intercept TLS traffic.
Quick Start¶
# 1. Copy working configuration
cp example-configs/example-zscaler-config.yaml your-config.yaml
# 2. Edit your-config.yaml with your credentials and set ca_bundle_path
# 3. Test setup
python3 -m askrita.cli test --config your-config.yaml
Configuration¶
Set ca_bundle_path in your YAML config to point to your custom CA bundle:
Usage¶
from askrita import SQLAgentWorkflow, ConfigManager
config = ConfigManager("your-config.yaml")
workflow = SQLAgentWorkflow(config)
result = workflow.query("What are the top customer issues?")
print(result.answer)
Creating a CA Bundle¶
Automatic (macOS with Zscaler)¶
# Extract Zscaler root certificate from system keychain
security find-certificate -a -c "Zscaler" -p /Library/Keychains/System.keychain > zscaler-root.pem
# Combine with server certificates
openssl s_client -connect api.openai.com:443 -showcerts 2>/dev/null \
| sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > server-certs.pem
cat server-certs.pem zscaler-root.pem > credentials/ca-bundle.pem
Manual¶
# Extract certificates from TLS connection
openssl s_client -connect api.openai.com:443 -showcerts > server-certs.txt
# Extract corporate root CA from system keychain (macOS)
security find-certificate -a -c "Zscaler" -p /Library/Keychains/System.keychain > zscaler-root.pem
# Combine into a single bundle
cat server-certs.txt zscaler-root.pem > credentials/manual-ca-bundle.pem
Troubleshooting¶
SSL Certificate Error?
- Verify your CA bundle file exists at the configured path
- Ensure it contains both the corporate root CA and server certificates
- Try regenerating the bundle using the steps above
Configuration Error?