1password-cli and Zscaler

scuoy
Community Member

I use the 1password CLI to automate workflows that require secrets. My organization uses ZScaler as a VPN, which unfortunately does a MITM attack and breaks TLS by re-issuing certificates using its own root CA.

In August, I noticed my 1password CLI stopped working on VPN:

❯ op item list --debug
12:14PM | DEBUG | Session delegation enabled
12:14PM | DEBUG | NM request: NmRequestAccounts
12:14PM | DEBUG | NM response: Success
12:14PM | DEBUG | NM request: NmRequestAccounts
12:14PM | DEBUG | NM response: Success
[ERROR] 2024/10/11 12:14:58 Get "https://my.1password.com/api/v2/account/keysets?__t=1728674098.518": stream error: stream ID 3; INTERNAL_ERROR; received from peer

But it works fine off VPN. The debug log doesn't offer a lot of information, but the ZScaler logs indicate that connections to my.1password.com were "dropped due to failed SSL handshake". From openssl, we can view the certificate chain that demonstrates how ZScaler is manipulating certificates:

❯ echo | openssl s_client -connect my.1password.com:443
---
Certificate chain
 0 s:CN=*.1password.com, O=Zscaler Inc., OU=Zscaler Inc.
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t) 
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  5 04:19:35 2024 GMT; NotAfter: Oct 19 03:46:33 2024 GMT
 1 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t) 
   i:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net), emailAddress=support@zscaler.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  5 03:46:33 2024 GMT; NotAfter: Oct 19 03:46:33 2024 GMT
 2 s:C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net), emailAddress=support@zscaler.com
   i:C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  5 05:32:29 2020 GMT; NotAfter: Jun 23 05:32:29 2041 GMT
---

My System (not System Roots) keychain contains the ZScaler Root CA:

❯ security find-certificate -p -c "Zscaler Root CA" | openssl x509 -noout -issuer -subject
Warning: Reading certificate from stdin since no -in or -new option is given
issuer=C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com
subject=C=US, ST=California, L=San Jose, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Root CA, emailAddress=support@zscaler.com

So applications which respect this (e.g. Chrome) work as expected, but it appears the 1password-cli does not respect this. The desktop app works fine.

ZScaler has a help page on adding the ZScaler Root CA for various applications/programming languages (notably, it's missing 1password). Question: Is there a way I can get the CLI to respect the System keychain or import supplementary root CAs?

1password-cli version: 2.30.0

1Password Version: 8.10.46
Extension Version: 8.10.46.26
OS Version: macOS 14.6.1
Browser: Chrome
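An added example (my own, not from the post, 1Password or Zscaler): a Go program that builds an interception chain shaped like the openssl output in the post, a self-signed proxy root, an intermediate and a *.1password.com leaf, and shows that a Go TLS client's verifier rejects the leaf until that root is appended to its pool from PEM, which is the check that separates "root not trusted by this client" from a handshake being dropped in transit. All certificates and names are generated inside the program; it assumes a Go client and establishes nothing about how op itself is built.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// makeCert issues a certificate for name, signed by parent (self-signed when parent is nil).
func makeCert(name string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name, Organization: []string{"Constructed Proxy Inc."}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if !isCA { tmpl.DNSNames = []string{name} } // the SAN is what hostname verification matches
	if parent == nil { parent, pkey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyLeaf runs the check a Go TLS client applies to a server chain; a root missing from the pool yields UnknownAuthorityError.
func verifyLeaf(leaf, inter *x509.Certificate, roots *x509.CertPool, host string) error {
	ip := x509.NewCertPool()
	ip.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: ip})
	return err
}
// demo builds root -> intermediate -> *.1password.com and verifies the leaf against an empty pool, then against a pool
// with the proxy root appended from PEM (what `security find-certificate -p` exports). Real code starts from x509.SystemCertPool().
func demo() (error, error) {
	root, rootKey := makeCert("Constructed Proxy Root CA", true, nil, nil)
	inter, interKey := makeCert("Constructed Proxy Intermediate CA", true, root, rootKey)
	leaf, _ := makeCert("*.1password.com", false, inter, interKey)
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
	errWithout := verifyLeaf(leaf, inter, x509.NewCertPool(), "my.1password.com")
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(rootPEM) // returns false if the PEM held no certificate
	return errWithout, verifyLeaf(leaf, inter, pool, "my.1password.com")
}
```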