Please respect system (user configured) certs by default #6
There are a few topics to consider here. On the one hand, urllib3 (which is used underneath by dlrnapi_client) recommends certifi as a good cross-platform method to locate the CA cert bundle [1]. We also have the fact that OS-provided python3-certifi packages already patch the library to use the system-level bundle, for example [2] in Fedora. So this is only happening when installing certifi from pip. On a quick test, setting ca_certs to None in [3] seems to do the right thing and use the system-level certificates, but it would be nice to test on more environments. Personally, I'd prefer to keep certifi at least as an option (maybe using another env var?).

[1] - https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verification
urllib3 was also WORKSFORME AS IS, only dlrnapi_client had issues. ATM SSL_CA_BUNDLE is defined in multiple CI systems to take care of certifi wanting to use only the Mozilla certs. If urllib3 had failed me alone, I would have opened a ticket elsewhere. "setting ca_certs to None": None is probably a better default behavior.

[1] https://github.com/openssl/openssl/blob/master/include/internal/common.h#L65
The project ATM uses certifi and by default ignores system certs (for example company internal CA can be added there).
Please use the system certs, as all other applications like curl or urllib3 do by default.
Workaround: figure out where the system certs are today and pass SSL_CA_BUNDLE.
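The precedence discussed in this thread, as an added example that is not dlrnapi_client's code: an explicit SSL_CA_BUNDLE wins, certifi is opt-in, and otherwise the CA path is None so the system store is used. The `EXAMPLE_USE_CERTIFI` variable and the function names are hypothetical; only the standard-library `ssl` module is used, with certifi imported only when opted in.

```python
import os
import ssl


def resolve_ca_source(env=None):
    """Return (kind, path). path=None means "use the system trust store",
    the value the thread proposes passing as urllib3's ca_certs."""
    env = os.environ if env is None else env
    bundle = env.get("SSL_CA_BUNDLE")
    if bundle:
        # An operator-supplied bundle always wins (e.g. a company-internal CA).
        return ("explicit", bundle)
    if env.get("EXAMPLE_USE_CERTIFI") == "1":  # hypothetical opt-in variable
        import certifi  # fail loudly if the user opted in but it is missing
        return ("certifi", certifi.where())
    return ("system", None)


def build_context(env=None):
    """Build a verifying TLS context from the resolved CA source."""
    kind, path = resolve_ca_source(env)
    # cafile=None makes ssl load the platform default certificates.
    # A configured but missing bundle raises instead of silently falling
    # back to another trust store.
    ctx = ssl.create_default_context(cafile=path)
    return kind, ctx


def system_store_locations():
    """Where OpenSSL looks for system certs on this host (for the workaround)."""
    paths = ssl.get_default_verify_paths()
    return {"cafile": paths.cafile, "capath": paths.capath}


if __name__ == "__main__":
    kind, ctx = build_context()
    print("CA source:", kind)
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    print("system store:", system_store_locations())
```
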