Skip to content

fix: improve the detection and loading of default certificates #197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 11, 2024
Merged

fix: improve the detection and loading of default certificates #197

merged 2 commits into from
Jul 11, 2024

Conversation

pyrooka
Copy link
Member

@pyrooka pyrooka commented Jul 11, 2024
edited
Loading

Follow up PR of #196. Turned out in some cases - especially in containers - the certificate verification is still failing due to the missing certs. It's because the location of those files really depend on the system and the OpenSSL configuration.
This PR adds a workaround for this problem, by loading the default certs from the location that the certifi package reports. The requests package uses the same logic, so it should cause no issues.

@pyrooka pyrooka marked this pull request as ready for review July 11, 2024 12:12
@pyrooka pyrooka requested review from padamstx and ricellis and removed request for padamstx July 11, 2024 12:15
@pyrooka pyrooka force-pushed the nb/load-certifi-certs branch from 45b8bf0 to 2ff9c70 Compare July 11, 2024 12:15
ricellis
ricellis reviewed Jul 11, 2024
View reviewed changes
Copy link
Member

@ricellis ricellis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My only comment would be whether certifi should be added to the requirements.txt since it is now referenced directly, but is included transitively via requests. I suppose another option might be using requests.certs.where() to avoid the reference to certifi. I suppose another advantage of that might be that anyone using a custom requests package would get their expected behaviour - see e.g. https://github.com/psf/requests/blob/main/src/requests/certs.py

@pyrooka
Copy link
Member Author

pyrooka commented Jul 11, 2024

That's a really good point! About the requirements, I did not add the certifi package on purpose, but now it doesn't matter anymore as we've stopped referencing to that.

@pyrooka pyrooka force-pushed the nb/load-certifi-certs branch from 592065f to d21f2ce Compare July 11, 2024 13:41
padamstx
padamstx approved these changes Jul 11, 2024
View reviewed changes
Copy link
Member

@padamstx padamstx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pyrooka pyrooka merged commit 3dc4cc4 into main Jul 11, 2024
3 checks passed
@pyrooka pyrooka deleted the nb/load-certifi-certs branch July 11, 2024 15:16
ibm-devx-sdk pushed a commit that referenced this pull request Jul 11, 2024
@semantic-release-bot
chore(release): 3.20.3 release notes
6751215 
## [3.20.3](v3.20.2...v3.20.3) (2024-07-11)

### Bug Fixes

* improve the detection and loading of default certificates ([#197](#197)) ([3dc4cc4](3dc4cc4))
@ibm-devx-sdk
Copy link

🎉 This PR is included in version 3.20.3 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ricellis ricellis ricellis approved these changes

@padamstx padamstx padamstx approved these changes

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pyrooka @ibm-devx-sdk @ricellis @padamstx