Allow REQUESTS_CA_BUNDLE to pass to FILTERED_ENV. #19957

Open
wants to merge 1 commit into base: master

Conversation


@nicksay nicksay commented May 16, 2025

This allows packages that use Python Requests to access custom root
certificates that are common with corporate networks (e.g. Zscaler).

@MikeMcQuaid
Member

@nicksay Can you provide an example of why/when you'd need to use this? Thanks!

@nicksay
Author

nicksay commented May 18, 2025

Absolutely; it comes up notably with the google-cloud-sdk package. Here's an example log of the install failing, this patch being applied, and the install passing. (Note that I have export REQUESTS_CA_BUNDLE="<path_to_zscaler_root_ca.crt>" in my rc file.)

❯ brew install google-cloud-sdk
==> Installing Cask google-cloud-sdk
==> Running installer script 'google-cloud-sdk/install.sh'
Welcome to the Google Cloud CLI!
Traceback (most recent call last):
  File "/opt/homebrew/share/google-cloud-sdk/lib/third_party/urllib3/connectionpool.py", line 466, in _make_request
    self._validate_conn(conn)
    ~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/opt/homebrew/share/google-cloud-sdk/lib/third_party/urllib3/connectionpool.py", line 1098, in _validate_conn
    conn.connect()
    ~~~~~~~~~~~~^^
  File "/opt/homebrew/share/google-cloud-sdk/lib/third_party/urllib3/connection.py", line 657, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
        sock=sock,
    ...<14 lines>...
        assert_fingerprint=self.assert_fingerprint,
    )
  File "/opt/homebrew/share/google-cloud-sdk/lib/third_party/urllib3/connection.py", line 810, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
        sock=sock,
    ...<8 lines>...
        tls_in_tls=tls_in_tls,
    )
  File "/opt/homebrew/share/google-cloud-sdk/lib/third_party/urllib3/util/ssl_.py", line 470, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
  File "/opt/homebrew/share/google-cloud-sdk/lib/third_party/urllib3/util/ssl_.py", line 514, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/python@3.13/3.13.3/Frameworks/Python.framework/Versions/3.13/lib/python3.13/ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        sock=sock,
        ^^^^^^^^^^
    ...<5 lines>...
        session=session
        ^^^^^^^^^^^^^^^
    )
    ^
  File "/opt/homebrew/Cellar/python@3.13/3.13.3/Frameworks/Python.framework/Versions/3.13/lib/python3.13/ssl.py", line 1076, in _create
    self.do_handshake()
    ~~~~~~~~~~~~~~~~~^^
  File "/opt/homebrew/Cellar/python@3.13/3.13.3/Frameworks/Python.framework/Versions/3.13/lib/python3.13/ssl.py", line 1372, in do_handshake
    self._sslobj.do_handshake()
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1028)


❯ cd /opt/homebrew


❯ cat ~/Downloads/brew.git.patch
diff --git a/bin/brew b/bin/brew
index 3ccf7f68a2..dfa2ed166c 100755
--- a/bin/brew
+++ b/bin/brew
@@ -281,6 +281,7 @@ PATH="/usr/bin:/bin:/usr/sbin:/sbin"
 FILTERED_ENV=()
 ENV_VAR_NAMES=(
   HOME SHELL PATH TERM TERMINFO TERMINFO_DIRS COLUMNS DISPLAY LOGNAME USER CI SSH_AUTH_SOCK SUDO_ASKPASS
+  REQUESTS_CA_BUNDLE
   http_proxy https_proxy ftp_proxy no_proxy all_proxy HTTPS_PROXY FTP_PROXY ALL_PROXY
 )
 # Filter all but the specific variables.
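Review bot: the allowlist entry added here covers only the Requests-specific variable, although, as this thread itself notes, Requests also falls back to CURL_CA_BUNDLE, which is more broadly applicable to Homebrew packages; consider allowlisting CURL_CA_BUNDLE alongside it (or instead) so one exported variable serves both Requests-based installers and other tooling. On placement, the new line sits between the user/session variables and the network line `http_proxy https_proxy ftp_proxy no_proxy all_proxy HTTPS_PROXY FTP_PROXY ALL_PROXY`; putting the CA-bundle variable on that line keeps the network-related pass-through variables grouped. The variable is also passed through without any comment or documentation, which is the discoverability concern raised in review; a short comment stating why it is allowlisted (Python Requests installers behind TLS-intercepting corporate proxies, e.g. google-cloud-sdk) would help the next reader of this array.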


❯ patch -p1 < ~/Downloads/brew.git.patch
patching file 'bin/brew'


❯ brew install google-cloud-sdk
==> Installing Cask google-cloud-sdk
==> Running installer script 'google-cloud-sdk/install.sh'
Welcome to the Google Cloud CLI!

...

==> Source [/opt/homebrew/share/google-cloud-sdk/completion.zsh.inc] in your profile to enable shell command completion for gcloud.
==> Source [/opt/homebrew/share/google-cloud-sdk/path.zsh.inc] in your profile to add the Google Cloud SDK command line tools to your $PATH.
==> Linking Binary 'gcloud' to '/opt/homebrew/bin/gcloud'
==> Linking Binary 'git-credential-gcloud.sh' to '/opt/homebrew/bin/git-credential-gcloud'
==> Linking Binary 'gsutil' to '/opt/homebrew/bin/gsutil'
==> Linking Binary 'completion.zsh.inc' to '/opt/homebrew/share/zsh/site-functions/_google_cloud_sdk'
==> Linking Binary 'completion.bash.inc' to '/opt/homebrew/etc/bash_completion.d/google-cloud-sdk'
==> Linking Binary 'bq' to '/opt/homebrew/bin/bq'
==> Linking Binary 'docker-credential-gcloud' to '/opt/homebrew/bin/docker-credential-gcloud'
🍺  google-cloud-sdk was successfully installed!

@MikeMcQuaid
Member

@nicksay Is there any other related Homebrew configuration required? It seems a bit non-discoverable to just allow this variable through. Ideally this would share the value with some other Homebrew configuration?

@nicksay
Author

nicksay commented May 20, 2025

@MikeMcQuaid There's nothing required with Homebrew itself, just the environment.

This is due to how the Requests library handles custom SSL certs. The initial CA bundle can be supplemented by either modifying the calling code to specify an extra bundle as an argument:

import requests
requests.get('https://github.com', verify='/path/to/certfile')  # explicit bundle path wins over the environment

or by setting the REQUESTS_CA_BUNDLE environment variable:

export REQUESTS_CA_BUNDLE=/path/to/certfile   # in the shell, before Python starts
import requests
requests.get('https://github.com')            # verify defaults to True, so the env var is used

However, the Requests library does fall back to using CURL_CA_BUNDLE. See the above link or https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/sessions.py#L767-L770:

# Look for requests environment configuration
# and be compatible with cURL.
if verify is True or verify is None:
    verify = (
        os.environ.get("REQUESTS_CA_BUNDLE")
        or os.environ.get("CURL_CA_BUNDLE")
        or verify
    )

CURL_CA_BUNDLE is definitely more broadly applicable to Homebrew packages. We could use that instead if you prefer.
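
As an added example (not Homebrew's or Requests' code), the following Python re-implements the precedence quoted above so it can be run offline, and models the ENV_VAR_NAMES allowlist from the patch as a plain dict to show why the variable is dropped before the patch and passed through after it. Assumptions: the two allowlist sets are abbreviated copies of ENV_VAR_NAMES, DEFAULT_BUNDLE is a stand-in for the certifi file Requests ships, the OSError text is modelled on Requests' adapters.py, and the PEM blocks in the constructed bundle carry PEM framing only and are not real certificates.

```python
"""Requests CA-bundle precedence vs. an env allowlist (added example, offline)."""
import os
import re
import tempfile

# Abbreviated copies of ENV_VAR_NAMES from the patch above (assumption: trimmed
# to the entries relevant here; the real array in bin/brew is longer).
BREW_ALLOWLIST_BEFORE = frozenset({
    "HOME", "SHELL", "PATH", "TERM", "USER",
    "http_proxy", "https_proxy", "no_proxy", "HTTPS_PROXY", "ALL_PROXY",
})
BREW_ALLOWLIST_AFTER = BREW_ALLOWLIST_BEFORE | {"REQUESTS_CA_BUNDLE"}

# Stand-in for the certifi bundle Requests ships (assumption, not a real path).
DEFAULT_BUNDLE = "certifi/cacert.pem"

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.S)


def filter_env(environ, allowlist):
    """Keep only allowlisted, non-empty variables, as bin/brew does before exec."""
    return {k: v for k, v in environ.items() if k in allowlist and v}


def resolve_verify(verify, environ):
    """Same precedence as the sessions.py excerpt: an explicit path or False wins,
    then REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then the default. An empty
    string falls through because of `or`, exactly as in Requests."""
    if verify is True or verify is None:
        verify = (
            environ.get("REQUESTS_CA_BUNDLE")
            or environ.get("CURL_CA_BUNDLE")
            or verify
        )
    return verify


def ca_bundle_path(verify):
    """Map the resolved `verify` to the file the TLS context will load. None means
    verification is disabled; a missing path raises instead of silently falling
    back to the default (message modelled on Requests' adapters.py)."""
    if verify is False:
        return None
    if verify is True or verify is None:
        return DEFAULT_BUNDLE
    if not os.path.isfile(verify):
        raise OSError(f"Could not find a suitable TLS CA certificate bundle, invalid path: {verify}")
    return verify


def count_pem_certs(path):
    """Count PEM CERTIFICATE blocks: a DER/.cer export yields 0 here and would be
    rejected by Python's ssl module when loaded as a CA file."""
    with open(path, encoding="ascii") as f:
        return len(_PEM_BLOCK.findall(f.read()))


def make_constructed_bundle(directory):
    """Write a placeholder bundle: two blocks with PEM framing only, NOT real
    certificates (constructed for this example)."""
    fake_block = ("-----BEGIN CERTIFICATE-----\n"
                  "MIIBszCCAVkCAQEwCgYIKoZIzj0EAwI=\n"
                  "-----END CERTIFICATE-----\n")
    path = os.path.join(directory, "corp-root-ca.crt")
    with open(path, "w", encoding="ascii") as f:
        f.write(fake_block * 2)
    return path


def demo():
    """Run the scenario from the thread plus the edge cases; return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = make_constructed_bundle(tmp)
        # The user's shell, including the rc-file export mentioned in the thread.
        shell_env = {"HOME": "/Users/me", "PATH": "/usr/bin", "REQUESTS_CA_BUNDLE": bundle}
        before = filter_env(shell_env, BREW_ALLOWLIST_BEFORE)   # variable dropped
        after = filter_env(shell_env, BREW_ALLOWLIST_AFTER)     # variable passed through
        results = {
            "before_patch": ca_bundle_path(resolve_verify(True, before)),
            "after_patch": ca_bundle_path(resolve_verify(True, after)) == bundle,
            "curl_fallback": resolve_verify(None, {"CURL_CA_BUNDLE": bundle}) == bundle,
            "empty_falls_through": resolve_verify(
                True, {"REQUESTS_CA_BUNDLE": "", "CURL_CA_BUNDLE": bundle}) == bundle,
            "verify_false_ignores_env": ca_bundle_path(
                resolve_verify(False, {"REQUESTS_CA_BUNDLE": bundle})) is None,
            "certs_in_bundle": count_pem_certs(bundle),
        }
        try:
            ca_bundle_path(resolve_verify(True, {"REQUESTS_CA_BUNDLE": os.path.join(tmp, "missing.pem")}))
            results["missing_bundle_raises"] = False
        except OSError:
            results["missing_bundle_raises"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Three behaviours are worth knowing when debugging a corporate-proxy setup like the one in this thread: an empty REQUESTS_CA_BUNDLE falls through to CURL_CA_BUNDLE rather than disabling anything; verify=False in the calling code switches certificate checking off and ignores both variables; and a bundle path that does not exist fails loudly instead of quietly reverting to the default store, so the CERTIFICATE_VERIFY_FAILED seen above means the variable never reached the process, not that the path was wrong.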

@MikeMcQuaid
Member

@nicksay Sorry about the delayed response!

Does curl in Homebrew require configuration using CURL_CA_BUNDLE or .curlrc or similar in this configuration?

If you don't mind sharing: can I see your brew config configuration?

@nicksay
Author

nicksay commented May 27, 2025

@MikeMcQuaid Happy to check for a curl config. Do you have a package you know of that I should try?

I'll post my brew config later today.

@MikeMcQuaid
Member

@nicksay Any download in Homebrew will end up using curl so hopefully that helps.


This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale No recent activity label Jun 18, 2025
Labels: stale (No recent activity)

2 participants