HTTPAdapter with SSLContext specified does not use SSLContext's ca_certs on Windows #5316
Comments
I agree that this should be much more straightforward than it is. There should be a simple way to tell it to use Windows cert store on Windows, or to hook this behaviour in via an adapter. I spent quite a while figuring out how to do this, and eventually came up with a solution/workaround.
hooked in in the same way as the description above. The problem with your code is that it happily loads all the certs from the cert store, but as long as ca_certs is set to point at the certificate bundle, it will load everything from that afterwards, overwriting them. By making sure it's None you keep the Windows cert store ones until they're needed. Hope that helps, anyway.
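An added example (not code from this thread or from the requests project) of the approach the comment above describes: an `HTTPAdapter` that supplies an `SSLContext` built from the OS trust store and keeps `ca_certs` at `None`, so the `certifi` bundle is never consulted. The names `SystemStoreAdapter` and `build_session` are hypothetical, and it assumes a `requests` version in which `cert_verify` is the hook that sets `conn.ca_certs`.

```python
import ssl

import requests
from requests.adapters import HTTPAdapter


class SystemStoreAdapter(HTTPAdapter):
    """Hypothetical adapter: verify servers against the OS trust store."""

    def __init__(self, **kwargs):
        # create_default_context() loads the platform's default CAs; on
        # Windows these come from the system certificate store.
        self._ctx = ssl.create_default_context()
        # HTTPAdapter.__init__ calls init_poolmanager(), so _ctx must exist first.
        super().__init__(**kwargs)

    def init_poolmanager(self, *args, **kwargs):
        # Hand the context to urllib3 (direct connections; proxies not covered).
        kwargs["ssl_context"] = self._ctx
        return super().init_poolmanager(*args, **kwargs)

    def cert_verify(self, conn, url, verify, cert):
        # Only the default verify=True case is redirected; verify=False or an
        # explicit bundle path keeps the stock behaviour.
        if verify is not True or not url.lower().startswith("https"):
            return super().cert_verify(conn, url, verify, cert)
        conn.cert_reqs = "CERT_REQUIRED"
        # Leave both unset so nothing is loaded on top of the supplied context
        # and no lookup of the certifi bundle file takes place.
        conn.ca_certs = None
        conn.ca_cert_dir = None
        if cert:  # client certificate: a path, or a (cert, key) pair
            conn.cert_file, conn.key_file = (
                (cert, None) if isinstance(cert, str) else cert
            )


def build_session():
    """Return a Session whose https:// traffic uses SystemStoreAdapter."""
    session = requests.Session()
    session.mount("https://", SystemStoreAdapter())
    return session
```

Certificate and hostname verification stay enabled: the context keeps `CERT_REQUIRED` and `check_hostname`, and only the source of trusted roots changes.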
pip-system-certs might be of interest for you.
@fedorbirjukov - Moreover the issue is less with the I think that @gjb1002's answer will solve this problem, although in my case I just gave in and rewrote our http stack using
Now I see. If using this hack, then you should also clear
My objective was to get `requests` to use the Windows certificate store rather than the `certifi` bundle. Maybe this just isn't supported.

I know there is some complexity and has been some debate about how supplying an `SSLContext` was supposed to work in `requests` (see #2118). But according to that issue, TransportAdapters (i.e. `HTTPAdapter`) is the recommended way to provide an `SSLContext`.

Expected Result

The SSL Context provided would pass its `ca_certs` along to requests and authentication with a remote endpoint would work.

Actual Result
It didn't work, instead there is a failure looking up the certificate bundle (which I've neglected to deploy alongside my application, so it's not there).
The callstack ends up here:
Reproduction Steps
Additionally (as a hack to emulate my environment), go rename `venv\Lib\site-packages\certifi\cacert.pem`
System Information