Allow specifying a custom CA bundle file

In some cases, we may want to keep SSL certificate verification set, but use our own CA bundle file when connecting to an SSL -enabled API server. This commit adds a check for a new environment variable, SSL_CA_BUNDLE. When set, it will instruct the client to use that file to verify SSL certificates, instead of the default one provided by certifi. Change-Id: I7f26798d7e1bd91493a12ca6f7e4c6f6fde57482
softwarefactory-project · Oct 6, 2021 · ad21fe7 · ad21fe7
1 parent 83fe650
commit ad21fe7
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/README.rst b/README.rst
@@ -136,6 +136,9 @@ Environment variables
    API.
 -  *SSL_VERIFY*: set to ‘0’ to deactivate SSL verification when talking
    to the DLRN API.
+-  *SSL_CA_BUNDLE*: when set to a value, it will instruct the client to
+   use that file to verify SSL certificates, instead of the default CA
+   bundle provided by `certifi`.
 
 Author
 ------

diff --git a/dlrnapi_client/configuration.py b/dlrnapi_client/configuration.py
@@ -82,7 +82,9 @@ def __init__(self):
         else:
             self.verify_ssl = True
         # Set this to customize the certificate file to verify the peer.
-        self.ssl_ca_cert = None
+        # If SSL_CA_BUNDLE is not set, self.ssl_ca_cert will be None,
+        # so we will use the CA bundle provided by certifi
+        self.ssl_ca_cert = os.environ.get('SSL_CA_BUNDLE')
         # client certificate file
         self.cert_file = None
         # client key file