So you want to make an API call with python you say....
You say the API is secured with https (or an TLS/SSL certificate)....
Should be simple right?
No not so much. The short story to this is that Fedora by default wants to use the system certificates stored in /etc/pki/tls/certs/ca-bundle.crt (you can see how this works, by looking at the /usr/lib/python2.7/site-packages/requests/certs.py file.
However if you have the certifi python package being installed (either with pip, or via rpm).
- (pip) certifi (2018.1.18) - Python package for providing Mozilla's CA Bundle.
- (RPM) python2-certifi.noarch
As you can see from: /usr/lib/python2.7/site-packages/requests/certs.py or:$ python -c "from requests import certs; help(certs)"
We on fedora/rhel/centos default to /etc/pki/tls/certs/ca-bundle.crt for our certificates. This also assumes that using this certificate as a CA works.
You can use the following to test (provided you have a cluster_name):
$ curl https://api.example.com/context --cacert /etc/pki/tls/certs/ca-bundle.crtHowever with the certifi package installed, it no longer does, so if you go looking for a solution on the inter-webs you might get fun solutions like:
- r = requests.get(url, verify=cafile)
- r = requests.get(url, verifiy=False)
- export REQUESTS_CA_BUNDLE=cafile
However as a fedora user, I feel the best options are to remove certifi so that it no longer conflicts with the default OS CA path. (should correct the SSL issues):
sudo pip uninstall certifiOR
sudo [dnf|yum] uninstall python2-certifiSo verify where your request CA is with:
$ python -c "from requests import certs; print certs.where()"And if its not pointing where it should, it might be that OS is allowing the requests package to use an optional add on to set the path for you, based on what that package provides for the CA.
tl;dr don't rely on an optional dependency, use your hosts CA so that you have consistency between your tools.
No comments:
Post a Comment