Ask users not to raise issues to add random/system certs #72
Comments
|
Agreed, I’d happily merge an issue template that did that. |
|
Or maybe, this module is philosophically misguided? Isn't it reasonable and expected that there are organizational CAs that are not part of the biased Certifi concept of trust? Shouldn't python code be expected to honor a system level CA trust repo? Why is it logical that if I update the system trust, that most mainstream thing (gee, like pip) would respect that? Firefox honors my system CA trust. I can see Certifi as a great fallback if the system doesn't have a CA trust repo already, or perhaps when running in a "paranoid" mode (i.e. the user does not trust the host administrator). For others who might come across this, here is some help (on RHEL/CentOS) to make pip and Requests honor the system root CA trust, including any locally administered organizational CA certs: export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt |
This module is a single file containing the Mozilla cert database. It’s not philosophically anything.
Leaving aside the weasel word biased, yes of course it’s reasonable that there are organisational CAs.
Yes. James, you’ve made comments on two issues on two repos and sent a personal email to me in the space of about an hour. This is clearly bothering you, and something seems to be making you think it’s my fault. So let’s be clear. I don’t think this repo should exist! I don’t think Requests should have to use it. I agree with you. But it turns out that merely wanting something to be true doesn’t make it so. If you want Requests to trust the system trust store, you can simply open a PR to make it do so. But if you try to actually do that you’ll encounter the issues I mentioned in psf/requests#2966, namely that the APIs you need are not currently exposed into Python, so you have to bind them yourself. This brings you into the realm of C extensions and CFFI, which make installing pip borderline impossible. This is not an unsolveable problem. The way to solve it is to bring this interface into Python! No-one has done this yet because the last person who attempted was me (PEP 543), I bit off way more than I could chew, and then moved on out of the Python ecosystem for work reasons. But there is nothing preventing a motivated person, such as yourself, from proposing a PEP that adds the interface we need and then writing the code to do it. It just has to get done! |
Sorry about using "biased". I am not suggesting negative bias, just bias in that it has it's list and no way to alter. And it's actually not immediately clear that this is just a repackaging of the Mozilla database.
No, I do not think it is your fault (or anyone's).
I think there are some legitimate uses of Certifi, just not as the primary! :-)
Ah! Thank you for that. The complication of using a C api when bootstrapping PIP install does make sense! That is because it would make the pip install have architecture/platform dependent code versus pure python, right? So this is another great fallback case for Certifi to fill.
I see, PEP 543 is rather large. I don't think I'll be able to tackle that directly. I'll propose some README/doc updates to Certifi to help people stumbling into this to get a bit more context. |
|
After spending almost a day fixing an SSL problem, I think we should distinguish two cases here:
Understandably, no. 1 is not recommended in the general case. Python's SSL support does not support AIA Fetching and hence depends on a complete chain of certificates from the server; otherwise it throws an exception, like so SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1124)'))) There is a discussion about whether AIA Fetching should be added to Python, e.g. in this thread: https://bugs.python.org/issue18617#msg293894. My impression is that this will remain an open issue for the foreseeable future. Now, whenever a Python user runs into an SSLCertVerificationError, he or she may benefit from guidance on how this can be solved. Is the certifi bundle outdated? How can the missing intermediate certificate be added? Ideally, This is why I took the time and documented my experiences for fixing this: https://stackoverflow.com/a/66111417/516699 |
You're asking certifi to do more than provide a Further, telling people to overwrite a file on their system has so many potential problems, not the least of which someone writing a script that downloads a malicious bundle or what happens if they don't have long-lived architecture (or even control over where certifi is installed and thus can't replace the file). |
|
I am just asking that people who run into an SSL problem caused by server configuration errors that are (1) frequent (I read of 10-30 % of sites), and (2) for which browsers have a work-around in the form of AIA fetching, will at least be directed to the root cause of such problems with missing intermediate certificates. My workaround is likely not the most elegant approach to the problem. Please consider telling people prominently that:
I spent hours trying to understand this, and the first stop most people take is either the requests documentation or the certifi documentation, because the former states that it uses the certificates from certifi. So maybe just add a paragraph to the README.md? People will love you, promised ;-) |
It seems every second issue raise here is "please add some random or system certificate store to the package".
It might be useful to add a basic issue template to the github project asking users not to post requests like this with a couple of links and/or standard responses.
https://help.github.com/articles/creating-an-issue-template-for-your-repository/
The text was updated successfully, but these errors were encountered: