REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE environment variables get ignored when in a venv

[FriederHannenheim]

Requests supports the REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE environment variables to override the certificate

Expected Result

Here's what's happening outside of the venv

REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt python3
Python 3.11.8 (main, Feb 08 2024, 08:03:16) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'

Actual Result

Inside the venv:

fried@linux:/tmp> python3 -m venv .venv
fried@linux:/tmp> source .venv/bin/activate
(.venv) fried@linux:/tmp> pip install requests
Collecting requests
  Downloading requests-2.31.0-py3-none-any.whl.metadata (4.6 kB)
Collecting charset-normalizer<4,>=2 (from requests)
  Downloading charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (33 kB)
Collecting idna<4,>=2.5 (from requests)
  Downloading idna-3.6-py3-none-any.whl.metadata (9.9 kB)
Collecting urllib3<3,>=1.21.1 (from requests)
  Downloading urllib3-2.2.1-py3-none-any.whl.metadata (6.4 kB)
Collecting certifi>=2017.4.17 (from requests)
  Downloading certifi-2024.2.2-py3-none-any.whl.metadata (2.2 kB)
Downloading requests-2.31.0-py3-none-any.whl (62 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 62.6/62.6 kB 3.4 MB/s eta 0:00:00
Downloading certifi-2024.2.2-py3-none-any.whl (163 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 163.8/163.8 kB 5.3 MB/s eta 0:00:00
Downloading charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (140 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 140.3/140.3 kB 10.9 MB/s eta 0:00:00
Downloading idna-3.6-py3-none-any.whl (61 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.6/61.6 kB 5.7 MB/s eta 0:00:00
Downloading urllib3-2.2.1-py3-none-any.whl (121 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 121.1/121.1 kB 10.1 MB/s eta 0:00:00
Installing collected packages: urllib3, idna, charset-normalizer, certifi, requests
Successfully installed certifi-2024.2.2 charset-normalizer-3.3.2 idna-3.6 requests-2.31.0 urllib3-2.2.1

(.venv) fried@linux:/tmp> REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt python3
Python 3.11.8 (main, Feb 08 2024, 08:03:16) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import certifi
>>> certifi.where()
'/tmp/.venv/lib64/python3.11/site-packages/certifi/cacert.pem'
>>> 

Reproduction Steps

$ python3 -m venv .venv
$ source .venv/bin/activate
$ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt python
>>> import certifi
>>> certifi.where()

System Information

$ python -m requests.help

{
  "chardet": {
    "version": null
  },
  "charset_normalizer": {
    "version": "3.3.2"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "3.6"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.11.8"
  },
  "platform": {
    "release": "6.7.7-1-default",
    "system": "Linux"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.31.0"
  },
  "system_ssl": {
    "version": "30100040"
  },
  "urllib3": {
    "version": "2.2.1"
  },
  "using_charset_normalizer": true,
  "using_pyopenssl": false
}

[sigmavirus24]

A few things:

1. Requests isn't in use in your examples; you're using certifi.
2. My guess, is that outside of the venv you have certifi from your package manager, and every Linux distro replaces certifi with something else
3. certifi (a separate project) does not support either environment variable, Requests does.
4. Requests will continue to honor what you set, except in cases like Session.verify=False ignored when REQUESTS_CA_BUNDLE environment variable is set #3829
5. Lastly, I think this is effectively a duplicate of CA-certs bundles and requests.certs.where - Improved documentation #6565

[sigmavirus24]

Duplicate of #6565