
Remove the certifi "hack" #2298

@matthieumarrast


The python certifi package provides Certificate Authorities (CA) certificates (cacert.pem), used by python/requests.

Certifi is regularly updated, especially when root certificates are removed, for example the "GLOBALTRUST" root certificates, because of "an investigation which identified 'long-running and unresolved compliance issues'", cf. CVE-2024-39689 (https://nvd.nist.gov/vuln/detail/cve-2024-39689).

In the certifi version provided by mfext there is a "hack" replacing the path of the CA certificates (cacert.pem) provided by certifi with the ones installed on the server, which can be obsolete. This is done only for centos/redhat/rocky systems, see https://github.com/metwork-framework/mfext/blob/master/layers/layer1_python3_core/0070_certifi/certifi-system-cert-on-centos-rhel-rocky.patch

The reason is probably that self-signed certificates are added by people or companies in the file /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, so it avoids the error "SSL Certificate Problem: Self-Signed Certificate in Certificate Chain" with the python/requests package.
But it annihilates the usage of up-to-date CA certificates provided by certifi.

If a developer decides to use a newer version of certifi (not provided by metwork), they can suddenly face the SSL certificate error without understanding what is happening, as they are not aware of the "hack".

In my mind MetWork must not update CA cert path in the python/certifi package. Developers should be aware that they are going through a proxy with a self-signed certificate, and they must be able to manage it on their own, for example with one of these solutions:

```python
import requests
# solution 1: pass the path to a CA_BUNDLE file with certificates of trusted CAs
response = requests.get("https://google.com", verify="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")
# solution 2: ignore verifying the SSL certificate (to avoid)
response = requests.get("https://google.com", verify=False)
```

cf. https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification

solution 3: use the REQUESTS_CA_BUNDLE environment variable.

solution 4: add your self-signed certificate to the cacert.pem provided by certifi (to avoid)

...
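As an added illustration (not code from the issue, from mfext or from certifi): `compare_bundles` reports which CAs a system bundle adds or lacks relative to certifi's cacert.pem, which is the practical effect of the patch described above, and `effective_ca_bundle` models how requests chooses its bundle (explicit `verify` path, then `REQUESTS_CA_BUNDLE`, then `CURL_CA_BUNDLE`, then certifi's default), covering solutions 1 and 3. The PEM bundles and labels are constructed, not real CA material; the precedence model is an assumption based on requests' documentation rather than a call into requests itself.

```python
import base64
import hashlib
import re

# Constructed sample bundles (not real CA material): the base64 bodies are
# arbitrary bytes, which is enough to exercise parsing and fingerprinting.
def _fake_pem(label: str, seed: bytes) -> str:
    body = base64.b64encode(seed * 8).decode()
    return f'# Label: "{label}"\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n'

CERTIFI_BUNDLE = _fake_pem("Public Root A", b"A") + _fake_pem("Public Root B", b"B")
SYSTEM_BUNDLE = (_fake_pem("Public Root A", b"A")
                 + _fake_pem("Obsolete Root", b"X")    # still trusted locally, gone upstream
                 + _fake_pem("Corp Proxy CA", b"P"))   # private CA added on the server

# One PEM block, optionally preceded by a certifi-style "# Label:" line and other comments.
PEM_BLOCK = re.compile(
    r'(?:^# Label: "(?P<label>[^"]*)"\n(?:#[^\n]*\n)*)?'
    r"-----BEGIN CERTIFICATE-----\n(?P<body>.*?)-----END CERTIFICATE-----",
    re.S | re.M,
)

def parse_bundle(text: str) -> dict:
    """Map the SHA-256 fingerprint of each DER certificate to its label."""
    certs = {}
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group("body").split()))
        fp = hashlib.sha256(der).hexdigest()
        certs[fp] = m.group("label") or fp[:16]
    return certs

def compare_bundles(certifi_text: str, system_text: str) -> dict:
    """Report what changes when the system bundle is substituted for certifi's."""
    c, s = parse_bundle(certifi_text), parse_bundle(system_text)
    return {
        "only_in_system": sorted(s[fp] for fp in s.keys() - c.keys()),
        "missing_from_system": sorted(c[fp] for fp in c.keys() - s.keys()),
        "common": len(c.keys() & s.keys()),
    }

def effective_ca_bundle(verify, env: dict, default: str):
    """Model of requests' precedence (assumption): explicit verify path >
    REQUESTS_CA_BUNDLE > CURL_CA_BUNDLE > default (certifi.where()); False stays False."""
    if verify is True or verify is None:
        return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or default
    return verify

if __name__ == "__main__":
    print(compare_bundles(CERTIFI_BUNDLE, SYSTEM_BUNDLE))
```

Run against `certifi.where()` and `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` on a real host, the "only_in_system" entries are the locally added or no-longer-published roots that the patch silently keeps trusting.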
