Using self-signed certificates
written on Thursday, July 28, 2016
This post describes how to install a self-signed certificate both system-wide and locally in a Python virtualenv. This is nothing fancy, but I regularly need this and it's best to write it down once and for all. As a consequence, I decided to remove all the --no-verify-ssl/--skip-ssl-verification/--insecure options in my tools. Certificate verification is there for a reason; use it.
Get the certificate from the server:
Take a close look at the output from the above command.
For Debian based systems:
See man(8) update-ca-certificates for details.
For Arch Linux:
See man(8) update-ca-trust for details.
For a virtualenv
Most tools and libraries inside a virtualenv will happily ignore the system-wide certificate bundle. Requests, for example, ships its own cacert.pem file. Fortunately, requests accepts the environment variable REQUESTS_CA_BUNDLE, which may point to a user-defined CRT file. Simply use the following command as a one-time setup step:
Please do not replace the bundled cacert.pem file with your custom version since it will be overwritten upon updates.
In case the library is using httplib under the hood (such as proteus), one can use the environment variable SSL_CERT_FILE to point to the user-defined CRT file:
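As an added example (not code from the original post), this script reports which CA file requests and the standard-library ssl module will use in the current environment, and whether your certificate is in it. The CURL_CA_BUNDLE lookup and the certifi fallback mirror how requests resolves its default bundle; the certificate written by `demo()` is a constructed placeholder, not a real certificate.

```python
import hashlib
import os
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_path):
    """SHA-256 fingerprint of every certificate in a PEM file."""
    with open(pem_path, encoding="utf-8", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest() for b in blocks}

def requests_bundle():
    """CA file requests verifies against when verify is left at its default."""
    env = os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("CURL_CA_BUNDLE")
    if env:
        return env
    try:
        import certifi  # provides the cacert.pem that requests falls back to
        return certifi.where()
    except ImportError:
        return None

def stdlib_bundle():
    """CA file for ssl.create_default_context(); honours SSL_CERT_FILE."""
    # None means no such file exists (a CA directory may still be in use).
    return ssl.get_default_verify_paths().cafile

def audit(cert_path):
    """Map each client stack to (bundle path, certificate present in it?)."""
    wanted = fingerprints(cert_path)
    if not wanted:
        raise ValueError(f"no PEM certificate found in {cert_path}")
    bundles = {"requests": requests_bundle(), "stdlib": stdlib_bundle()}
    return {name: (b, bool(b) and os.path.isfile(b) and wanted <= fingerprints(b))
            for name, b in bundles.items()}

def demo():
    """Constructed input: placeholder bytes in a PEM wrapper, not a real cert."""
    path = os.path.join(tempfile.mkdtemp(), "server.crt")
    with open(path, "w") as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(b"constructed placeholder"))
    os.environ["REQUESTS_CA_BUNDLE"] = path  # what the one-time setup exports
    os.environ.pop("SSL_CERT_FILE", None)    # httplib-based tools not set up yet
    return audit(path)

if __name__ == "__main__":
    print(demo())
```

For requests, the file named by REQUESTS_CA_BUNDLE replaces the bundled cacert.pem rather than extending it, so a file holding only the self-signed certificate will no longer verify public sites.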