This post describes how to install a self-signed certificate both
system-wide and locally in a Python virtualenv. This is nothing fancy,
but I regularly need this and it's best to write it down once and for
all. As a consequence, I decided to remove all the
--no-verify-ssl/--skip-ssl-verification/--insecure options in my
tools. Certificate verification is there for a reason, use it.
Get the certificate from the server:
$ echo | openssl s_client -connect HOST:PORT 2>/dev/null | openssl x509 -out HOST.crt -text
Take a close look at the output from the above command.
System-wide installation
For Debian based systems:
$ sudo mv HOST.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
See man(8) update-ca-certificates for details.
For Arch Linux:
$ sudo mv HOST.crt /etc/ca-certificates/trust-source/anchors/
$ sudo update-ca-trust extract
See man(8) update-ca-trust for details.
For a virtualenv
Most tools and libraries inside a virtualenv will happily ignore the
system-wide certificate bundle. Requests, for example, ships its own
cacert.pem file. Fortunately, requests accepts the environment variable
REQUESTS_CA_BUNDLE, which may point to a user-defined CRT file. Simply
use the following command as a one-time setup step:
$ export REQUESTS_CA_BUNDLE=/path/to/HOST.crt
Please do not replace the bundled cacert.pem file with your custom
version since it will be overwritten upon updates.
In case the library is using httplib under the hood (such as proteus), one can use the environment variable SSL_CERT_FILE to point to the user-defined CRT file:
$ export SSL_CERT_FILE=/path/to/HOST.crt
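Setting REQUESTS_CA_BUNDLE to HOST.crt alone makes requests trust only that certificate, so a separate merged bundle is often more practical. The following is an added example, not code from the original post: it checks the fetched certificate against a SHA-256 fingerprint obtained out of band and appends it to a copy of an existing bundle. The function names and the sample data are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"(-----BEGIN CERTIFICATE-----\s(.*?)-----END CERTIFICATE-----)", re.S)


def certs_in(text):
    """Return (pem_text, der_bytes) per certificate, skipping any readable
    preamble such as the one `openssl x509 -text` writes before the PEM."""
    return [(pem, base64.b64decode(body)) for pem, body in PEM_RE.findall(text)]


def fingerprint(der):
    """SHA-256 over the DER bytes, lower-case hex without colons."""
    return hashlib.sha256(der).hexdigest()


def merged_bundle(host_crt_text, expected_sha256, base_bundle_text):
    """Return base_bundle_text plus the certificate from host_crt_text, but
    only if its fingerprint equals the value obtained out of band."""
    found = certs_in(host_crt_text)
    if len(found) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(found))
    pem, der = found[0]
    expected = expected_sha256.replace(":", "").lower()
    if not hmac.compare_digest(fingerprint(der), expected):
        raise ValueError("fingerprint mismatch, certificate not added")
    if fingerprint(der) in {fingerprint(d) for _, d in certs_in(base_bundle_text)}:
        return base_bundle_text  # already trusted, nothing to append
    return base_bundle_text.rstrip("\n") + "\n" + pem + "\n"


def sample_pem(der):
    """Wrap constructed bytes in PEM armour (sample data only)."""
    body = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed sample input: placeholder bytes, not real X.509 certificates.
SAMPLE_DER = b"constructed placeholder for HOST.crt"
SAMPLE_HOST_CRT = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + sample_pem(SAMPLE_DER)
SAMPLE_BASE = sample_pem(b"constructed placeholder for a public CA bundle")
```

Write the returned text to a new file outside the virtualenv's site-packages and point REQUESTS_CA_BUNDLE or SSL_CERT_FILE at that file. The expected fingerprint should come from the server's administrator or another trusted channel, not from the same connection that delivered HOST.crt.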