Using self-signed certificates
written on Thursday, July 28, 2016
This post describes how to install a self-signed certificate both system-wide and locally in a Python virtualenv. This is nothing fancy, but I regularly need it and it's best to write it down once and for all. As a consequence, I decided to remove all the --no-verify-ssl/--skip-ssl-verification/--insecure options in my tools. Certificate verification is there for a reason, use it.
Get the certificate from the server:
$ echo | openssl s_client -connect HOST:PORT 2>/dev/null | openssl x509 -out HOST.crt -text
Take a close look at the output of the above command before trusting the certificate: the -text option prints the subject, issuer and validity period, so confirm they are what you expect.
System-wide installation
For Debian based systems:
$ sudo mv HOST.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
See man(8) update-ca-certificates for details.
For Arch Linux:
$ sudo mv HOST.crt /etc/ca-certificates/trust-source/anchors/
$ sudo update-ca-trust extract
See man(8) update-ca-trust for details.
For a virtualenv
Most tools and libraries inside a virtualenv will happily ignore the system-wide certificate bundle. Requests, for example, ships its own cacert.pem file. Fortunately, requests honours the environment variable REQUESTS_CA_BUNDLE, which may point to a user-defined CRT file. Simply use the following command as a one-time setup step:
$ export REQUESTS_CA_BUNDLE=/path/to/HOST.crt
Please do not replace the bundled cacert.pem file with your custom version since it will be overwritten upon updates.
In case the library is using httplib under the hood (such as proteus), one can use the environment variable SSL_CERT_FILE to point to the user-defined CRT file:
$ export SSL_CERT_FILE=/path/to/HOST.crt
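As an added example (my own code, not part of the original post), the Python below pulls the PEM block out of a HOST.crt written with -text, computes its SHA-256 fingerprint so it can be compared with a copy obtained out of band, reports which CA file Python's ssl module will actually honour (SSL_CERT_FILE if set), and builds a client context that trusts only that file. The function names are my own choices.

```python
import hashlib
import os
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def extract_pem(text):
    """Return the first PEM block in text. A HOST.crt written with
    `openssl x509 -text` carries a human-readable dump before the block,
    and ssl.PEM_cert_to_DER_cert() refuses anything that is not pure PEM."""
    start = text.find(PEM_HEADER)
    end = text.find(PEM_FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate block found")
    return text[start:end + len(PEM_FOOTER)] + "\n"


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of a PEM certificate, colon-separated as printed
    by `openssl x509 -noout -fingerprint -sha256`, for comparison with the
    value the server's administrator gives you out of band."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def effective_ca_file():
    """CA file the ssl module will use: SSL_CERT_FILE if set, otherwise
    OpenSSL's compiled-in default. None if that path does not exist."""
    path = ssl.get_default_verify_paths().cafile
    return path if path and os.path.isfile(path) else None


def trusting_context(ca_file):
    """Client context that trusts only ca_file, which is what
    REQUESTS_CA_BUNDLE achieves for requests; verification and hostname
    checking stay switched on."""
    return ssl.create_default_context(cafile=ca_file)
```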