This repository was archived by the owner on Mar 4, 2020. It is now read-only.
Allow to specify the certificate to be used #56
Merged
This P.R. supersedes #55

Description of the issue/feature this PR addresses

Disclaimer: This is my understanding of the problem and I might be wrong on some points.

On one hand, the Python package requests, which is the one used by senaite.sync to perform requests, uses certifi's package CA bundle as the default one when trying to validate the identity of a server.

On the other hand, we use self-signed certificates to access over https instances in a local network that are not accessible through the public Internet. Why? Because CA entities such as Let's Encrypt only sign certificates for hosts with a valid DNS that can be accessed through the public Internet (https://community.letsencrypt.org/t/certificates-for-hosts-on-private-networks/174/7).

Hence, when trying to sync two instances over https with a self-signed certificate, requests fails with the error [SSL: CERTIFICATE_VERIFY_FAILED] because the self-signed certificate being used to access the instance over https hasn't been signed by any of the CA entities that the package trusts.

The solution is to explicitly tell requests which certificate is to be used for validation.

Current behavior before PR

There wasn't an option to specify a custom certificate for https validation.

Desired behavior after PR is merged

There is an option to specify a custom certificate for https validation. If specified, sync will use that certificate when connecting to the source instance. If it is left empty, then the default requests CA bundle will be used.

Screenshot (optional)

--

I confirm I have tested this PR thoroughly and coded it according to PEP8 and Plone's Python styleguide standards.
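
The behaviour described above (use the configured certificate if one is given, otherwise the default requests CA bundle), as an added example that is not senaite.sync's own code. The function names `resolve_verify` and `fetch` and the `cert_setting` parameter are hypothetical; the point is that the setting maps onto the `verify` argument of requests and never onto `verify=False`.

```python
import os
import ssl


def resolve_verify(cert_setting):
    """Map the optional certificate setting to the value for requests' `verify`.

    Empty setting -> True (requests' default CA bundle, i.e. certifi).
    Non-empty     -> path to a PEM file, checked before any connection is made.
    Never returns False, so certificate verification is never switched off.
    """
    path = (cert_setting or "").strip()
    if not path:
        return True
    path = os.path.abspath(os.path.expanduser(path))
    if not os.path.isfile(path):
        raise ValueError("certificate file not found: %s" % path)
    try:
        # Load the file the way a TLS client loads trust anchors; a file
        # that contains no PEM certificate makes this call fail.
        ssl.create_default_context(cafile=path)
    except (OSError, ValueError) as exc:
        raise ValueError("not a usable PEM certificate: %s (%s)" % (path, exc))
    return path


def fetch(url, cert_setting, timeout=30):
    """GET `url`, trusting either the default bundle or the configured file."""
    import requests  # imported here so resolve_verify works without requests

    # With a path, requests trusts only the certificates in that file; the
    # host name in the URL must still match the certificate.
    return requests.get(url, verify=resolve_verify(cert_setting), timeout=timeout)
```

Failing early on a missing or unparsable file gives a clearer error than the `[SSL: CERTIFICATE_VERIFY_FAILED]` that would otherwise only appear once the sync starts connecting.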