Using Self-Signed Certificates

CUE Zipline depends on the curated set of certificate authority (CA) certificates from the Mozilla Project. This means that connecting to servers via HTTPS should work out of the box so long as the server certificates have been acquired from a public certificate authority.

Certificate verification will, however, fail if a server or proxy that CUE Zipline needs to connect to uses a self-signed certificate. To prevent this, CUE Zipline must be preconfigured with information about your custom CA certificate. To do this, create a certificate bundle containing all the CA certificates needed by CUE Zipline: both your custom CA certificate and all the public ones. Then configure CUE Zipline with the location of the bundle by setting the REQUESTS_CA_BUNDLE environment variable.

You can get the path of the file containing CUE Zipline's default CA certificate bundle by entering the following command:

$ python -m certifi

You must not directly add your custom certificate to this file, because the file is overwritten every time CUE Zipline is upgraded. What you need to do instead is create a new bundle by:

  • Copying the file to a new location.

  • Appending the content of your custom CA certificate (not the server certificate) to the new file.

For example:

$ cat "$(python -m certifi)" myCA.pem > /path/to/myCABundle.pem

You now have a new certificate bundle containing all the certificates needed by CUE Zipline. Set the REQUESTS_CA_BUNDLE environment variable to point to this file, and start CUE Zipline:

$ export REQUESTS_CA_BUNDLE=/path/to/myCABundle.pem
$ zipline

If REQUESTS_CA_BUNDLE is not set when CUE Zipline starts, then it looks for the environment variable CURL_CA_BUNDLE. If CURL_CA_BUNDLE is also not set, then it uses the Mozilla curated CA certificate set included in the CUE Zipline distribution.
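
A sanity check for the bundle built above and for the lookup order just described, as an added example that is not part of CUE Zipline. The function names are hypothetical, and fake_pem builds constructed placeholder blocks (dummy bytes in PEM framing, not real certificates) so the script runs offline.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)
FUSED = re.compile(re.escape(END) + r"[ \t]*" + re.escape(BEGIN))

def resolve_bundle(env, default_path):
    """Pick the bundle in the order described above: REQUESTS_CA_BUNDLE,
    then CURL_CA_BUNDLE, then the bundled default."""
    for name in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(name):  # assumption: an empty value counts as not set
            return name, env[name]
    return "default", default_path

def pem_blocks(text):
    """Decode every certificate block in PEM text to its DER bytes."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]

def check_bundle(bundle_text, custom_ca_text):
    """Return a list of problems in a bundle assembled with cat."""
    problems = []
    # If the first file lacks a trailing newline, cat glues the END marker
    # of its last certificate to the BEGIN marker of the appended one.
    if FUSED.search(bundle_text):
        problems.append("fused END/BEGIN markers")
    if bundle_text.count(BEGIN) != bundle_text.count(END):
        problems.append("unbalanced BEGIN/END markers")
    custom = pem_blocks(custom_ca_text)
    if len(custom) != 1:
        problems.append("custom CA file must hold exactly one certificate")
    elif custom[0] not in pem_blocks(bundle_text):
        problems.append("custom CA certificate missing from bundle")
    return problems

def fake_pem(payload):
    """Constructed stand-in for a certificate: PEM framing around dummy bytes."""
    return f"{BEGIN}\n{base64.b64encode(payload).decode()}\n{END}\n"

if __name__ == "__main__":
    public, my_ca = fake_pem(b"public-root"), fake_pem(b"my-custom-ca")
    print(resolve_bundle({"CURL_CA_BUNDLE": "/path/to/myCABundle.pem"}, "cacert.pem"))
    print(check_bundle(public + my_ca, my_ca))               # clean bundle
    print(check_bundle(public.rstrip("\n") + my_ca, my_ca))  # missing newline
```

To check real files, pass the text of /path/to/myCABundle.pem and myCA.pem to check_bundle; an empty list means the custom CA is present and the PEM framing is intact.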