Using Self-Signed Certificates
CUE Zipline depends on the curated set of certificate authority (CA) certificates from the Mozilla Project. This means that connecting to servers via HTTPS should work out of the box so long as the server certificates have been acquired from a public certificate authority.
Certificate verification will, however, fail if a server or proxy that CUE Zipline needs to connect to uses a self-signed certificate. To prevent this happening, CUE Zipline must be preconfigured with information about your custom CA certificate.
To do this, you need to create a certificate bundle, containing all the CA certificates needed by CUE Zipline, both your custom CA certificate and all the public ones. You then need to configure CUE Zipline with the location of the bundle by setting the REQUESTS_CA_BUNDLE environment variable.
You can get the path of the file containing CUE Zipline's default CA certificate bundle by entering the following command:
$ python -m certifi
You must not directly add your custom certificate to this file, because the file is overwritten every time CUE Zipline is upgraded. What you need to do instead is create a new bundle by:
- Copying the file to a new location.
- Appending the content of your custom CA certificate (not the server certificate) to the new file.
For example:
$ cat $(python -m certifi) myCA.pem > /path/to/myCABundle.pem
You now have a new certificate bundle containing all the certificates needed by CUE Zipline. Set the REQUESTS_CA_BUNDLE environment variable to point to this file, and start CUE Zipline:
$ export REQUESTS_CA_BUNDLE=/path/to/myCABundle.pem
$ zipline
If REQUESTS_CA_BUNDLE is not set when CUE Zipline starts, then it looks for the environment variable CURL_CA_BUNDLE. If CURL_CA_BUNDLE is also not set, then it uses the Mozilla curated CA certificate set included in the CUE Zipline distribution.
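The bundle-building step above, written as a shell function that guards against common mistakes. This is an added example, not part of the CUE Zipline distribution; the function names and the script name build_bundle.sh are hypothetical. It refuses to write into the default bundle, rejects a custom file that contains a private key, and makes sure the two inputs are separated by a line break.

```shell
#!/bin/sh
# Added example (not CUE Zipline code). Usage:
#   build_ca_bundle "$(python -m certifi)" myCA.pem /path/to/myCABundle.pem

# Count PEM certificate blocks in a file, tolerating CRLF line endings.
count_certs() {
    tr -d '\r' < "$1" | grep -c -x -e '-----BEGIN CERTIFICATE-----' || true
}

build_ca_bundle() {
    base=$1; custom=$2; out=$3

    if [ ! -r "$base" ] || [ ! -r "$custom" ]; then
        echo "cannot read $base or $custom" >&2; return 1
    fi
    # Never write into the default bundle: it is overwritten on upgrade.
    if [ -e "$out" ] && [ "$base" -ef "$out" ]; then
        echo "refusing to overwrite the default bundle $base" >&2; return 1
    fi
    # A trust bundle holds certificates only; a key here means the wrong file.
    if grep -q -e 'PRIVATE KEY-----' "$custom"; then
        echo "refusing: $custom contains a private key" >&2; return 1
    fi
    n_base=$(count_certs "$base")
    n_custom=$(count_certs "$custom")
    if [ "$n_custom" -lt 1 ]; then
        echo "no PEM certificate found in $custom" >&2; return 1
    fi

    # Build in a temporary file. The echo after each input guarantees a line
    # break between files, so an END marker never runs into the next BEGIN.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    { tr -d '\r' < "$base"; echo; tr -d '\r' < "$custom"; echo; } > "$tmp"

    # Every certificate from both inputs must still be present.
    if [ "$(count_certs "$tmp")" -ne $((n_base + n_custom)) ]; then
        rm -f "$tmp"; echo "certificate count mismatch" >&2; return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# Run directly: sh build_bundle.sh BASE CUSTOM OUT
if [ "$#" -eq 3 ]; then build_ca_bundle "$@"; fi
```

The function does not check that myCA.pem is a CA certificate rather than a server certificate; `openssl x509 -in myCA.pem -noout -text` shows the Basic Constraints field to confirm that.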