Igl3

Reputation: 5108

Use multiple CA certs with python requests

I'm in a corporate network and need to use a self-signed certificate for the requests library in a docker image.

I installed it by putting it in /usr/local/share/ca-certificates and calling update-ca-certificates like this:

COPY EDAG_Bundle.crt /usr/local/share/ca-certificates/my_cert.crt
RUN update-ca-certificates
ENV REQUESTS_CA_BUNDLE /usr/local/share/ca-certificates/my_cert.crt

Now I am able to access files on a server in our corporate network without running into a certificate error. Unfortunately, this change caused pip to stop working. As pip uses requests too, it now also uses the self-signed certificate instead of the one from certifi.

The requests documentation states the following:

You can pass verify the path to a CA_BUNDLE file with certificates of trusted CAs:

requests.get('https://github.com', verify='/path/to/certfile')

This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.

As I understand this, I can define a list of trusted CAs, not just one. How can I configure requests to use both CAs (my self-signed one and the one from certifi located in /site-packages/certifi/cacert.pem)? Setting both in the environment variable by separating the paths with a colon does not work.

Upvotes: 5

Views: 8037

Answers (1)

anroots

Reputation: 2079

Use /etc/ssl/certs/ca-certificates.crt as your REQUESTS_CA_BUNDLE.

requests.get('https://github.com', verify='/etc/ssl/certs/ca-certificates.crt')

When you put a self-issued CA certificate in /usr/local/share/ca-certificates and then run update-ca-certificates, it will read those in and append them to the global "ca trust file" (ca-certificates.crt). This will hold trust for both publicly trusted CAs and your self-installed CAs.

Note: This applies to Debian/Ubuntu systems; CentOS/Alpine probably have this in a different location (ref).

Upvotes: 4
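Added example, not part of the original question or answer: a standard-library sketch that merges several PEM bundles into one de-duplicated file (for systems without a combined trust file) and checks whether a bundle really contains a given CA, for instance after update-ca-certificates. The helper names, the combined.pem path and the placeholder PEM blocks are assumptions made for illustration.

```python
import base64, hashlib, re, ssl, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(path):
    """Return {sha256(DER): PEM block} for every certificate in a PEM file."""
    text = Path(path).read_text(encoding="utf-8")  # bundles may carry UTF-8 comments
    certs = {}
    for block in PEM_RE.findall(text):
        der = ssl.PEM_cert_to_DER_cert(block)  # ValueError on bad framing or padding
        certs.setdefault(hashlib.sha256(der).hexdigest(), block)
    return certs

def merge_bundles(sources, dest):
    """Write one de-duplicated PEM bundle from several; return the cert count."""
    merged = {}
    for src in sources:
        found = fingerprints(src)
        if not found:  # refuse to silently build a bundle missing a trust source
            raise ValueError(f"no PEM certificates found in {src}")
        for fp, block in found.items():
            merged.setdefault(fp, block)
    Path(dest).write_text("\n".join(merged.values()) + "\n", encoding="ascii")
    return len(merged)

def bundle_contains(bundle, cert):
    """True if every certificate in `cert` also appears in `bundle`."""
    want = fingerprints(cert)
    return bool(want) and want.keys() <= fingerprints(bundle).keys()

def constructed_pem(label):
    """Constructed placeholder block (PEM framing only, not a real certificate)."""
    body = base64.encodebytes(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def demo():
    # Real use (the combined.pem path is an assumption):
    #   merge_bundles([certifi.where(), "/usr/local/share/ca-certificates/my_cert.crt"],
    #                 "/etc/ssl/combined.pem"), then point REQUESTS_CA_BUNDLE at it.
    with tempfile.TemporaryDirectory() as d:
        public, corp, out = (Path(d) / n for n in ("public.pem", "corp.crt", "combined.pem"))
        public.write_text("# comment line\n" + constructed_pem("root-a") + constructed_pem("root-b"))
        corp.write_text(constructed_pem("corp-ca") + constructed_pem("root-a"))  # one duplicate
        count = merge_bundles([public, corp], out)
        return count, bundle_contains(out, corp), bundle_contains(public, corp)

if __name__ == "__main__":
    print(demo())
```

bundle_contains("/etc/ssl/certs/ca-certificates.crt", "/usr/local/share/ca-certificates/my_cert.crt") confirms on a Debian/Ubuntu image that the corporate CA actually landed in the system bundle before REQUESTS_CA_BUNDLE is pointed at it.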
