<div dir="ltr"><div dir="ltr"><div dir="ltr">Hello!<div><br></div><div>Today I got unpleasantly surprised about the inability to change the list of CA certificates pulp-cli uses to verify SSL connections. Pulp-cli uses the requests library, so I expected to be able to just specify the REQUESTS_CA_BUNDLE envvar and be happy. However, this did not work. So I added some print_tb() here and there and saw this:</div><div><br></div><div>...</div><div>  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/python/content.py", line 88, in upload<br>    artifact_href = PulpArtifactContext(pulp_ctx).upload(file, chunk_size)<br>  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/core/context.py", line 43, in upload<br>    result = self.list(limit=1, offset=0, parameters={"sha256": sha256_digest})<br>  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py", line 436, in list<br>    result: Dict[str, Any] = self.pulp_ctx.call(self.LIST_ID, parameters=payload)<br>  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py", line 134, in call<br>    result = self.api.call(operation_id, *args, **kwargs)<br>  File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/openapi.py", line 263, in call<br>    response: requests.Response = self._session.send(request)<br>  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 657, in send<br>    r = adapter.send(request, **kwargs)<br>  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 420, in send<br>    self.cert_verify(conn, request.url, verify, cert)</div><div>...</div><div><br></div><div><a href="https://github.com/pulp/pulp-cli/blob/main/pulpcore/cli/common/openapi.py#L265">pulpcore/cli/common/openapi.py</a> calls requests.Session.<a href="https://github.com/psf/requests/blob/99b3b492418d0751ca960178d274f89805095e4c/requests/sessions.py#L613">send</a>(). 
This works, but it means <a href="https://github.com/psf/requests/blob/99b3b492418d0751ca960178d274f89805095e4c/requests/sessions.py#L519">merge_environment_settings</a> is not called, because it is in request() (which later calls send()). This means the envvar is not applied.</div><div><br></div><div>I tried to abuse Python's dynamic typing and change the value of the verify_ssl flag to what I'd put into the envvar, but click is smart enough to catch this :(</div><div><br></div><div>I found <a href="https://github.com/pulp/pulp-cli/issues/95">the FR</a> to support custom CA certificates. It may be that this FR is as easy as changing send() to request(), allowing users to use an already existing mechanism from the requests library.</div><div><br></div><div>Is there something which I missed?</div><div><br></div><div>Thanks!<br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Konstantin Khankin<br></div></div></div></div></div>