[Pulp-list] Custom list of CA certificates for pulp-cli

Matthias Dellweg mdellweg at redhat.com
Fri Nov 26 18:59:28 UTC 2021


Can you please verify that this change solves your problem:
https://github.com/pulp/pulp-cli/pull/434

Thank you!

On Fri, Nov 26, 2021 at 6:09 PM Konstantin M. Khankin
<khankin.konstantin at gmail.com> wrote:
>
> Hello!
>
> Today I got unpleasantly surprised about the inability to change the list of CA certificates pulp-cli uses to verify SSL connections. Pulp-cli uses the requests library, so I expected to be able to just specify REQUESTS_CA_BUNDLE envvar and be happy. However, this did not work. So I added some print_tb() here and there and saw this:
>
> ...
>   File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/python/content.py", line 88, in upload
>     artifact_href = PulpArtifactContext(pulp_ctx).upload(file, chunk_size)
>   File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/core/context.py", line 43, in upload
>     result = self.list(limit=1, offset=0, parameters={"sha256": sha256_digest})
>   File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py", line 436, in list
>     result: Dict[str, Any] = self.pulp_ctx.call(self.LIST_ID, parameters=payload)
>   File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py", line 134, in call
>     result = self.api.call(operation_id, *args, **kwargs)
>   File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/openapi.py", line 263, in call
>     response: requests.Response = self._session.send(request)
>   File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 657, in send
>     r = adapter.send(request, **kwargs)
>   File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 420, in send
>     self.cert_verify(conn, request.url, verify, cert)
> ...
>
> pulpcore/cli/common/openapi.py calls requests.Session.send(). This works, but it means merge_environment_settings is not called, because it is in request() (which later calls send()). This means envvar is not applied.
>
> I tried to abuse Python's dynamic typing and change the value of the verify_ssl flag to what I'd put into the envvar, but click is smart enough to catch this :(
>
> I found the FR to support custom CA certificates. It may be that this FR is as easy as changing send() to request(), allowing users to use an already existing mechanism from the requests library.
>
> Is there something which I missed?
>
> Thanks!
>
> --
> Konstantin Khankin
> _______________________________________________
> Pulp-list mailing list
> Pulp-list at redhat.com
> https://listman.redhat.com/mailman/listinfo/pulp-list
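
The behaviour described in the quoted message, as an added example that is not part of the original thread and is not pulp-cli's code or the change in the linked pull request: `Session.send()` on a prepared request never reads `REQUESTS_CA_BUNDLE`, while `Session.request()` or an explicit `merge_environment_settings()` call does. `RecordingAdapter`, the URL and the bundle path are constructed for illustration; the adapter replaces the network layer so the example runs offline.

```python
import os
import requests
from requests.adapters import BaseAdapter


class RecordingAdapter(BaseAdapter):
    """Hypothetical offline stand-in for HTTPAdapter: records the `verify` it is handed."""

    def __init__(self):
        super().__init__()
        self.seen_verify = []

    def send(self, request, stream=False, timeout=None, verify=True, cert=None, proxies=None):
        self.seen_verify.append(verify)
        response = requests.Response()
        response.status_code = 200
        response.url = request.url
        response.request = request
        response._content = b""  # empty body, so nothing is read from a socket
        return response

    def close(self):
        pass


def observed_verify(ca_bundle):
    """Return the `verify` values seen for: bare send(), request(), send() + merged env."""
    previous = os.environ.get("REQUESTS_CA_BUNDLE")
    os.environ["REQUESTS_CA_BUNDLE"] = ca_bundle
    try:
        session = requests.Session()
        adapter = RecordingAdapter()
        session.mount("https://", adapter)
        url = "https://pulp.example.invalid/pulp/api/v3/status/"  # constructed URL
        prepared = session.prepare_request(requests.Request("GET", url))
        # 1. Bare send(): falls back to session.verify (True); the envvar is ignored.
        session.send(prepared)
        # 2. request() runs merge_environment_settings() before calling send().
        session.request("GET", url)
        # 3. Keep send(), but merge the environment settings explicitly first.
        settings = session.merge_environment_settings(prepared.url, {}, None, None, None)
        session.send(prepared, **settings)
        return tuple(adapter.seen_verify)
    finally:
        if previous is None:
            os.environ.pop("REQUESTS_CA_BUNDLE", None)
        else:
            os.environ["REQUESTS_CA_BUNDLE"] = previous
```

A caller that builds and sends prepared requests itself can check for this by asserting that the `verify` value reaching the adapter is the configured bundle path rather than the default `True`.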




