
I am running a docker container with Ubuntu as the base and am trying to add a new Certificate Authority to the project.

I'm not entirely sure what's failing, but I cannot seem to make it work. I followed the directions on this page: http://manpages.ubuntu.com/manpages/zesty/man8/update-ca-certificates.8.html by adding the CA file to a directory in /usr/share/ca-certificates, specifying the CA files in /etc/ca-certificates.conf, and then running update-ca-certificates, which completes with a message saying that it added 3 new certificates.

However, aiohttp is still printing the error

aiohttp.errors.ClientOSError: [Errno 1] Cannot connect to host www.myserver.com:443 ssl:True [Can not connect to www.myserver.com:443 [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719)]]

I was informed that aiohttp doesn't access a certificate store itself, but rather relies on asyncio which I think was absorbed into python itself recently. So I don't know if somewhere along the chain something is using a different certificate store, but I would just like to know where I can add my CA files so that they will work with aiohttp.

ison
    Hae you tried what the docs suggest: http://aiohttp.readthedocs.io/en/stable/client.html#ssl-control-for-tcp-sockets ? – freakish Oct 23 '17 at 18:01
  • The project in question uses aiohttp.request calls rather than the session.get calls shown in that documentation. But the project I'm working with is fairly complex so it might be difficult to go through everything and manage these changes. It would be really preferable if I could just dump my certs somewhere and have them be trusted by the library – ison Oct 23 '17 at 22:59
  • aiohttp does not support that AFAIK. Also you should probably stick to sessions. SSL/TLS handshakes are expensive. – freakish Oct 24 '17 at 11:09
  • Right, I'm sure it doesn't support it, and it shouldn't, because that should really be left up to the OS itself. On GNU/Linux systems there is typically a system-wide CA store and methods for users to customize them. Are aiohttp/asyncio not using those? Do they have their own private CA stores? What's stopping me from modifying the CA store that they do use? They have to get their list of trusted CAs _somewhere_. – ison Oct 24 '17 at 15:29
  • Actually I think I just found the answer here: https://stackoverflow.com/questions/42982143/python-requests-how-to-use-system-ca-certificates-debian-ubuntu – ison Oct 24 '17 at 15:55
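aiohttp hands TLS to asyncio, which hands it to Python's ssl module, so the store that matters is the one the interpreter's OpenSSL was built to read (or the SSL_CERT_FILE / SSL_CERT_DIR overrides), not anything private to aiohttp. The following is an added example, not code from the question or from aiohttp: it prints those locations so a container can be checked against where update-ca-certificates actually wrote, and builds a verifying SSLContext that trusts the system store plus an optional extra CA bundle; the /etc/ssl/certs/ca-certificates.crt path is the Debian/Ubuntu output of update-ca-certificates and is assumed here.

```python
import os
import ssl
from typing import Dict, Optional


def ca_store_summary() -> Dict[str, Optional[str]]:
    """Report where this Python's OpenSSL looks for trusted CAs.

    If cafile/capath point somewhere other than the directory the CA was
    added to, update-ca-certificates ran fine but Python never saw it.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,                  # bundle file, None if absent
        "capath": paths.capath,                  # hashed directory, None if absent
        "cafile_env": paths.openssl_cafile_env,  # normally SSL_CERT_FILE
        "capath_env": paths.openssl_capath_env,  # normally SSL_CERT_DIR
        "cafile_env_value": os.environ.get(paths.openssl_cafile_env),
        "capath_env_value": os.environ.get(paths.openssl_capath_env),
    }


def trusted_context(extra_cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verifying client context: OpenSSL default store plus an optional bundle.

    create_default_context() keeps hostname checking and CERT_REQUIRED on and
    loads the default store; the extra file is appended, so public CAs keep
    working alongside the private one instead of replacing it.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if extra_cafile is not None:
        if not os.path.isfile(extra_cafile):
            raise FileNotFoundError(f"CA bundle not found: {extra_cafile}")
        ctx.load_verify_locations(cafile=extra_cafile)
    return ctx


def loaded_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates the context will actually trust."""
    return len(ctx.get_ca_certs())


if __name__ == "__main__":
    for key, value in ca_store_summary().items():
        print(f"{key:>17}: {value}")
    # Assumed path: the bundle update-ca-certificates writes on Debian/Ubuntu.
    bundle = "/etc/ssl/certs/ca-certificates.crt"
    ctx = trusted_context(bundle if os.path.isfile(bundle) else None)
    print("trusted CAs loaded:", loaded_ca_count(ctx))
```

The resulting context is what the linked aiohttp docs expect to be handed to the connector (aiohttp 2.x took it as `TCPConnector(ssl_context=ctx)`; 3.x renamed the parameter to `ssl`), and the same `aiohttp.request(..., connector=...)` call site can reuse one connector for the session-style handshake reuse freakish mentions.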

0 Answers