4

I have a personal Python repository set up with https and I'm able to upload to it using the following command:

twine upload <dist> -r <my_server> --cert <path/to/certfile>

However, I'd like to be able to upload without having to explicitly specify the CA cert location. I believe I've installed the CA cert in the correct location for my system (using "How to add Certificate Authority in centos7?" as guidance, and verified using wget), but I still have to call out the raw path.

How can I make twine use my alternate CA cert by default?

Billy
  • 1
    Maybe defining it on an env var? From the help: `--cert path Path to alternate CA bundle (can also be set via TWINE_CERT environment variable).` – progmatico Nov 29 '18 at 21:45

2 Answers

5

Twine depends on Requests, which in turn relies on Certifi (https://certifi.io/, which in fact is extracted from Requests), and Certifi looks, and only looks, into its own "carefully curated collection of Root Certificates" by default:

>>> import certifi
>>> certifi.where()
'/usr/local/lib/python2.7/site-packages/certifi/cacert.pem'

Which is different from SSL.

You can set either the TWINE_CERT or the REQUESTS_CA_BUNDLE environment variable to the path of your CA certs; the former will affect Twine only, the latter will affect anything that relies on Requests.

Metaphox
1

Run the following to determine where Python is looking for your CA certs:

>>> import ssl
>>> ssl.get_default_verify_paths().capath
/usr/local/etc/openssl/certs

Then put your custom cert in that directory.

Dustin Ingram
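
An added example, not part of either answer or of Twine: a standard-library check of which of the bundle files mentioned in the two answers (`TWINE_CERT`, `REQUESTS_CA_BUNDLE`, Certifi's bundle, the `ssl` default) already contain a given CA certificate. The `fake_pem` helper and the file names in `demo` are constructed for illustration; only the `ssl` default `cafile` is inspected, not the hashed `capath` directory.

```python
import base64, os, re, ssl, tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def der_certs(pem_text):
    """DER bytes of every certificate block found in a PEM string."""
    return {ssl.PEM_cert_to_DER_cert(block) for block in PEM_RE.findall(pem_text)}

def bundle_contains(bundle_path, ca_pem):
    """True if every certificate in ca_pem also appears in the bundle file."""
    wanted = der_certs(ca_pem)
    with open(bundle_path, encoding="utf-8", errors="replace") as fh:
        return bool(wanted) and wanted <= der_certs(fh.read())

def candidate_bundles(env):
    """Bundle files named in the answers: the two variables, certifi, ssl."""
    found = {k: env[k] for k in ("TWINE_CERT", "REQUESTS_CA_BUNDLE") if env.get(k)}
    try:
        import certifi  # installed alongside Requests; skipped if absent
        found["certifi"] = certifi.where()
    except ImportError:
        pass
    cafile = ssl.get_default_verify_paths().cafile
    if cafile:
        found["ssl cafile"] = cafile
    return found

def audit(ca_pem, env=os.environ):
    """For each candidate bundle, report whether it already trusts ca_pem."""
    return {name: os.path.isfile(path) and bundle_contains(path, ca_pem)
            for name, path in candidate_bundles(env).items()}

def fake_pem(label):
    """Constructed stand-in for a certificate (PEM armor around arbitrary bytes)."""
    body = base64.encodebytes(label).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def demo():
    """Constructed scenario: TWINE_CERT has the private CA, REQUESTS_CA_BUNDLE does not."""
    my_ca, other = fake_pem(b"constructed private CA"), fake_pem(b"constructed public root")
    tmp = tempfile.mkdtemp()
    for name, text in {"with_ca.pem": other + my_ca, "without_ca.pem": other}.items():
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write(text)
    env = {"TWINE_CERT": os.path.join(tmp, "with_ca.pem"),
           "REQUESTS_CA_BUNDLE": os.path.join(tmp, "without_ca.pem")}
    return audit(my_ca, env)

if __name__ == "__main__":
    print(demo())
```

To check a real setup, pass the text of your CA's PEM file to `audit()`; a `False` next to a source means that bundle would reject your server's chain.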