
I have two docker containers (app_1 and app_2) set up so that app_1 makes a REST call to app_2 (using FastAPI). The connection needs to be via TLS. I have created two self-signed certs, one for each app, and signed them both with a self-created CA. I start this with docker-compose, and have tried:

docker-compose --env-file my.env up --build

When the call is made, the error:

File "/usr/local/lib/python3.9/ssl.py", line 1310, in do_handshake
app_1 |     self._sslobj.do_handshake()
app_1 | ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1129)

is presented. My understanding is that I need to tell the requests library where to find the CA bundle, but I just can't figure out how to do that. The code is below.

For the environment file:

REQUESTS_CA_BUNDLE=/app/certs/chain.pem

chain.pem contains the CA.crt and CA.key files, as well as the app_2.crt and app_2.key files.

For app_1:

from fastapi import FastAPI
import requests
import time
import sched
import threading


app = FastAPI()

ca_cert_file = '/app/certs/ca.crt'
ca_key_file = '/app/certs/ca.key'


@app.get('/')
async def read_root():
    return {"message": "Hello from app_1"}


def make_request():
    url = "https://app_2"

    response = requests.get(url, timeout=10, cert=('/app/certs/ca.crt', '/app/certs/ca.key'))

    if response.status_code == 200:
        print(response.json())
    else:
        print(f"Request failed status code: {response.status_code}")


scheduler = sched.scheduler(time.time, time.sleep)

def make_rest_call_periodically():
    make_request()

    scheduler.enter(10, 10, make_rest_call_periodically)

scheduler.enter(1, 1, make_rest_call_periodically)

# scheduler.run() blocks until its queue is empty (never, since each call re-schedules
# itself), so it runs in a daemon thread; called directly at module level it would
# stop uvicorn.run() below from ever being reached.
threading.Thread(target=scheduler.run, daemon=True).start()

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=443, ssl_ca_certs='/app/certs/ca.crt', ssl_keyfile="/app/certs/app_1.key", ssl_certfile="/app/certs/app_1.crt")

And for app_2:

from fastapi import FastAPI
import uvicorn

app = FastAPI()

@app.get('/')
async def read_root():
    return {"message": "Hello from app_2"}


if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=443, ssl_ca_certs='/app/certs/ca.crt', ssl_keyfile="/app/certs/app_2.key", ssl_certfile="/app/certs/app_2.crt")
Jim Archer
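Added example (not from the question or its author): a stdlib-only check of what belongs in the file handed to requests' `verify=`, plus a helper that keeps `verify=` (the CA that signed the server's cert) apart from `cert=` (this client's own cert and key). The PEM bundle is constructed with placeholder bodies, and the `/app/certs/...` paths are assumed from the question.

```python
import re

# Constructed stand-in for the question's chain.pem: a CA certificate block plus a
# private-key block (placeholder base64, not a real certificate or key).
CONSTRUCTED_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBkTCB+wIJAKHBplaceholderCAcertBody
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjplaceholderKeyBody
-----END PRIVATE KEY-----
"""

# One PEM block: the END label must match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_labels(pem_text):
    """Return the label of every PEM block in the text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def bundle_problems(pem_text):
    """List what is wrong with a file meant to be used as a CA bundle (verify=)."""
    labels = pem_labels(pem_text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block: nothing to trust")
    for label in labels:
        if "PRIVATE KEY" in label:
            # A trust store is read by every client; a private key must never be in it.
            problems.append(f"contains a {label}: private keys never belong in a CA bundle")
    return problems


def tls_kwargs(ca_bundle, client_cert=None, client_key=None):
    """Keyword arguments for requests.get()/Session: verify= is the CA certificate that
    signed the *server's* cert; cert= is only needed if the server demands a client cert,
    and then it is this client's own cert and key, not the CA's."""
    kwargs = {"verify": str(ca_bundle)}
    if client_cert and client_key:
        kwargs["cert"] = (str(client_cert), str(client_key))
    return kwargs
```

Usage: `requests.get("https://app_2", timeout=10, **tls_kwargs("/app/certs/ca.crt"))`; this verifies app_2's certificate against the CA, provided that certificate carries `app_2` as a subject alternative name.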

0 Answers