Hi, Pankaj,

Appreciate your help. I've tried all those options, but none worked. It 
turned out that the init script in init.d for the server (written by a 
different party) is using "su -" to start a new login shell clearing all 
env vars. Whatever was set in the init script and /etc/default/... 
was thrown away. I had to export the REQUESTS_CA_BUNDLE in "-c". But now 
it works. The bottom line is REQUESTS_CA_BUNDLE env var is the way to go if 
you can't use the "verify" parameter in requests.get() code.

Thanks again.
Gang

On Wednesday, February 8, 2017 at 10:03:04 PM UTC-5, Pankaj Singh wrote:

> Hi,
>
> You can put export commands in your daemon script. Look at these 
> stackoverflow answers:
> 1. http://stackoverflow.com/a/3865077/353550
> 2. http://stackoverflow.com/a/27718602/353550
>
> You can also find different ways to set environment variables for 
> supervisord, uwsgi, apache mod_wsgi by Google Search 
> <https://www.google.com/search?q=site:stackoverflow.com%20set%20environment%20variable%20wsgi%20python>
> .
>
> I hope it helps solve your problem.
>
> On Thu, Feb 9, 2017 at 3:07 AM, Gang Yang <gang...@gmail.com> wrote:
>
>> Hi, Pankaj,
>>
>> Thanks for the reply. The REQUESTS_CA_BUNDLE env var worked as long as I 
>> start the server manually. But I don't seem to be able to "export" this env 
>> var into the server daemon process, which is started from /etc/init.d. I'll 
>> keep digging on the daemon env var.
>>
>> Gang
>>
>> On Wednesday, February 8, 2017 at 5:08:44 AM UTC-5, Pankaj Singh wrote:
>>
>>> Hi,
>>>
>>>> My question is where does SSL client code get the trusted CA 
>>>> certificates from, from Django, Python or the underlying OS?
>>>
>>>
>>> As per official documentation of requests 
>>> <http://docs.python-requests.org/en/latest/user/advanced/#ca-certificates> 
>>> library:
>>>
>>>> By default, Requests bundles a set of root CAs that it trusts, sourced 
>>>> from the Mozilla trust store. However, these are only updated once for 
>>>> each Requests version. This means that if you pin a Requests version your 
>>>> certificates can become extremely out of date.
>>>
>>>> From Requests version 2.4.0 onwards, Requests will attempt to use 
>>>> certificates from certifi if it is present on the system. This allows for 
>>>> users to update their trusted certificates without having to change the 
>>>> code that runs on their system.
>>>
>>> For the sake of security we recommend upgrading certifi frequently!
>>>
>>>
>>> You can read more about certifi on its official docs page 
>>> <https://certifi.io/en/latest/>.
>>>
>>>> What configuration do I need in order for the SSL client to conduct the 
>>>> SSL handshake successfully?
>>>
>>>
>>> You can set REQUESTS_CA_BUNDLE 
>>> <http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification> 
>>> environment variable pointing to .cert file and it will pick it from there.
>>>
>>> If you have just one `.crt` file which is self signed then you can do the 
>>> following
>>>
>>> export REQUESTS_CA_BUNDLE="$HOME/Download/bar.example.com.cert"
>>>
>>>
>>> But if you have multiple certificates which are self signed then you can 
>>> put them in a folder and set the folder path in environment variable. In 
>>> case of a folder, make sure to run c_rehash 
>>> <https://www.openssl.org/docs/man1.0.2/apps/c_rehash.html> command for 
>>> folder.
>>>
>>> mkdir -p /tmp/custom-certs
>>> cp ~/Download/foo.example.com.cert /tmp/custom-certs
>>> cp ~/Download/bar.example.com.cert /tmp/custom-certs
>>> c_rehash /tmp/custom-certs
>>> export REQUESTS_CA_BUNDLE='/tmp/custom-certs'
>>>
>>>
>>> Relevant source code in requests library: 
>>> https://github.com/kennethreitz/requests/blob/v2.13.0/requests/sessions.py#L658-L662
>>>
>>>
>>> On Tue, Feb 7, 2017 at 10:30 PM, Gang Yang <gang...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm pretty new to Django and encountered some client side SSL issue. 
>>>> I'm trying to use django-cas-ng (CAS client) to do CAS authentication and 
>>>> the CAS server is using a self-signed server certificate. After obtaining 
>>>> the service ticket (ST), django-cas-ng tried to verify the ST by calling 
>>>> requests.get(...) and failed with CERTIFICATE_VERIFY_FAILED error. 
>>>> Following some suggestions on the internet, I've tried to modify 
>>>> django-cas-ng's code to call requests.get(..) with verify parameter, such 
>>>> as requests.get(..., verify=False) and requests.get(..., verify="CAS 
>>>> server cert"). Both workarounds worked, but I can't change third-party 
>>>> package code. I also tried to add the CAS server cert to the underlying 
>>>> OS (Windows 2008 and CentOS 6.7), but it did not help.
>>>>
>>>> My question is where does SSL client code get the trusted CA 
>>>> certificates from, from Django, Python or the underlying OS? What 
>>>> configuration do I need in order for the SSL client to conduct the SSL 
>>>> handshake successfully?
>>>>
>>>> Appreciate any help!
>>>>
>>>> Gang
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Django users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to django-users...@googlegroups.com.
>>>> To post to this group, send email to django...@googlegroups.com.
>>>> Visit this group at https://groups.google.com/group/django-users.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/d/msgid/django-users/f07875b8-f3b8-4bcb-b95f-2d936f5ece34%40googlegroups.com
>>>>  
>>>> <https://groups.google.com/d/msgid/django-users/f07875b8-f3b8-4bcb-b95f-2d936f5ece34%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>>
>>>
>>> -- 
>>>
>>> Regards,
>>> Pankaj Kumar Singh
>>>
>>> Mobile: +91 9618754327
>>> Skype: psjinx
>>> Email: psj...@gmail.com
>>>

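A stdlib-only diagnostic for the failure described in this thread, added here as an example (not code from the thread, django-cas-ng or requests): it reads the environment a running daemon actually has and checks that the CA override in it is usable. All function names are hypothetical; the lookup order mirrors the sessions.py lines linked above, and `/proc/<pid>/environ` assumes Linux and a caller allowed to read that process.

```python
import os
import re

# Hash-named entries that c_rehash creates in a CA directory, e.g. "9d66eef0.0".
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE block found in /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode()] = value.decode(errors="replace")
    return env


def ca_source(env: dict) -> str:
    """REQUESTS_CA_BUNDLE first, then CURL_CA_BUNDLE; an empty string means
    no override, so the bundled/certifi store is used."""
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or ""


def check_ca_path(path: str) -> list:
    """Return the problems that would make the override fail (empty if none)."""
    if not path:
        return ["no override set: the default bundle is used"]
    problems = []
    if path.startswith("~"):
        problems.append("literal '~': a quoted tilde is not expanded by the shell")
    if os.path.isdir(path):
        # A CA directory is only searched through its hash-named entries.
        if not any(HASHED_NAME.match(name) for name in os.listdir(path)):
            problems.append("directory has no hashed links: run c_rehash on it")
    elif not os.path.isfile(path):
        problems.append("path does not exist for this process")
    return problems


def audit_process(pid: int) -> list:
    """Check the CA override seen by a running daemon, e.g. one started by
    an init script through "su -", which drops exported variables."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return check_ca_path(ca_source(parse_environ(fh.read())))
```

Calling `audit_process(<daemon pid>)` after a restart shows whether the variable survived the init script; an empty list means the override is set and points at a usable file or hashed directory.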