[openstack-dev] [All] Use of self signed certs in endpoints

Xav Paice xavpaice at gmail.com
Wed Nov 18 20:21:30 UTC 2015


Setting an env var seems like a very straightforward way to do this, and
means the deployer can easily control the specifics of what they want
without any code changes - that suits me perfectly.  Adding some
documentation somewhere to that effect might be handy but this is indeed a
bit of an edge case if the distro packages already patch requests to
override the default anyway.  I only tripped over this when I started using
virtual environments and pip, and wasn't expecting the distro package to
alter the behaviour of the library it ships.

Thanks for the feedback and discussion, it's been really helpful.

On 17 November 2015 at 23:30, Cory Benfield <cory at lukasa.co.uk> wrote:

>
> > On 16 Nov 2015, at 11:54, Sean Dague <sean at dague.net> wrote:
> > That sounds pretty reasonable to me. I definitely support the idea that
> > we should be using system CA by default, even if that means overriding
> > requests in our tools.
>
> Setting REQUESTS_CA_BUNDLE is absolutely the way to go about this. In
> requests 2.9.0 we will also support the case that REQUESTS_CA_BUNDLE points
> to a directory of certificates, not a single certificate file, so this
> should cover all Linux distributions' methods of distributing
> OpenSSL-compatible certificates.
>
> If OpenStack wants to support using Windows and OS X built-in certificate
> stores, that's harder. This is because both systems do not use PEM-file
> based certificate distribution, which means OpenSSL can’t read them.
>
> Cory
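A pre-flight check a deployer could run before relying on REQUESTS_CA_BUNDLE as discussed in this thread. This is an added example, not code from requests or OpenStack; the function names are hypothetical, and the directory test assumes OpenSSL's convention of looking up CA files by subject-hash name, as created by c_rehash.

```python
import os
import re
import tempfile

# OpenSSL finds certificates in a CA directory by subject-hash file name
# (for example "9d04f354.0"); c_rehash / "openssl rehash" creates those names.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def check_ca_override(environ):
    """Classify REQUESTS_CA_BUNDLE as (status, detail) to catch deployment mistakes."""
    path = environ.get("REQUESTS_CA_BUNDLE")
    if not path:
        return ("unset", "requests will use its default CA bundle")
    if os.path.isfile(path):
        # A bundle file is a concatenation of PEM blocks; count them.
        with open(path, encoding="ascii", errors="replace") as fh:
            count = fh.read().count(PEM_BEGIN)
        if count == 0:
            return ("error", f"{path}: no PEM certificates found")
        return ("file", f"{path}: {count} PEM certificate(s)")
    if os.path.isdir(path):
        # A directory of plain *.pem files is not enough: OpenSSL only
        # consults entries whose names are subject hashes.
        hashed = [n for n in os.listdir(path) if HASHED_NAME.match(n)]
        if not hashed:
            return ("error", f"{path}: no hashed entries, run c_rehash on it")
        return ("dir", f"{path}: {len(hashed)} hashed entries")
    return ("error", f"{path}: does not exist")


if __name__ == "__main__":
    # Constructed demo: a directory holding a PEM file that was never rehashed.
    with tempfile.TemporaryDirectory() as ca_dir:
        with open(os.path.join(ca_dir, "internal-ca.pem"), "w") as fh:
            fh.write(PEM_BEGIN + "\n(constructed placeholder)\n")
        print(check_ca_override({"REQUESTS_CA_BUNDLE": ca_dir}))
    # Then report on the real environment of this shell.
    print(check_ca_override(os.environ))
```

Run it in the same virtual environment and shell that will launch the client, since that is the environment the variable is read from.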
