Alexey-T / CudaText

Cross-platform text editor, written in Free Pascal
Mozilla Public License 2.0
2.54k stars 174 forks

Need to be able to add additional Certificate Authorities #5725

Closed bogen85 closed 1 month ago

bogen85 commented 1 month ago

This is related to #4521.

Also, this might not be a direct CudaText issue, and be with the HTTPS/SSL toolkit used.

I'm trying to use CudaText in a new environment, which is behind a Corporate transparent https proxy.

Which means they decrypt and re-encrypt everything, but with both public certs (the https server being connected to and their own) (or something like that).

For Linux in this environment, https package downloading from repos was failing, as well as browser access, so I was able to download the corporate certificate authority in Windows and add it to the system-wide SSL trust in Linux. After that, no more cert issues with package management or web browsers.

Whatever library is used in CudaText gives me the same issue as was reported in #4521, both on Windows and on Linux, so it is not looking at the system-wide trust.

So, I'd like to know how to resolve this, as I'd prefer not to disable SSL checks as indicated in #4521 and not be totally reliant on the corporate https proxy filter to catch problems. Yes, I know, if they are doing the check of valid https certs, then they likely won't let failing ones through.

bogen85 commented 1 month ago

Looking at py/sys/certifi/cacert.pem, it seems like I might be able to re-bundle it with the CA I need to add.

I will investigate this.

bogen85 commented 1 month ago

So it might be as simple as:

cat new-ca.pem >> cacert.pem
openssl verify -CAfile cacert.pem new-ca.pem

And then restarting CudaText and trying the plugin downloads again.

I will try this tomorrow at work and will update (and hopefully close) this issue.

bogen85 commented 1 month ago

ok, certifi is singular in focus, and does not take transparent unencrypting/re-encrypting https proxies into account.

I checked on one of my systems, and /etc/ssl/ca-bundle.pem has everything that py/sys/certifi/cacert.pem has plus some additional ones.

so certifi only checks the one CA bundle brought along with it, and requests references certifi.

So offhand, without more digging, I'm not sure if there is a simple and straightforward way to use the system-wide one in /etc/ssl/ca-bundle.pem if it exists.

bogen85 commented 1 month ago

Making a symlink from py/sys/certifi/cacert.pem to the applicable CA bundle in /etc/ssl works, as does appending the needed CA to the existing py/sys/certifi/cacert.pem.

I don't know of a clean way of resolving this, unless you can think of one @Alexey-T , apart from writing a custom module to replace certifi (which I might do if you would accept it).

But I'm fine with sym-linking it to the applicable CA bundle in /etc/ssl.

Resolving this issue.
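The two workarounds the thread settles on (appending the corporate CA to py/sys/certifi/cacert.pem, or symlinking that file to the system bundle) are easy to get subtly wrong: a bare `cat >>` appends a duplicate every time it is re-run, a truncated or mis-pasted PEM block breaks every download, and the symlink silently replaces the original bundle. The following is an added example written for this thread, not CudaText or certifi code, using only the Python standard library. The system bundle paths and the `.orig` backup name are assumptions, and the "certificates" it merges are constructed stand-ins (DER SEQUENCEs, not real X.509 certs) so that it runs offline; real PEM files from the proxy vendor or /etc/ssl go through the same code unchanged.

```python
"""Keep a certifi-style CA bundle usable behind a TLS-intercepting proxy.

Added example for this thread, not CudaText or certifi code. Stdlib only.
Remedy 1: append the corporate CA to cacert.pem without duplicating it.
Remedy 2: replace cacert.pem with a symlink to the system bundle.
"""
import base64
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Assumption: common locations of the system bundle; which one exists
# depends on the distribution (the thread found /etc/ssl/ca-bundle.pem).
SYSTEM_BUNDLE_CANDIDATES = (
    "/etc/ssl/ca-bundle.pem",
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
)


def iter_pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Rejects malformed base64 and anything that is not a DER SEQUENCE
    (tag 0x30), so a corrupted append is caught before it lands in the
    bundle and breaks every plugin download.
    """
    certs = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not contain a DER certificate")
        certs.append(der)
    return certs


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def merge_bundles(base_text, extra_texts):
    """Append every cert from extra_texts that base_text lacks.

    Returns (merged_text, fingerprints_added). Re-running with the same
    inputs adds nothing, unlike a bare `cat new-ca.pem >> cacert.pem`.
    """
    seen = {fingerprint(der) for der in iter_pem_certs(base_text)}
    merged = base_text if base_text.endswith("\n") else base_text + "\n"
    added = []
    for text in extra_texts:
        for der in iter_pem_certs(text):
            fp = fingerprint(der)
            if fp in seen:
                continue
            seen.add(fp)
            added.append(fp)
            merged += ssl.DER_cert_to_PEM_cert(der)
    return merged, added


def link_certifi_to_system(certifi_pem, candidates=SYSTEM_BUNDLE_CANDIDATES):
    """Symlink certifi's cacert.pem to the first existing system bundle,
    keeping the original file as cacert.pem.orig (assumed backup name).
    Returns the bundle linked to, or None when no candidate exists."""
    certifi_pem = Path(certifi_pem)
    for cand in candidates:
        target = Path(cand)
        if not target.is_file():
            continue
        if certifi_pem.is_symlink():
            certifi_pem.unlink()
        elif certifi_pem.exists():
            certifi_pem.replace(certifi_pem.with_name(certifi_pem.name + ".orig"))
        certifi_pem.symlink_to(target)
        return target
    return None


def fake_der(label):
    """Constructed stand-in for a DER certificate: a SEQUENCE wrapping an
    OCTET STRING. Not a real X.509 cert; it only exercises the plumbing."""
    payload = label.encode()
    inner = b"\x04" + bytes([len(payload)]) + payload
    return b"\x30" + bytes([len(inner)]) + inner


def demo():
    """Round-trip both remedies in a temp dir; returns the values checked."""
    public_root = ssl.DER_cert_to_PEM_cert(fake_der("public-root"))
    corp_ca = ssl.DER_cert_to_PEM_cert(fake_der("corp-proxy-ca"))
    # Remedy 1: the corporate CA is added once; duplicates are ignored.
    merged, added = merge_bundles(public_root, [corp_ca, corp_ca, public_root])
    # Remedy 2: point cacert.pem at a (constructed) system bundle.
    with tempfile.TemporaryDirectory() as d:
        sys_bundle = Path(d, "ca-bundle.pem")
        sys_bundle.write_text(merged)
        certifi_pem = Path(d, "cacert.pem")
        certifi_pem.write_text(public_root)
        target = link_certifi_to_system(
            certifi_pem, [str(Path(d, "missing.pem")), str(sys_bundle)]
        )
        return {
            "added": len(added),
            "merged_certs": len(iter_pem_certs(merged)),
            "linked_to_name": target.name,
            "linked_certs": len(iter_pem_certs(certifi_pem.read_text())),
            "backup_kept": Path(d, "cacert.pem.orig").is_file(),
            "is_symlink": certifi_pem.is_symlink(),
        }


if __name__ == "__main__":
    print(demo())
```

For a real deployment, `merge_bundles` is fed the contents of py/sys/certifi/cacert.pem and the corporate CA file, and the result is written back over cacert.pem; only the proxy's CA certificate should go in, never the per-site leaf certificates it mints, since everything in the bundle becomes a trust root for all of the editor's HTTPS traffic. Two caveats the thread's one-liners leave implicit: anything that rewrites cacert.pem (a CudaText or certifi update) undoes either remedy, so the step has to be repeated afterwards; and `openssl verify -CAfile cacert.pem new-ca.pem` passes for a self-signed CA as soon as that CA is in the bundle, so it confirms the append landed, not that the CA is the right one.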