Open DBS-ST-VIT opened 1 week ago
The current version of Px on Windows uses libcurl and comes with its own cert bundle. You could append your internal CA to the crt file (in Lib/site-packages/px/libcurl/curl-ca-bundle.crt) in the PEM format.
The way to fix this would be to add CURLSSLOPT_NATIVE_CA to the SSL options but it's unclear if it will work - https://github.com/curl/curl/discussions/14869
Oh, and that's a really bad stack trace - it should say that the cert verification failed. That needs to be improved as well.
Better answer in #219. Leveraging a build that uses schannel will solve this issue and is already on the roadmap - switch to pymcurl as the backend.
I do need to make sure I update pymcurl to not set CAINFO on Windows so that it uses the system CA but also have some way to use the bundled CA if preferred for some reason.
Hello, we need to use PX with a PAC file. The PAC file in our company is provided via an internal web server, which uses a TLS cert that was signed by the internal CA.
Actually, this isn't a problem (normally), as the CA is part of the trust store of our Windows 11 machines. But it seems like px isn't using this trust store and fails with a stack trace. If I download the PAC file manually and specify the local path, everything works fine.
Here's the stack trace I was talking about:
I am wondering whether px can be "convinced" to use the system trust store or ignore the fact that it cannot validate the TLS certificate (which is indeed insecure, but we are not using it in a production use case).
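The workaround suggested in the thread, appending an internal CA in PEM format to curl-ca-bundle.crt, sketched as an added example that is not part of Px or of any comment above. The function names are hypothetical and the certificates in `demo()` are constructed stand-ins (PEM armor around arbitrary bytes), used only to show that the append is idempotent and keeps a backup.

```python
import base64
import hashlib
import re
import shutil
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprint(block):
    """SHA-256 over the decoded DER bytes, so whitespace differences don't matter."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()

def append_ca(bundle_path, ca_pem_path):
    """Append certs from ca_pem_path that the bundle lacks; return the number added."""
    bundle = Path(bundle_path)
    bundle_text = bundle.read_text(encoding="utf-8")
    blocks = PEM_BLOCK.findall(Path(ca_pem_path).read_text(encoding="utf-8"))
    if not blocks:
        raise ValueError("no PEM certificate found (a DER file must be converted first)")
    known = {fingerprint(b) for b in PEM_BLOCK.findall(bundle_text)}
    new = []
    for block in blocks:
        fp = fingerprint(block)
        if fp not in known:  # skip certs already trusted by the bundle
            known.add(fp)
            new.append(block)
    if new:
        shutil.copy2(bundle, bundle.with_name(bundle.name + ".bak"))  # keep the original
        lead = "" if bundle_text.endswith("\n") else "\n"
        with bundle.open("a", encoding="utf-8") as fh:
            fh.write(lead + "\n".join(new) + "\n")
    return len(new)

def constructed_pem(payload):
    """Constructed stand-in for a certificate: PEM armor around arbitrary bytes."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

def demo():  # throwaway bundle; returns the counts of two successive appends
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp, "curl-ca-bundle.crt")
        bundle.write_text(constructed_pem(b"public-root").rstrip("\n"))  # no final newline
        ca = Path(tmp, "internal-ca.pem")
        ca.write_text(constructed_pem(b"internal-ca"))
        return append_ca(bundle, ca), append_ca(bundle, ca)

if __name__ == "__main__":
    print(demo())
```

For real use, `bundle_path` is the Lib/site-packages/px/libcurl/curl-ca-bundle.crt file of the Python installation that runs Px. Reinstalling or upgrading the package replaces that file, so the append has to be repeated afterwards.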