A certifi hack to use system trust store on Linux/FreeBSD
Project description
certifi-system-store, a certifi hack to use system trust store
certifi-system-store is a replacement and hack for consumers of certifi. It replaces certifi with an alternative implementation that uses the system trust store on Linux and some BSD distributions.
Please be advised that this package is brand new and highly experimental. It hasn't been tested in any production environment.
Installation
You absolutely must run python -m certifi
after installing the
package. The command ensures that you have a working system trust store
and patches your current Python environment. It creates or replaces
certifi's dist-info directory with certifi-system-store's dist-info.
I recommend that you install certifi-system-store
and patch first,
then install your packages and requirements.
$ python -m pip install certifi-system-store
$ python -m certifi
$ python -m pip install requests
Verification
The certifi
command of certifi-system-store
has an additional
argument --system-store
. The argument is not available with standard
certifi
package. You can use the property to verify that certifi
package is provided by certifi-system-store
.
$ python -m venv venv
$ venv/bin/pip install certifi
$ venv/bin/python -m certifi --system-store
usage: __main__.py [-h] [-c]
__main__.py: error: unrecognized arguments: --system-store
$ echo $?
2
$ venv/bin/pip install certifi-system-store
$ venv/bin/python -m certifi --system-store
/etc/pki/tls/cert.pem
$ echo $?
0
The command also checks for the presence of a CA cert bundle:
$ venv/bin/python -m certifi
Traceback (most recent call last):
...
FileNotFoundError: /etc/ssl/cert.pem, /etc/pki/tls/cert.pem, /etc/ssl/certs/ca-certificates.crt, /etc/ssl/ca-bundle.pem
$ echo $?
1
To check for certifi-system-store
at runtime:
import certifi
if not getattr(certifi, "__certifi_system_store__", False):
raise ImportError("certifi-system-store is not installed")
To depend on certifi-system-store
:
# setup.py
from setuptools import setup
setup(
...,
install_requires=[
"certifi-system-store ; sys_platform == 'linux' or 'freebsd' in sys_platform",
"certifi > 3000 ; sys_platform == 'linux' or 'freebsd' in sys_platform",
"certifi",
],
)
Platform support
Supported platforms
Most major Linux distributions and FreeBSD are supported.
- Alpine
- Debian-based distributions (Ubuntu, Raspberry Pi OS, Tails, ...)
- NOTE: Some distributions don't have a system trust store in
their minimal package list. You may have to install
ca-certificates
manually, see Debian bug #960869, Ubuntu bug #1879310.
- NOTE: Some distributions don't have a system trust store in
their minimal package list. You may have to install
- Fedora-based distributions (RHEL, CentOS, CentOS Streams)
- FreeBSD
- NOTE: may require manual installation of
ca_root_nss
- NOTE: may require manual installation of
- OpenSUSE
Untested platforms
certifi-system-store
may work, but there is no CI for these platforms.
- ArchLinux
- Gentoo
- OpenWRT
- Slackware
- VoidLinux
- other Linux distributions not based on Debian or Fedora
- OpenBSD
- NetBSD
Unsupported platforms
- Windows
- macOS
- Android (has a cert directory but not a PEM bundle)
- iOS
Supported system trust stores
/etc/ssl/cert.pem
- Alpine
- Arch
- Fedora 34+ (see rhbz#1895619)
- FreeBSD (requires
ca_root_nss
package) - OpenWRT
- RHEL 9
/etc/pki/tls/cert.pem
- CentOS 7, 8
- Fedora 33 and earlier
- RHEL 7, 8
/etc/ssl/certs/ca-certificates.crt
- Debian (requires
ca-certificates
package) - Gentoo
- Ubuntu (requires
ca-certificates
package)
/etc/ssl/ca-bundle.pem
- SUSE
How to install custom CA certificates
Alpine
$ sudo cp my-custom-ca.pem /usr/local/share/ca-certificates/my-custom-ca.crt
$ sudo update-ca-certificates
Arch
$ sudo cp my-custom-ca.pem /etc/ca-certificates/trust-source/anchors/my-custom-ca.crt
$ sudo update-ca-trust
CentOS, Fedora, RHEL
Standard PEM or DER-encoded certificates (BEGIN CERTIFICATE
)
$ sudo cp my-custom-ca.pem /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust
Certificates with additional trust information
(BEGIN TRUSTED CERTIFICATE
)
$ sudo cp my-custom-ca.pem /etc/pki/ca-trust/source/
$ sudo update-ca-trust
Debian, Ubuntu
Note: The man page update-ca-certificates(8)
mentions that cert
files must have a .crt
extension.
$ sudo cp my-custom-ca.pem /usr/local/share/ca-certificates/my-custom-ca.crt
$ sudo update-ca-certificates
How does it work?
- empty
certifi/cacert.pem
to override any existing certifi data. - fake
certifi dist-info
with much higher version number than certifi's default dist-info metadata
$ venv/bin/pip install certifi-system-store
$ ls -l .tox/venv/lib/python3.9/site-packages/
certifi
certifi_system_store-3000.1.dist-info
...
$ venv/bin/python -m certifi -v --system-store
certifi-system store 3000.0a1
Patched certifi.dist-info -> certifi_system_store.dist-info
/etc/pki/tls/cert.pem
$ ls -l .tox/venv/lib/python3.9/site-packages/
certifi
certifi-3000.1.dist-info -> certifi_system_store-3000.1.dist-info
certifi_system_store-3000.1.dist-info
...
Special thanks
- Cory Benfield
- Pradyun Gedam
- Wouter Bolsterlee
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for certifi-system-store-3021.3.16.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 603be2b260ae2d5d025f584a219087683ff2ddcd09325ebb56b172cd07877057 |
|
MD5 | aeefb12c77e836f824fd101999c9df4d |
|
BLAKE2b-256 | 964c189f209291795fb76a2a2c14aece74a5f79cc1d228aac4f8c6753397b4dd |
Hashes for certifi_system_store-3021.3.16-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | f990bf52b69edf88dd879913aab5dd07e7537c2686435e3f0354e911a8327c6a |
|
MD5 | 1cff171d58b7ea689c1f44b920f024f9 |
|
BLAKE2b-256 | cefa005b38bb74472c34b8abd0a60022f2697faa764b697bbfe661206ef1bddf |