core3-marcin-molak commented on issue #55147:
URL: https://github.com/apache/airflow/issues/55147#issuecomment-3310995655

   > > There remains no way (for our configuration at least) to use SSL with airflow 3 with our corporate signed CAs, outside of overwriting that file, so I believe this issue is not a duplicate and very much relevant. Besides the obvious SSL config items for API server (AIRFLOW__API__SSL_CERT and KEY), airflow should provide an option for a custom CA to validate these certs against and use that option on all `httpx` calls, which would allow for corporate CA signed certificates.
   > 
   > I believe others solved it by configuring the certificates to be exactly those that webserver uses - support for it was added in this PR and apparently it's been released in 3.0.4 [#53574](https://github.com/apache/airflow/pull/53574)
   > 
   > But if you feel like you still have problems with it and airflow **should** provide other mechanisms - feel absolutely free. You can roll your sleeves and contribute it - and become one of the ~3500 people who not only used Airflow for absolutely free (without any guarantees if you read the licence) but also contributed back when they saw there is a need.
   
   AIRFLOW__API__SSL_CERT could contain a file with only the server certificate, without the chain. For the CA chain we need a truststore. In that case the SSL_CERT_FILE environment should be enough, but in the case of the Airflow Client class the certifi context is created with AIRFLOW__API__SSL_CERT itself (valid for self-signed certs). That is why I think we should add an AIRFLOW__API__SSL_TRUSTSTORE environment.
   
   For Airflow 2.x we could avoid that due to direct usage of the database by the worker - only browsers and 3rd party connections using the API have to configure it. In Airflow 3.x the worker is one of the API clients - that is why the truststore has to be defined.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
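
The distinction the comment draws between a server certificate file and a truststore, as an added example (not from the comment or from Airflow's code): it checks with the `openssl` CLI which file can act as a trust anchor for which certificate. All certificate subjects, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example. All names, subjects and files are constructed for the demo.

# Build a throwaway PKI in a temp dir and print the dir's path:
#   ca.pem     - stand-in for a corporate root CA
#   server.pem - leaf signed by that CA, saved WITHOUT the chain
#   self.pem   - self-signed server certificate
make_demo_pki() {
    d=$(mktemp -d) || return 1
    {
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Corporate CA" \
            -keyout "$d/ca.key" -out "$d/ca.pem" &&
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=api-server.example.test" \
            -keyout "$d/server.key" -out "$d/server.csr" &&
        openssl x509 -req -in "$d/server.csr" -days 1 \
            -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/server.pem" &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=selfsigned.example.test" \
            -keyout "$d/self.key" -out "$d/self.pem"
    } >/dev/null 2>&1 || return 1
    echo "$d"
}

# trusts ANCHOR_FILE CERT: succeeds only if CERT chains to a certificate
# in ANCHOR_FILE under `openssl verify` defaults (no partial-chain matching).
trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {  # print one result line for an anchor/cert pair
    if trusts "$1" "$2"; then echo "$3: trusted"; else echo "$3: REJECTED"; fi
}

demo() {
    d=$(make_demo_pki) || { echo "openssl not usable" >&2; return 1; }
    report "$d/self.pem"   "$d/self.pem"   "self-signed cert, anchor = the cert itself"
    report "$d/server.pem" "$d/server.pem" "CA-signed leaf, anchor = the leaf only"
    report "$d/ca.pem"     "$d/server.pem" "CA-signed leaf, anchor = CA bundle"
    rm -rf "$d"
}

demo
```

`openssl verify` does not match partial chains by default; a TLS client that enables partial-chain matching would accept the leaf-only anchor.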
