core3-marcin-molak commented on issue #55147: URL: https://github.com/apache/airflow/issues/55147#issuecomment-3310995655
> > There remains no way (for our configuration at least) to use SSL with airflow 3 with our corporate signed CAs, outside of overwriting that file, so I believe this issue is not a duplicate and very much relevant. Besides the obvious SSL config items for API server (AIRFLOW__API__SSL_CERT and KEY), airflow should provide an option for a custom CA to validate these certs against and use that option on all `httpx` calls, which would allow for corporate CA signed certificates.
>
> I believe others solved it by configuring the certificates to be exactly those that webserver uses - support for it was added in this PR and apparently it's been released in 3.0.4 [#53574](https://github.com/apache/airflow/pull/53574)
>
> But if you feel like you still have problems with it and airflow **should** provide other mechanisms - feel absolutely free. You can roll up your sleeves and contribute it - and become one of the ~3500 people who not only used Airflow for absolutely free (without any guarantees if you read the licence) but also contributed back when they saw there is a need.

AIRFLOW__API__SSL_CERT could contain a file with only the server certificate, without the chain. For the CA chain we need a truststore. In that case the SSL_CERT_FILE environment should be enough, but in the case of the Airflow Client class the certifi context is created with AIRFLOW__API__SSL_CERT itself (valid for self-signed certs). That is why I think we should add an AIRFLOW__API__SSL_TRUSTSTORE environment.

For Airflow 2.x we could avoid that due to direct usage of the database by the worker - only browsers and 3rd party connections using the API have to configure it. In Airflow 3.x the worker is one of the API clients - that is why the truststore has to be defined.
