stephen-bracken commented on PR #67214:
URL: https://github.com/apache/airflow/pull/67214#issuecomment-4546333534

   > Thanks for the patch — useful feature.
   > 
   > The fallback in conf.get("api", "ssl_ca_file", fallback=…) doesn't actually fire because config.yml declares default: "" — the schema default short-circuits the fallback lookup.
   > 
   > Also
   > 
   > ```
   >     ssl_cert:
   >       description: |
   >         Paths to the SSL certificate and key for the api server. When both are
   >         provided SSL will be enabled. This does not change the api server port.
   >         The same SSL certificate will also be loaded into the worker to enable
   >         it to be trusted when a self-signed certificate is used.
   > ```
   > 
   > I believe that makes it 'work' for the worker. (ca_cert should be inside the file referenced by `ssl_cert` on the worker side.)
   > 
   > For the api-server-side, that can probably be useful.
   
   Hi Pierre, thanks for the review. The purpose of the `ssl_ca_file` is to 
load a root certificate which is not included in the certificate chain for the 
mTLS certificates, e.g. using a Certificate issued by cert-manager via the 
vault issuer creates a chain like this:
   ```
   airflow.example.com (untrusted)
   < vault PKI cert>
   < Root cert>
   ```
   If you try to use the `airflow.example.com` public and private key without the root certificate, you will get

   `httpx.ConnectError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1016)`

   on worker calls because the httpx client is loading an explicit `ssl.SSLContext` object where the system certificate store is not always trusted. To fix this I had to load the root certificate by mounting it over the `certifi.where()` location in the site packages using kubernetes. When using a non-standard trusted certificate bundle it makes sense to load that bundle into the ssl context in place of `certifi.where()`. Gunicorn and Uvicorn both support loading CA bundles already, so we just need to pass the location of the certificate file in from the config / cli options.
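The failure described in the comment above, reproduced end to end as an added example (this is not code from the PR or from Airflow). It constructs a throwaway PKI shaped like the chain in the comment (private root, an intermediate standing in for the vault PKI cert, a leaf for `airflow.example.com`), runs a loopback TLS server that presents only leaf + intermediate, the way a cert-manager `tls.crt` would, and connects twice: once with Python's default trust store, which fails with `CERTIFICATE_VERIFY_FAILED`, and once with the root loaded through `ssl.create_default_context(cafile=...)`, which is the effect an `ssl_ca_file` option would have. `make_client_context` is a hypothetical stand-in for that option, not Airflow's `conf.get` plumbing. The example needs the third-party `cryptography` package to mint the certificates; everything else is standard library.

```python
"""Why a private root has to be loaded into the client SSLContext.

Constructed PKI: private root -> intermediate ("vault PKI cert") -> leaf for
airflow.example.com. The server presents leaf + intermediate only, so a client
whose trust store lacks the root fails with CERTIFICATE_VERIFY_FAILED.
Requires the `cryptography` package for certificate generation.
"""
import datetime
import socket
import ssl
import tempfile
import threading
from pathlib import Path

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOST = "airflow.example.com"  # leaf hostname from the comment; traffic goes over loopback


def _cert(subject, issuer, signer_key, subject_key, is_ca, san=None):
    """Mint one X.509 cert; issuer/signer pairing decides where it sits in the chain."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer)
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return b.sign(signer_key, hashes.SHA256())


def build_pki(workdir: Path) -> dict:
    """Write root.pem, chain.pem (leaf + intermediate, like a cert-manager tls.crt) and key.pem."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])  # noqa: E731
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert(name("Example Root CA"), name("Example Root CA"), root_key, root_key, True)
    inter = _cert(name("Vault PKI Intermediate"), root.subject, root_key, inter_key, True)
    leaf = _cert(name(HOST), inter.subject, inter_key, leaf_key, False, san=HOST)
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)  # noqa: E731
    (workdir / "root.pem").write_bytes(pem(root))
    (workdir / "chain.pem").write_bytes(pem(leaf) + pem(inter))  # root deliberately omitted
    (workdir / "key.pem").write_bytes(leaf_key.private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
    return {k: str(workdir / f"{k}.pem") for k in ("root", "chain", "key")}


def make_client_context(ca_file=None) -> ssl.SSLContext:
    """Hypothetical ssl_ca_file handling: an explicit bundle replaces the default
    store (certifi.where() in httpx's case) instead of being appended to it."""
    if ca_file:
        return ssl.create_default_context(cafile=ca_file)
    return ssl.create_default_context()


def _serve_once(chain, key, listener):
    """Accept one TLS connection with the leaf + intermediate chain and send 'ok'."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(chain, key)
    try:
        conn, _ = listener.accept()
        conn.settimeout(5)
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"ok")
    except OSError:
        pass  # client aborted the handshake (unknown CA alert): the failure case being shown


def connect(port, ca_file):
    """Return (ok, verify_message); stands in for the worker's httpx call."""
    ctx = make_client_context(ca_file)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                return tls.recv(2) == b"ok", ""
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message  # e.g. "unable to get local issuer certificate"


def run_demo():
    """Connect without and with the private root; returns {label: (ok, verify_message)}."""
    with tempfile.TemporaryDirectory() as d:
        files = build_pki(Path(d))
        results = {}
        for label, ca in (("default_store", None), ("ssl_ca_file", files["root"])):
            listener = socket.socket()
            listener.bind(("127.0.0.1", 0))
            listener.listen(1)
            listener.settimeout(5)
            t = threading.Thread(target=_serve_once,
                                 args=(files["chain"], files["key"], listener), daemon=True)
            t.start()
            results[label] = connect(listener.getsockname()[1], ca)
            t.join(5)
            listener.close()
        return results


if __name__ == "__main__":
    for label, (ok, err) in run_demo().items():
        print(f"{label}: {'ok' if ok else 'CERTIFICATE_VERIFY_FAILED: ' + err}")
```

The `default_store` run fails at the handshake with an "issuer certificate" verify message even though the server sent the intermediate, because nothing in the context chains the intermediate up to a trusted anchor; the `ssl_ca_file` run succeeds with the same server and the same chain file, which is exactly the gap the option closes. Note that `create_default_context(cafile=...)` loads only that bundle, so a deployment that also talks to public endpoints from the same context needs the public roots included in the file.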


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
