Re: [Pulp-list] Custom list of CA certificates for pulp-cli
Yes, it works. Thank you!
пт, 26 нояб. 2021 г. в 20:59, Matthias Dellweg :
> Can you please verify that this change solves your problem:
> https://github.com/pulp/pulp-cli/pull/434
>
> Thank you!
>
> On Fri, Nov 26, 2021 at 6:09 PM Konstantin M. Khankin
> wrote:
> >
> > Hello!
> >
> > Today I got unpleasantly surprised about the inability to change the
> list of CA certificates pulp-cli uses to verify SSL connections. Pulp-cli
> uses the requests library, so I expected to be able to just specify
> REQUESTS_CA_BUNDLE envvar and be happy. However, this did not work. So I
> added some print_tb() here and there and saw this:
> >
> > ...
> > File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/python/content.py",
> line 88, in upload
> > artifact_href = PulpArtifactContext(pulp_ctx).upload(file,
> chunk_size)
> > File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/core/context.py", line
> 43, in upload
> > result = self.list(limit=1, offset=0, parameters={"sha256":
> sha256_digest})
> > File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py",
> line 436, in list
> > result: Dict[str, Any] = self.pulp_ctx.call(self.LIST_ID,
> parameters=payload)
> > File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py",
> line 134, in call
> > result = self.api.call(operation_id, *args, **kwargs)
> > File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/openapi.py",
> line 263, in call
> > response: requests.Response = self._session.send(request)
> > File "/usr/local/lib/python3.6/site-packages/requests/sessions.py",
> line 657, in send
> > r = adapter.send(request, **kwargs)
> > File "/usr/local/lib/python3.6/site-packages/requests/adapters.py",
> line 420, in send
> > self.cert_verify(conn, request.url, verify, cert)
> > ...
> >
> > pulpcore/cli/common/openapi.py calls requests.Session.send(). This
> works, but it means merge_environment_settings is not called, because it is
> in request() (which later calls send()). This means envvar is not applied.
> >
> > I tried to abuse Python's dynamic typing and change the value of the
> verify_ssl flag to what I'd put into the envvar, but click is smart enough
> to catch this :(
> >
> > I found the FR to support custom CA certificates. It may be that this FR
> is as easy as changing send() to request(), allowing users to use an
> already existing mechanism from the requests library.
> >
> > Is there something which I missed?
> >
> > Thanks!
> >
> > --
> > Konstantin Khankin
> > ___
> > Pulp-list mailing list
> > [email protected]
> > https://listman.redhat.com/mailman/listinfo/pulp-list
>
>
--
Ханкин Константин
___
Pulp-list mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/pulp-list
Re: [Pulp-list] Custom list of CA certificates for pulp-cli
Can you please verify that this change solves your problem:
https://github.com/pulp/pulp-cli/pull/434
Thank you!
On Fri, Nov 26, 2021 at 6:09 PM Konstantin M. Khankin
wrote:
>
> Hello!
>
> Today I got unpleasantly surprised about the inability to change the list of
> CA certificates pulp-cli uses to verify SSL connections. Pulp-cli uses the
> requests library, so I expected to be able to just specify REQUESTS_CA_BUNDLE
> envvar and be happy. However, this did not work. So I added some print_tb()
> here and there and saw this:
>
> ...
> File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/python/content.py", line
> 88, in upload
> artifact_href = PulpArtifactContext(pulp_ctx).upload(file, chunk_size)
> File "/usr/local/lib/python3.6/site-packages/pulpcore/cli/core/context.py",
> line 43, in upload
> result = self.list(limit=1, offset=0, parameters={"sha256":
> sha256_digest})
> File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py", line
> 436, in list
> result: Dict[str, Any] = self.pulp_ctx.call(self.LIST_ID,
> parameters=payload)
> File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py", line
> 134, in call
> result = self.api.call(operation_id, *args, **kwargs)
> File
> "/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/openapi.py", line
> 263, in call
> response: requests.Response = self._session.send(request)
> File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line
> 657, in send
> r = adapter.send(request, **kwargs)
> File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line
> 420, in send
> self.cert_verify(conn, request.url, verify, cert)
> ...
>
> pulpcore/cli/common/openapi.py calls requests.Session.send(). This works, but
> it means merge_environment_settings is not called, because it is in request()
> (which later calls send()). This means envvar is not applied.
>
> I tried to abuse Python's dynamic typing and change the value of the
> verify_ssl flag to what I'd put into the envvar, but click is smart enough to
> catch this :(
>
> I found the FR to support custom CA certificates. It may be that this FR is
> as easy as changing send() to request(), allowing users to use an already
> existing mechanism from the requests library.
>
> Is there something which I missed?
>
> Thanks!
>
> --
> Konstantin Khankin
> ___
> Pulp-list mailing list
> [email protected]
> https://listman.redhat.com/mailman/listinfo/pulp-list
___
Pulp-list mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/pulp-list
[Pulp-list] Custom list of CA certificates for pulp-cli
Hello!
Today I got unpleasantly surprised about the inability to change the list
of CA certificates pulp-cli uses to verify SSL connections. Pulp-cli uses
the requests library, so I expected to be able to just
specify REQUESTS_CA_BUNDLE envvar and be happy. However, this did not work.
So I added some print_tb() here and there and saw this:
...
File
"/usr/local/lib/python3.6/site-packages/pulpcore/cli/python/content.py",
line 88, in upload
artifact_href = PulpArtifactContext(pulp_ctx).upload(file, chunk_size)
File
"/usr/local/lib/python3.6/site-packages/pulpcore/cli/core/context.py", line
43, in upload
result = self.list(limit=1, offset=0, parameters={"sha256":
sha256_digest})
File
"/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py",
line 436, in list
result: Dict[str, Any] = self.pulp_ctx.call(self.LIST_ID,
parameters=payload)
File
"/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/context.py",
line 134, in call
result = self.api.call(operation_id, *args, **kwargs)
File
"/usr/local/lib/python3.6/site-packages/pulpcore/cli/common/openapi.py",
line 263, in call
response: requests.Response = self._session.send(request)
File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line
657, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line
420, in send
self.cert_verify(conn, request.url, verify, cert)
...
pulpcore/cli/common/openapi.py
calls requests.Session.send
().
This works, but it means merge_environment_settings
is
not called, because it is in request() (which later calls send()). This
means envvar is not applied.
I tried to abuse Python's dynamic typing and change the value of the
verify_ssl flag to what I'd put into the envvar, but click is smart enough
to catch this :(
I found the FR to support
custom CA certificates. It may be that this FR is as easy as changing
send() to request(), allowing users to use an already existing mechanism
from the requests library.
Is there something which I missed?
Thanks!
--
Konstantin Khankin
___
Pulp-list mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/pulp-list
