Certifi overrides system CA config on RHEL/CentOS #859

Open
vinzent opened this issue Jun 27, 2019 · 13 comments
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@vinzent
vinzent commented Jun 27, 2019

For RHEL/CentOS users, using certifi like here https://github.com/kubernetes-client/python/blob/master/kubernetes/client/rest.py#L77 will forcefully override the system-provided CA configuration and reset it to the Mozilla CA PEM, missing any internal CA certs and thus failing with CERTIFICATE_VERIFY_FAILED errors.

See also: openshift/openshift-restclient-python#198

@fejta-bot
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 25, 2019
@fejta-bot
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 25, 2019
@sector2000
/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Nov 13, 2019
@sector2000
This issue is still unresolved in the latest version, 10.0.1.

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 11, 2020
@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 12, 2020
@palnabarun
Member

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Mar 25, 2020
@palnabarun
Member

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Mar 25, 2020
@palnabarun
Member

/assign

@palnabarun
Member

Related: #1131

@0xf10413
0xf10413 commented Sep 7, 2021

Hi, we just hit this issue today and I was very surprised when I read the code.
Basically, if the CA isn't explicitly set in kubeconfig, it will use an internal bundle of certificates.

That's a very surprising behaviour to me, and it seems contrary to what the openshift oc client is doing.
Would it be possible to at least introduce an environment variable to override this feature and default to the OS's CA?

(not necessarily like #1131, rather, something that leaves the CA configuration unset so that it defaults to the OS's)

EDIT: I just saw on #1276 that this file is automatically generated… would you consider a patch?
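
An added example, not part of the thread and not the client's own code: one way for an application to keep an explicitly configured CA, prefer the OS trust store next, and use a bundled list (such as the path `certifi.where()` returns) only as a last resort. The function names and the list of distro paths are assumptions made for illustration; the chosen path would be assigned to the client configuration's `ssl_ca_cert`.

```python
import os
import ssl

# Distro trust-bundle paths (assumption: standard locations, RHEL/CentOS first).
KNOWN_SYSTEM_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL / CentOS / Fedora
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
)


def system_ca_bundle(candidates=KNOWN_SYSTEM_BUNDLES):
    """Return the OS trust bundle path, or None if none can be found.

    ssl.get_default_verify_paths().cafile is OpenSSL's default CA file
    (honouring SSL_CERT_FILE) when that file exists, otherwise None.
    """
    default = ssl.get_default_verify_paths().cafile
    for path in (default, *candidates):
        if path and os.path.isfile(path):
            return path
    return None


def resolve_ca_bundle(explicit_ca, bundled_ca, candidates=KNOWN_SYSTEM_BUNDLES):
    """Pick the CA file used to verify the API server.

    Order: CA set explicitly (e.g. from kubeconfig), then the OS bundle,
    and only then the bundled Mozilla list. Returns (path, source) so the
    decision can be logged when CERTIFICATE_VERIFY_FAILED is being debugged.
    """
    if explicit_ca:
        # Fail loudly instead of silently trusting a different CA set.
        if not os.path.isfile(explicit_ca):
            raise FileNotFoundError(f"configured CA file missing: {explicit_ca}")
        return explicit_ca, "explicit"
    system = system_ca_bundle(candidates)
    if system:
        return system, "system"
    return bundled_ca, "bundled"


# Hypothetical use with the client (not executed here):
#   cfg = kubernetes.client.Configuration()
#   cfg.ssl_ca_cert, source = resolve_ca_bundle(cfg.ssl_ca_cert, certifi.where())
```
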

@0xf10413
0xf10413 commented Sep 9, 2021

Hi again, after digging a bit more, it looks like the project you use for generating your files has actually fixed this issue:
OpenAPITools/openapi-generator#8108

According to the sidebar, it is part of version 5.0.0.
It seems that you are on version 4.3.0.

Is there any plan to upgrade that?

@palnabarun
Member

@0xf10413 -- Created #1589 to update the OpenAPI Generator used for generating the client.
