Hi, we're using the Python API in a Windows env, where corporate CAs are deployed through the Windows cert store.
IIUC there is no built-in way to handle (what I assume is) this very common scenario.
When no `ca_certs` arg or `SHOTGUN_API_CACERTS` is set, the API falls back to using its certifi CA bundle via `Shotgun._get_certs_file()`.
We've worked around this locally by monkeypatching the vendored `httplib2`, but obviously this is not ideal. We also considered dumping out the OS store to a file on initialization and pointing to that - again, not ideal.
Would there be any issue with:
- Allowing `_get_certs_file()` to return `None` on Windows (and possibly macOS) when there is no CA file specified, either via init or `SHOTGUN_API_CACERTS`
- Updating the vendored `httplib2` so `ca_certs=None` uses `ssl.create_default_context()`?
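
The fallback proposed in the post, sketched as an added example (not code from the API or its vendored `httplib2`). `resolve_ca_file`, `build_ssl_context` and `describe_trust` are hypothetical names, and the lookup order (init argument, then `SHOTGUN_API_CACERTS`, then `None`) is an assumption taken from the post's description.

```python
import os
import ssl

ENV_VAR = "SHOTGUN_API_CACERTS"  # environment variable named in the post


def resolve_ca_file(ca_certs=None, environ=None):
    """Hypothetical lookup: init argument, then env var, then None.

    Returning None (instead of a bundled certifi path) is the signal to
    use the operating system's trust store.
    """
    environ = os.environ if environ is None else environ
    # Treat an empty string the same as "not set"
    return ca_certs or environ.get(ENV_VAR) or None


def build_ssl_context(ca_file=None):
    """Build a verifying client context for the resolved CA source.

    With ca_file=None, ssl.create_default_context() calls
    load_default_certs(), which on Windows reads the system CA and ROOT
    certificate stores, so corporate CAs deployed there are trusted.
    """
    if ca_file is not None and not os.path.isfile(ca_file):
        # Fail closed: a mistyped path must not silently change which CAs are trusted
        raise FileNotFoundError(f"CA bundle not found: {ca_file}")
    ctx = ssl.create_default_context(cafile=ca_file)
    # Already the defaults for this purpose; set explicitly so later
    # refactoring cannot weaken verification without it being visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_trust(ctx, ca_file):
    """Summarize where trust anchors came from, for startup logging."""
    source = ca_file if ca_file else "OS default trust store"
    return {"source": source, "stats": ctx.cert_store_stats()}


if __name__ == "__main__":
    path = resolve_ca_file()
    print(describe_trust(build_ssl_context(path), path))
```
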