Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[windows][requests] Bundle default CA certs of requests #2098

Merged
merged 1 commit into from
Nov 21, 2015
Merged

[windows][requests] Bundle default CA certs of requests #2098

merged 1 commit into from
Nov 21, 2015

Conversation

olivielpeau
Copy link
Member

py2exe only includes the python files of the python packages in the
library zipped file. This causes the requests library to be shipped
without CA certs, so all the https requests made with it fail (unless
SSL cert validation is explicitely disabled).

This fixes the issue by:

  1. shipping the default certificates of requests with the Windows
    agent as an extra data file
  2. overriding the path to the default CA bundle that requests uses
    (which is done in quite an ugly way, but I haven't found any better
    way)

Notes:

  • we already ship CA certs for tornado, but to be as close as possible to the agent's behavior on other platforms I've used the default CA certs provided by requests/certifi
  • this doesn't fix SSL cert validation on the http_check on Windows, because the check uses default paths that are only valid on unix platforms: see

    dd-agent/checks.d/http_check.py

    Lines 127 to 131 in 8fed4c9

    CA_CERTS = [
    '/opt/datadog-agent/embedded/ssl/certs/cacert.pem',
    os.path.join(os.path.dirname(tornado.__file__), 'ca-certificates.crt'),
    '/etc/ssl/certs/ca-certificates.crt',
    ]
    (unless the user sets a valid path in the check's config)

@olivielpeau
[windows][requests] Bundle default CA certs of requests
ae08a75 
py2exe only includes the python files of the python packages in the
`library` zipped file. This causes the `requests` library to be shipped
without CA certs, so all the https requests made with it fail (unless
SSL cert validation is explicitely disabled).

This fixes the issue by:
1. shipping the default certificates of `requests` with the Windows
agent as an extra data file
2. overriding the path to the default CA bundle that `requests` uses
(which is done in quite an ugly way, but I haven't found any better
way)

[skip ci]
@olivielpeau olivielpeau added this to the 5.6.3 milestone Nov 20, 2015
@remh
Copy link

remh commented Nov 21, 2015

Thanks for doing this!

remh pushed a commit that referenced this pull request Nov 21, 2015
Merge pull request #2098 from DataDog/olivielpeau/windows-requests-ca…
7a40131 
…-bundle

[windows][requests] Bundle default CA certs of `requests`
@remh remh merged commit 7a40131 into master Nov 21, 2015
@olivielpeau olivielpeau deleted the olivielpeau/windows-requests-ca-bundle branch December 4, 2015 17:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bugfix windows
Projects
None yet
Milestone
5.6.3
Development

Successfully merging this pull request may close these issues.
2 participants
@olivielpeau @remh