The SDK currently exposes a ca_certs variable that allows setting the certificate bundle file for HTTPS cert verification within the SDK itself (for certs presented by the Sentry server) - this is useful for corporate proxies doing HTTPS hijacking or self-hosted instances with certs issued under internal CAs. Unfortunately, this requires modifying the Sentry SDK integration to point to the required CA bundle file.
Requests uses the REQUESTS_CA_BUNDLE environment variable to point at a certificate bundle with no code modification. Lots of software, including python-httpx, supports the SSL_CERT_FILE env var to do the same thing.
Solution Brainstorm
If ca_certs is not set, the SDK could evaluate SSL_CERT_FILE and/or REQUESTS_CA_BUNDLE variables for a CA bundle path, before falling back to Certifi (which ships an embedded Mozilla CA bundle file).
I'd like to send a PR to add this, but wanted to ask if this is something you'd accept first.
Many libraries use the SSL_CERT_FILE environment variable to point at a
CA bundle to use for HTTPS certificate verification. This is often used
in corporate environments with internal CAs or HTTPS hijacking proxies,
where the Sentry server presents a certificate not signed by one of the
CAs bundled with Certifi. Additionally, Requests, Python's most popular
HTTP client library, uses the REQUESTS_CA_BUNDLE variable instead.
Use the SSL_CERT_FILE or REQUESTS_CA_BUNDLE vars if present to set the
default CA bundle.
Fixes getsentry GH-3158
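One way to implement the lookup order proposed in this issue, as an added example that is not the SDK's code or the code from the PR. The function names `resolve_ca_bundle` and `build_context` are hypothetical, checking `SSL_CERT_FILE` before `REQUESTS_CA_BUNDLE` is an assumed order (the issue says "and/or"), and raising on a configured-but-missing file is this example's choice.

```python
import os
import ssl

# Assumed precedence between the two variables; the issue leaves it open.
ENV_VARS = ("SSL_CERT_FILE", "REQUESTS_CA_BUNDLE")


def resolve_ca_bundle(ca_certs=None, environ=None):
    """Return (path, source) for the CA bundle used to verify the server.

    Order: explicit ca_certs, then the environment variables, then Certifi.
    A variable that is set but points at a missing file raises, so a typo
    does not silently switch verification to a different trust store.
    """
    environ = os.environ if environ is None else environ
    if ca_certs:
        return ca_certs, "ca_certs"
    for name in ENV_VARS:
        path = environ.get(name, "").strip()
        if not path:
            continue  # unset or empty: treat as not configured
        if not os.path.isfile(path):
            raise FileNotFoundError(f"{name} points at missing file: {path}")
        return path, name
    try:
        import certifi
    except ImportError:
        return None, "system"  # no Certifi installed: use platform defaults
    return certifi.where(), "certifi"


def build_context(ca_certs=None, environ=None):
    """Build a verifying TLS context from the resolved bundle."""
    path, source = resolve_ca_bundle(ca_certs, environ)
    # cafile=None makes ssl load the platform's default trust store.
    ctx = ssl.create_default_context(cafile=path)
    return ctx, source


if __name__ == "__main__":
    # Shows which source wins in the current environment.
    print(resolve_ca_bundle())
```

Returning the source alongside the path lets the caller log which trust store is in effect, which helps when debugging verification failures behind an intercepting proxy.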