Allow root CA bundle to be configured

[jobec]

• I have searched the issues of this repo and believe that this is not a duplicate.
  This is a duplicate of closed issue Specify SSL Cert for extra index server? #790
• I have searched the documentation and believe that my question is not covered.

Feature Request

Allow and alternate root CA bundle to be specified from CLI and in the global/project settings file. Similar to how pip does it. This is crucial in environments where direct access to pypi is blocked and when using internal pypi mirrors with certificates signed by an internal root CA. Or with SSL traffic inspecting firewalls.

https://pip.pypa.io/en/stable/reference/pip/?highlight=proxy#cmdoption-cert

Having to set an environment variable like REQUESTS_CA_BUNDLE for an underlying package is not user-friendly and expects the user to know what poetry does under the hood.

[MichalMazurek]

Hi,
It would be also nice to disable certificate checking, I'm having a lot of issues with a self-signed certificate for private PyPI repo. I can fix that, but first, it would be great to know if this will be welcomed into the project. This can be done together with adding support for the request above.

[floer32]

can you confirm/deny whether REQUESTS_CA_BUNDLE actually works?

Having to set an environment variable like REQUESTS_CA_BUNDLE for an underlying package is not user-friendly and expects the user to know what poetry does under the hood.

Arguably that's just a documentation problem.

While encapsulation can be good, requests is extremely common, so much so that most people treat it as if it's basically part of the Python stdlib. REQUESTS_CA_BUNDLE is barely more 'under the hood' of a parameter, than PYTHONUNBUFFERED or other python-official features. So really as long as it is documented and guaranteed that requests is used, that could be enough for immediate future.

---

The bigger question, I think, is whether/how-much to expose Pip directly through Poetry.

i.e. In pytest there is the env var, PYTEST_ADDOPTS and it appends flags to any pytest invocation. there could be POETRY_PIP_ADDOPTS etc. maybe. Or instead of an env var it could be something in config; with pytest as example again, it has pytest_addopts = ... supported from its config file (.ini in that case, similar to .toml). https://docs.pytest.org/en/latest/customize.html#adding-default-options Of course it won't be exactly like pytest, it's just a worthwhile example to consider.

this under-the-hood-config question is kinda relevant to #558 (though there it is about pip wheel and --find-links configs, rather than something to do with requests or CA bundles)

---

maybe this relates to what #697 is getting at too... just generally how much to connect Poetry's high-level view to the lower-level nuts and bolts of the tools involved. vs. how much to have known-good ways to "break out" of the typical paths to customize for your needs... while remaining compatible with Poetry

[jobec]

Yes, using REQUESTS_CA_BUNDLE works.

I don’t think it’s a documentation issue though. Having to set an environment variable while there is the “poetry config” command is counter intuitive.

[drunkwcodes]

Maybe adding requests library in system requirements will make sense.

Rather than include requests config in poetry configuration, having a script to set env vars in the project sounds better.

[jobec]

From a UX point of view this isn't true. People use poetry. They shouldn't care about what's underneath.

A lot of tools use this approach (configuration options for the tool, not it's libraries)
Npm, pip, git, vagrant, ... and even requests passes some of it's config on to urllib.

[drunkwcodes]

@jobec You are probably right. It should be handled by poetry.

What I considered about is the inconsistency between the env vars and the poetry CA config.
The setting is used by custom certificate users but the majority poetry users only query PyPI.
The setting will be often overlooked and outdated, more of a concern rather than a degree of freedom.

Placing it in env vars is fine. And we can choose handling it by python or the shell. Temporary or not.
https://stackoverflow.com/questions/47285018/how-to-set-environment-variables-using-python-in-windows-linux

[kmray]

I just ran into this issue and the solution of setting REQUESTS_CA_BUNDLE will be extremely inconvenient.

We are currently using two private repositories: an internal one with a corporate certificate and a SaaS hosted one with a public certificate. If I set the REQUESTS_CA_BUNDLE to the corporate certificate, the SaaS won't work and if I set it to the regular bundle, the private one won't work.

A workaround would be to create a hybrid bundle with both in it and I could manage this on the builds but this would also require that all users set the variable to the hybrid bundle when working on the repo. Having a "cert = " field in source would solve this problem on a per source basis.

[drunkwcodes]

@kmray Is the project public to outer space?

There is no need to add field if hybrid bundle is usable to all project members.

[Caligatio]

I'm forgetting if GitHub emails people on cross ticket mentions but I have a PR, #1325, that addresses this request. The developers said in Discord that they're ranking PRs by number of votes so please +1 the PR :)

[stale]

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.