PYTHON - Determine CA cert file in use

From PedroWiki

Introduction

In some cases (for example, when your firewalls perform deep inspection and use an internal PKI certificate to re-encrypt flows), any SSL access made by a Python application may fail with errors such as:

root@mymachine:~# ansible-galaxy collection init
usage: ansible-galaxy collection init [-h] [-s API_SERVER] [--api-key API_KEY] [-c] [-v] [-f]
                                      [--init-path INIT_PATH]
                                      [--collection-skeleton COLLECTION_SKELETON]
                                      collection_name
ansible-galaxy collection init: error: the following arguments are required: collection_name
root@mymachine:~# ansible-galaxy collection install azure.azcollection
Process install dependency map
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)>

How to check which CA file is in use?

Open a Python console:

root@man-jpe:~# python3
Python 3.8.10 (default, Nov 14 2022, 12:59:47)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

Import certifi and request the file in use:

>>> import certifi
>>> certifi.where()
'/etc/ssl/certs/ca-certificates.crt'
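
certifi.where() reports the bundle used by certifi-based clients such as requests; the standard ssl module and a few environment variables can point somewhere else. The script below is an added example, not part of the original page: it lists each of those sources and, given the path to your internal CA in PEM format, reports which bundles do not contain it. The function names and output labels are chosen for this example.

```python
import base64, hashlib, os, re, ssl, sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate block in a PEM bundle."""
    return {hashlib.sha256(base64.b64decode("".join(b.split()))).hexdigest()
            for b in PEM_RE.findall(pem_text)}

def ca_sources(env=None):
    """Map each place a Python HTTPS client may take its CA file from to a path."""
    env = os.environ if env is None else env
    paths = ssl.get_default_verify_paths()  # reads the real process environment
    found = {"ssl default cafile": paths.cafile,
             "ssl compiled-in cafile": paths.openssl_cafile}
    for var in ("SSL_CERT_FILE", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        found["env " + var] = env.get(var)
    try:
        import certifi
        found["certifi.where()"] = certifi.where()
    except ImportError:
        found["certifi.where()"] = None  # certifi not installed
    return found

def bundles_missing_ca(ca_pem_path, sources):
    """Names of the sources whose bundle file lacks the CA in ca_pem_path."""
    with open(ca_pem_path) as f:
        wanted = fingerprints(f.read())
    if not wanted:
        raise ValueError("no PEM certificate found in " + ca_pem_path)
    missing = []
    for name, path in sources.items():
        if not path or not os.path.isfile(path):
            continue  # unset or nonexistent: nothing to compare
        with open(path, errors="replace") as f:
            if not wanted <= fingerprints(f.read()):
                missing.append(name)
    return missing

if __name__ == "__main__":
    sources = ca_sources()
    for name, path in sources.items():
        print(f"{name:26} {path}")
    if len(sys.argv) > 1:  # optional argument: path to the internal CA (PEM)
        print("CA missing from:", bundles_missing_ca(sys.argv[1], sources))
```

Run it as the same user and in the same virtualenv as the failing application, since the environment variables and the installed certifi can differ between them.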