From 0539aed2fe8b94d6b84e6e5fa4eb48d5d6633bc7 Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez <baptiste.jonglez@inria.fr>
Date: Fri, 6 May 2022 11:48:34 +0200
Subject: [PATCH] Load system CA bundle by default to solve SSL errors inside
 Grid'5000

---
 grid5000/__init__.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/grid5000/__init__.py b/grid5000/__init__.py
index 8850e50..0dff2ec 100644
--- a/grid5000/__init__.py
+++ b/grid5000/__init__.py
@@ -19,6 +19,7 @@ from .__version__ import __version__
 logger = logging.getLogger(__name__)
 
 DEFAULT_BASE_URL = "https://api.grid5000.fr/stable"
+DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
 USER_AGENT = "python-grid5000 %s" % __version__
 
 
@@ -61,7 +62,7 @@ class Grid5000(object):
         uri=DEFAULT_BASE_URL,
         username=None,
         password=None,
-        verify_ssl=True,
+        verify_ssl=None,
         timeout=None,
         session=None,
         sslcert=None,
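Review bot: With the default now `verify_ssl=None`, the parameter carries four distinct meanings (`None` = system bundle if present, else certifi; `True` = certifi; `False` = verification disabled; a path = custom bundle), and the constructor docstring should spell them out. The signature and docstring are only partly visible in this hunk. Any other constructor or config loader in this file that fills in `True` as its own default would never reach the new system-bundle branch, so those defaults should be checked and switched to `None` too; that cannot be confirmed from the lines shown.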
@@ -74,6 +75,18 @@ class Grid5000(object):
         self.username = username
         self.password = password
         self.verify_ssl = verify_ssl
+        if self.verify_ssl is None:
+            # By default, requests ignores trusted CA from the system
+            # (it uses certifi instead).
+            # On Grid'5000 frontend and nodes, it is necessary to use the
+            # system CA bundle, because it includes the root Grid'5000 CA
+            # allowing to validate the internal API certificate.
+            ca_bundle = Path(DEFAULT_CA_BUNDLE)
+            if ca_bundle.exists():
+                self.verify_ssl = ca_bundle
+            else:
+                # As a last resort, use certifi
+                self.verify_ssl = True
 
         self.client_ssl = False
         self.client_cert = None
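Review bot: Assigning an explicit bundle path in the `if ca_bundle.exists():` branch stops requests from consulting `REQUESTS_CA_BUNDLE` / `CURL_CA_BUNDLE`, which it reads only when `verify` is `True` or `None`, so a user who points those variables at a private CA is silently overridden on any host that has the system bundle. Consider guarding the branch, e.g. `if ca_bundle.exists() and not (os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("CURL_CA_BUNDLE")):` (assuming `os` is imported; the import block is outside the hunk). The stored value is a `pathlib.Path`, while requests documents `verify` as a bool or a string path, so `self.verify_ssl = str(ca_bundle)` is the safer assignment. The trust anchors also change for every `uri`, not only the internal API; the comment should say so, and note that `DEFAULT_CA_BUNDLE` is the Debian-style location. `__init__` starts and ends outside this hunk.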
-- 
GitLab