Load system CA bundle by default to solve SSL errors inside Grid'5000

grid5000/__init__.py

@@ -19,6 +19,7 @@ from .__version__ import __version__
 logger = logging.getLogger(__name__)
 
 DEFAULT_BASE_URL = "https://api.grid5000.fr/stable"
+DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
 USER_AGENT = "python-grid5000 %s" % __version__
 
 
@@ -61,7 +62,7 @@ class Grid5000(object):
         uri=DEFAULT_BASE_URL,
         username=None,
         password=None,
-        verify_ssl=True,
+        verify_ssl=None,
         timeout=None,
         session=None,
         sslcert=None,
@@ -74,6 +75,18 @@ class Grid5000(object):
         self.username = username
         self.password = password
         self.verify_ssl = verify_ssl
+        if self.verify_ssl is None:
+            # By default, requests ignores trusted CA from the system
+            # (it uses certifi instead).
+            # On Grid'5000 frontend and nodes, it is necessary to use the
+            # system CA bundle, because it includes the root Grid'5000 CA
+            # allowing to validate the internal API certificate.
+            ca_bundle = Path(DEFAULT_CA_BUNDLE)
+            if ca_bundle.exists():
+                self.verify_ssl = ca_bundle
+            else:
+                # As a last resort, use certifi
+                self.verify_ssl = True
 
         self.client_ssl = False
         self.client_cert = None