With the Raven client it is possible to specify a custom CA bundle by appending the ca_cert parameter to the DSN. This is important for use of the client with on-premise installations of Sentry that use certificates signed by a custom CA. Sadly, looking at sentry_sdk.transport._make_pool, it seems this value is now hard-coded to certifi.where(). In result, users that previously used the ca_cert parameter are forced to stay on the Raven client. Thus, it would be great if you could (re-)add this feature.
Same story, this is essentially for us.
Logger shows this:
urllib3.connectionpool DEBUG Starting new HTTPS connection (1): sentry:443
urllib3.util.retry DEBUG Incremented Retry for (url='/api/4/store/'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
urllib3.connectionpool WARNING Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),)': /api/4/store/
Same for me. The workaround we used with raven was appending the (hard to find!)
?ca_certs=/etc/ssl/certs/ca-cert-mycert.pem option to the DSN, it doesn't work now and we cannot use the new sentry sdk.
Thanks, I will discuss it with the team. Ideally we would want to align the exact semantics and naming with other SDKs
@bpereto @marcosox @theMarix is there a reason why you can't install that certificate as a globally trusted one on your machine?
In our case we do have that certificate installed globally on the machines. It will work if you simply rely on the systems libopenssl. In fact, with Raven we actually set the ca_path to the system certificate bundle: ?ca_certs=/etc/ssl/certs/ca-certificates.crt". However, the code of the SDK explicitly uses the certificate bundle from the certifi package.
Ok thanks, figured out why we do this too. Will try to come up with something.
Could somebody test if using #168 is self-explanatory enough?
This looks good to me. I fear people won't find it unless explicitly looking for it in the code, though.
@theMarix I will document it here: https://docs.sentry.io/error-reporting/configuration/?platform=javascript
Perfect, then. :)
0.5.5 has been released with this feature. Docs here: https://docs.sentry.io/error-reporting/configuration/?platform=python#ca-certs
Most helpful comment
0.5.5 has been released with this feature. Docs here: https://docs.sentry.io/error-reporting/configuration/?platform=python#ca-certs