Sentry-python: Support for custom CA bundles

Created on 8 Nov 2018  路  11Comments  路  Source: getsentry/sentry-python

With the Raven client it is possible to specify a custom CA bundle by appending the ca_cert parameter to the DSN. This is important for use of the client with on-premise installations of Sentry that use certificates signed by a custom CA. Sadly, looking at sentry_sdk.transport._make_pool, it seems this value is now hard-coded to certifi.where(). In result, users that previously used the ca_cert parameter are forced to stay on the Raven client. Thus, it would be great if you could (re-)add this feature.

enhancement

Most helpful comment

0.5.5 has been released with this feature. Docs here: https://docs.sentry.io/error-reporting/configuration/?platform=python#ca-certs

All 11 comments

Same story, this is essentially for us.

Logger shows this:

urllib3.connectionpool DEBUG    Starting new HTTPS connection (1): sentry:443
urllib3.util.retry DEBUG    Incremented Retry for (url='/api/4/store/'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
urllib3.connectionpool WARNING  Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),)': /api/4/store/

Same for me. The workaround we used with raven was appending the (hard to find!)
?ca_certs=/etc/ssl/certs/ca-cert-mycert.pem option to the DSN, it doesn't work now and we cannot use the new sentry sdk.

Thanks, I will discuss it with the team. Ideally we would want to align the exact semantics and naming with other SDKs

@bpereto @marcosox @theMarix is there a reason why you can't install that certificate as a globally trusted one on your machine?

In our case we do have that certificate installed globally on the machines. It will work if you simply rely on the systems libopenssl. In fact, with Raven we actually set the ca_path to the system certificate bundle: ?ca_certs=/etc/ssl/certs/ca-certificates.crt". However, the code of the SDK explicitly uses the certificate bundle from the certifi package.

Ok thanks, figured out why we do this too. Will try to come up with something.

Could somebody test if using #168 is self-explanatory enough?

This looks good to me. I fear people won't find it unless explicitly looking for it in the code, though.

Perfect, then. :)

0.5.5 has been released with this feature. Docs here: https://docs.sentry.io/error-reporting/configuration/?platform=python#ca-certs

Was this page helpful?
0 / 5 - 0 ratings

Related issues

lucas03 picture lucas03  路  3Comments

CasperCL picture CasperCL  路  7Comments

hyperknot picture hyperknot  路  4Comments

zegerius picture zegerius  路  4Comments

amureki picture amureki  路  6Comments