LNCD

Admin » UPMC Certificates

Differences

This shows you the differences between two versions of the page.

tools:certificates [2024/02/05 13:04] – [UPMC Certificates] willtools:certificates [2025/05/23 16:17] (current) – [Python] will
Line 15: Line 15:
   - Click ''View Certificates...''   - Click ''View Certificates...''
   - ''Authorities'' and ''Import''   - ''Authorities'' and ''Import''
 +
 +===== Containers =====
 +
 +For some docker and singularity containers, you can bind mount [[:admin:it:rhea]]'s certificates (allows UPMC root cert) to the containers. Additionally, for python tools using the request library ([[:tools:fmriprep]], [[:tools:xcpd]]), set ''REQUESTS_CA_BUNDLE'' to use those certs within python too (see [[#python]]).
 +
 +In docker, that looks like
 +<code=bash>
 +docker run \
 + -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
 + -e REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \
 + ...
 +</code> 
 +
  
 ===== Terminal ===== ===== Terminal =====
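
Review bot: In the new Containers section, the ''-v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro'' line assumes the image reads its CA bundle from the Debian/Ubuntu path. Images built on other distributions keep their bundle elsewhere, so system tools in those containers would not pick up the UPMC root, and ''REQUESTS_CA_BUNDLE'' only helps code that goes through ''requests''. Suggest stating that assumption next to the example, and noting that the mount replaces the image's own bundle with rhea's. The paragraph also names docker and singularity but shows only the docker form, and "request library" should read ''requests'' to match the Python section.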
Line 21: Line 34:
 To allow UPMC's cert in the SSL chain on debian, run: To allow UPMC's cert in the SSL chain on debian, run:
 <code> <code>
-  # as root +# as root 
-  cd /usr/local/share/ca-certificates/ +[ $(id -u) -ne 0 ] && echo "with sudo" && exit 1 
-  cert_loc=http://upmccrl.upmc.com/CDP/ + 
-  for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA; do +cd /usr/local/share/ca-certificates/ 
-     wget "$cert_loc/$crt.crt" -O "$crt.crt-der" +cert_loc=https://upmccrl.upmc.com/cdp 
-     # added 20230707 +# 20250313 - added "UPMC ROOT CA 2023" via Nathan Safran 
-     openssl x509 -in $crt.crt-der -out $crt.crt -outform PEM +for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA "UPMC ROOT CA 2023"; do 
-  done +   ! wget "$cert_loc/$crt.crt" -O "$crt.crt-der" && echo "ERROR: cannot get '$crt'" && continue 
-  update-ca-certificates+   # added 20230707 
 +   openssl x509 -in "$crt.crt-der" -out "$crt.crt" -outform PEM 
 +done 
 +update-ca-certificates
 </code> </code>
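
Review bot: The loop installs whatever ''wget'' returns as a trusted root: nothing between the download and ''update-ca-certificates'' checks that each file is the expected certificate. Suggest printing ''openssl x509 -noout -fingerprint -sha256'' for each converted cert and comparing it with a fingerprint obtained out of band before ''update-ca-certificates'' runs. The ''openssl x509 -in "$crt.crt-der"'' line also has no ''-inform DER'' and no exit-status check, so on OpenSSL versions that default to PEM input a DER download fails to convert while the script still goes on to ''update-ca-certificates''. The ''cd'' is unchecked as well, so a missing directory would leave the downloads in the current directory.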
  
Line 62: Line 78:
 ==== Python ==== ==== Python ====
  
-newer ''urllib3'' may also cause problems with legacy certs. (UNCONFIRMED 20240117)+For python tools that internally use the ''requests'' library ([[:tools:fmriprep]], [[:tools:qsiprep]], [[:tools:xcpd]], [[:tools:templateflow]]), we can force the python to use the system's certificates: 
 +<code> 
 +export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt 
 +</code> 
 + 
 + 
 +=== venv/cirtifi === 
 +For python virtual environments, you may also want to manually append certificates to ''cacert.pem'' bundled with ''certifi'' 
 +<code> 
 +pycert=$(python -c 'import certifi,os; print(os.readlink(os.path.dirname(certifi.__file__)+"/cacert.pem"))') 
 + 
 +cat $newcert_pem >> $pycert 
 +</code> 
 + 
 +(Will note: ''cirtifi'' munged also useful for [[:tools:mitmproxy]]) 
 + 
 +=== urllib === 
 + 
 +Newer ''urllib3'' may also cause problems with legacy certs. (UNCONFIRMED 20240117)
 <code> <code>
 pip install urllib3==1.26.12 pip install urllib3==1.26.12
 </code> </code>
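
Review bot: In the venv/certifi snippet, ''os.readlink(...)'' raises ''OSError'' when ''cacert.pem'' is a regular file rather than a symlink, which is the usual case for a pip-installed ''certifi''. ''certifi.where()'' returns the bundle path directly, or the path can be wrapped in ''os.path.realpath''. ''$newcert_pem'' is never defined in the snippet, and both variables on the ''cat'' line are unquoted. The heading and the note below it spell the package "cirtifi"; it should be ''certifi''. It is also worth saying that the appended certs are lost whenever ''certifi'' is upgraded or reinstalled in the venv, which the ''REQUESTS_CA_BUNDLE'' approach above avoids.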