Where does twine look for certificates?

Question

I have a personal Python repository set up with https and I'm able to upload to it using the following command:

twine upload <dist> -r <my_server> --cert <path/to/certfile>

However, I'd like to be able to upload without having to explicitly specify the CA cert location. I believe I've installed the CA cert in the correct location for my system (using How to add Certificate Authority in centos7? as guidance, and verified using wget), but I still have to call out the raw path.

How can I make twine use my alternate CA cert by default?

Answer 1

Run the following to determine where Python is looking for your CA certs:

>>> import ssl
>>> ssl.get_default_verify_paths().capath
/usr/local/etc/openssl/certs

Then put your custom cert in that directory.

Answer 2

Twine depends on Requests, which in turn relies on Certifi (https://certifi.io/, which in fact is extracted from Requests), and Certifi looks and only looks into its own, "carefully curated collection of Root Certificates", by default:

>>> import certifi

>>> certifi.where()
'/usr/local/lib/python2.7/site-packages/certifi/cacert.pem'

Which ist different from SSL.

You can either set the TWINE_CERT or REQUESTS_CA_BUNDLE environment variable to the path of your CA certs, the former will affect Twine only, the latter will affect anything that relies on Requests.