Changeset 012af22

12/01/2022 08:18:33 PM (19 months ago)
Ken Moffat <ken@…>
11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, xry111/llvm18, xry111/xf86-video-removal

Explain how to use system certificates with python3.

2 edited


  • introduction/welcome/changelog.xml

    r5a8c6008 r012af22  
    4040    -->
    4141    <listitem>
     42      <para>December 1st, 2022</para>
     43      <itemizedlist>
     44        <listitem>
     45          <para>[ken] - Add page explaining how to use the system CA
     46          Certificates with the vendored Python pip installed in LFS. Fixes
     47          <ulink url="&blfs-ticket-root;17354">#17354</ulink>.</para>
     48        </listitem>
     49      </itemizedlist>
     50    </listitem>
     52    <listitem>
    4253      <para>November 30th, 2022</para>
    4354      <itemizedlist>
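
Review bot: The entry at new lines 45-47 says "Add page", but the accompanying change to postlfs/security/make-ca.xml adds a `<sect2 id="make-ca-python">` inside the existing make-ca page, not a new page. Suggest wording such as "Add a section to the make-ca page explaining how to use the system CA certificates with the pip vendored in LFS's Python", so that readers following the changelog look in the right place.
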
  • postlfs/security/make-ca.xml

    r5a8c6008 r012af22  
    275275  </sect2>
     277  <sect2 role="configuration" id="make-ca-python">
     278    <title>Using make-ca with Python3</title>
     280    <para>
     281      When <application>Python3</application> was installed in LFS it included
     282      the <application>pip3</application> module with vendored certificates
     283      from the <application>Certifi</application> module. That was necessary,
     284      but it means that whenever <command>pip3</command> is used it can reference
     285      those certificates, primarily when creating a virtual environment or when
     286      installing a module with all its wheel dependencies in one go.
     287    </para>
     289    <para>
     290      It is generally considered that the System Administrator should be in
     291      charge of which certificates are available. Now that <xref
     292      linkend="make-ca"/> and <xref linkend="p11-kit"/> have been installed and
     293      <application>make-ca</application> has been configured, it is possible to
     294      make <command>pip3</command> use the system certificates.
     295    </para>
     297    <para>
     298      The vendored certificates installed in LFS are a snapshot from when the
     299      pulled-in version of <application>Certifi</application> was created. If
     300      you regularly update the system certificates, the vendored version will
     301      become out of date.
     302    </para>
     304    <para>
     305      To use the system certificates in <application>Python3</application> you
     306      should set <envar>_PIP_STANDALONE_CERT</envar> to point to them, e.g for
     307      the <application>bash</application> shell:
     308    </para>
     310<screen><userinput>export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt</userinput></screen>
     312    <warning>
     313      <para>
     314        If you have created virtual environments, for example when testing modules,
     315        and those include the <application>Requests</application> and
     316        <application>Certifi</application> modules in <filename
     317        class="directory">~/.local/lib/python3.11/</filename> then those local
     318        modules will be used instead of the system certificates unless you
     319        remove the local modules.
     320      </para>
     321    </warning>
     323    <para>
     324      To use the system certificates in <application>Python3</application> with
     325      the BLFS profiles add the following variable to your system or personal
     326      profiles:
     327    </para>
     329<screen role="root"><userinput>
     330cat &gt; /etc/profile.d/ &lt;&lt; "EOF"
     331<literal># Begin /etc/profile.d/
     333export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt
     335# End /etc/profile.d/</literal>
     338  </sect2>
    277340  <sect2 role="content">
    278341    <title>Contents</title>
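
Review bot: The lead-in sentences at new lines 305 and 324 promise system certificates "in Python3", but the only mechanism shown is `_PIP_STANDALONE_CERT`, and the paragraph at 290-294 frames the goal as making pip3 use the system certificates. Say "in pip3" in both places so an administrator does not assume every Python TLS client now follows the system trust store. The paragraph at 298-301 could also say why a stale snapshot matters: a certificate removed from the system store would still be present in the vendored copy. In the warning, line 317 hard-codes `python3.11`, which goes stale at the next Python upgrade, and the text talks about virtual environments while pointing at `~/.local/lib/`; state which location is meant. As rendered here, the redirect on line 330 and the Begin/End comments on 331 and 335 stop at `/etc/profile.d/` with no file name, which is worth checking in the built output.
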