Python Certificate Handling (Raynet One Data Hub 25.4)
Python-based connectors use the requests library with TLS certificate verification enabled by default (verify=True).
Certificate validation relies on the Python runtime's bundled certificate trust configuration, which is typically provided by the certifi package. This trust configuration contains public certificate authorities commonly used on the internet.
Internal or corporate certificate authorities are typically not included in this default trust configuration. As a result, connections to services secured with internal or self-signed certificates may fail with certificate verification errors unless the operating system trust store is used or the required certificates are explicitly trusted.
If the certificate chain cannot be validated, the connection fails with:
SSLCertVerificationError: CERTIFICATE_VERIFY_FAILED
To align with enterprise environments and existing Java/Kotlin connector behavior, Data Hub supports operating system trust store integration via the truststore Python package.
Enable OS trust integration using:
import truststore
truststore.inject_into_ssl()
When enabled, certificate validation is delegated to the operating system.
Supported trust stores:
•Windows: Windows Certificate Store.
•macOS: Keychain.
•Linux: System CA bundle (e.g., /etc/ssl/certs).
This allows connectors to validate certificates issued by internal or corporate certificate authorities that are trusted by the operating system.
When Python uses its bundled CA certificates (typically provided by the certifi package), certificate validation relies on the trust configuration provided by the Python runtime.
This configuration typically contains public certificate authorities commonly used on the internet but usually does not include internal or corporate certificate authorities. Operating system trust policies, such as centrally managed certificate authorities and revocation settings, may therefore not automatically apply in this configuration.
When OS trust store integration is enabled via the truststore Python package, certificate validation is delegated to the operating system and follows the system's certificate and revocation policies.
These revocation policies include:
•CRL checks (Certificate Revocation List)
•OCSP checks (Online Certificate Status Protocol)
If revocation endpoints are not reachable (e.g., VPN limitations or isolated networks), certificate validation may fail even if the certificate chain itself is trusted.
This behavior is expected and reflects the operating system's security policies.
As an alternative to OS trust store integration, a custom certificate bundle may be specified using the REQUESTS_CA_BUNDLE environment variable.
Windows:
set REQUESTS_CA_BUNDLE=C:\path\to\ca_bundle.pem
Linux/macOS:
export REQUESTS_CA_BUNDLE=/path/to/ca_bundle.pem
When set, the connector uses the specified certificate bundle for TLS validation.
This option may be useful in:
•Restricted network environments.
•Environments where OS trust policies cannot be modified.
If an endpoint uses a self-signed or internally issued certificate, the corresponding root certificate authority must be trusted.
This can be achieved by either:
•importing the CA certificate into the operating system trust store, or
•providing a custom certificate bundle via REQUESTS_CA_BUNDLE.
After updating certificate trust configuration, restart the Data Hub Agent service before executing the connector task again.
Disabling TLS verification (verify=False) is strongly discouraged and not supported for production environments due to security risks.
Disabling certificate verification exposes the connection to risks including:
•Man-in-the-middle attacks.
•Endpoint impersonation.
•Undetected certificate misuse.
Recommended practice:
•Install the required CA certificates properly.
•Use the operating system trust store.
•Avoid disabling TLS verification globally.