Skip to content

AP-24844: Make AP cacerts the default #89

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chaubold merged 2 commits into from
Mar 19, 2026
Merged

AP-24844: Make AP cacerts the default #89

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0f05751
AP-24844: Make AP cacerts the default
AtR1an Mar 18, 2026
7b534a4
AP-24844: Log warning if the cacert property is set to an invalid value
chaubold Mar 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 19 additions & 5 deletions org.knime.python3/src/main/java/org/knime/python3/PythonCaCertsMode.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,20 +73,20 @@
* Controls how the the CAs that Python trusts when using SSL are determined. The mode can be set via the system
* property {@code knime.python.cacerts} which can be set to either {@link PythonCaCertsMode#ENV} to trust the CAs of
* the Python environment or {@link PythonCaCertsMode#AP} to trust the CAs that the AP trusts. The property match is
* done case-insensitive and defaults to ENV, also if the property isn't set at all.
* done case-insensitive and defaults to AP, also if the property isn't set at all.
*
* @author Adrian Nembach, KNIME GmbH, Konstanz, Germany
*/
@SuppressWarnings("javadoc")
enum PythonCaCertsMode {
/**
* Trust the CAs of the Python environment. This is the default behavior.
* Trust the CAs of the Python environment.
*/
ENV(e -> {
// leave as is
}),
/**
* Trust the CAs that the AP trusts. Creates a .crt file with the CAs that Java trusts and points the
* Trust the CAs that the AP trusts. This is the default behavior. Creates a .crt file with the CAs that Java trusts and points the

Check warning on line 89 in org.knime.python3/src/main/java/org/knime/python3/PythonCaCertsMode.java

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Split this 139 characters long line (which is greater than 120 authorized). 


See more on https://sonarcloud.io/project/issues?id=KNIME_knime-python&issues=AZ0BNhcGUsnleY9HPrtK&open=AZ0BNhcGUsnleY9HPrtK&pullRequest=89
* following environment variables to it:
* <ul>
* <li>{@code REQUESTS_CA_BUNDLE}: Respected by requests, httpx and packages that use them.
Expand All @@ -95,6 +95,8 @@
*/
AP(PythonCaCertsMode::overwriteWithAPCerts);

private static final NodeLogger LOGGER = NodeLogger.getLogger(PythonCaCertsMode.class);

private final Consumer<Map<String, String>> m_envModifier;

PythonCaCertsMode(final Consumer<Map<String, String>> envModifier) {
Expand All @@ -107,11 +109,23 @@
private static final Set<String> CA_CERT_ENV_VARS = Set.of("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE");

static PythonCaCertsMode fromProperty() {
var property = System.getProperty(PYTHON_CACERTS_PROPERTY, PythonCaCertsMode.ENV.name());
final String property = System.getProperty(PYTHON_CACERTS_PROPERTY);
if (property == null) {
// property not set: default to AP
return AP;
}
if (AP.name().equalsIgnoreCase(property)) {
return AP;
}
return ENV;
if (ENV.name().equalsIgnoreCase(property)) {
return ENV;
}
LOGGER.warnWithFormat(
"Invalid value '%s' for system property '%s'. Falling back to '%s'.",
property,
PYTHON_CACERTS_PROPERTY,
AP.name());
return AP;
}

void updateEnvironment(final Map<String, String> environment) {
Expand Down