Update README.md for ssl.ca.certificates #791

Open; wants to merge 1 commit into master
18 changes: 12 additions & 6 deletions README.md
@@ -270,16 +270,22 @@ authentication is used).

The client will use CA certificates to verify the broker's certificate.
The embedded OpenSSL library will look for CA certificates in `/usr/lib/ssl/certs/`
or `/usr/lib/ssl/cacert.pem`. CA certificates are typically provided by the
Linux distribution's `ca-certificates` package which needs to be installed
through `apt`, `yum`, et.al.
or `/usr/lib/ssl/cacert.pem`.

On Linux, CA certificates are typically provided by the distribution's `ca-certificates`
package which needs to be installed through `apt`, `yum`, et.al.

On MacOS, different versions can store CA certificates in different locations.
On MacOS Mojave and later, for instance, this is usually ` '/private/etc/ssl/cert.pem'`.
Contributor:
I don't think this is entirely accurate. I think the bundled openssl version may look there but MacOS itself stores them in the keychain database. I believe this to be the reason why `openssl s_client -connect` works but the Python client complains. It'd be good to verify this statement prior to proceeding as this may be one of those "works on my machine" type situations rather than works on MacOS Mojave+.

Contributor:
Inconsistent formatting, drop the '.


If your system stores CA certificates in another location you will need to
configure the client with `'ssl.ca.location': '/path/to/cacert.pem'`.

Alternatively, the CA certificates can be provided by the [certifi](https://pypi.org/project/certifi/)
Python package. To use certifi, add an `import certifi` line and configure the
client's CA location with `'ssl.ca.location': certifi.where()`.
A more generic and fool-proof way to ensure SSL works is to install the
[certifi](https://pypi.org/project/certifi/) Python package, which provides its own
bundled CA certificates, much like how Java works. To use certifi, install it, and then
add an `import certifi` line and configure the client's CA location with
`'ssl.ca.location': certifi.where()`.


Prerequisites
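Review bot: the macOS sentence (the line ending in ` '/private/etc/ssl/cert.pem'`) states a per-version default that the embedded OpenSSL may not actually consult, and both inline comments already ask for it to be verified; rather than naming a path for "Mojave and later", say that the default search path is whatever OPENSSLDIR the embedded library was built with, that macOS keeps its own trust roots in the Keychain, which OpenSSL does not read (this is the `openssl s_client` works / Python client fails symptom the first comment describes), and that macOS users should therefore set `'ssl.ca.location'` explicitly or use certifi. While there, drop the stray quote and leading space inside the backticks and write `macOS` rather than `MacOS`. The same caution applies to the re-added `/usr/lib/ssl/cacert.pem` line: OpenSSL's default bundle file under OPENSSLDIR is `cert.pem`, not `cacert.pem`, so either correct the name or phrase it as "the location the embedded library was built with". In the certifi paragraph, replace "fool-proof" and "much like how Java works" with the concrete fact and its security caveat: certifi ships the Mozilla public root bundle, so it works when the broker's certificate chains to a public CA, but a broker issued by an internal or corporate CA will still fail verification until `'ssl.ca.location'` points at that CA's PEM file (or a directory of CA files, which librdkafka also accepts). Spell "install it" out as `pip install certifi`, and fix "et.al." to "et al.".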
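The README text above tells the reader where the embedded OpenSSL looks by default and how to override that with `'ssl.ca.location'` or certifi, but it does not show what a client should do when the configured bundle is missing or unparseable. The following is an added example, not the project's code and not from the PR author: it resolves the CA location in the order the README describes (explicit path, then certifi if installed, then the OpenSSL default paths the Python interpreter was built with), refuses to fall back silently from a bad explicit path to the public Mozilla roots, and checks that OpenSSL can actually parse a certificate out of the file before the config is handed to a client. The librdkafka property names `security.protocol`, `ssl.ca.location` and `enable.ssl.certificate.verification` are real; the environment variable `KAFKA_SSL_CA_LOCATION` is a convention invented for this example, and the bad bundle it writes is constructed in a temporary directory.

```python
"""Resolve and sanity-check the CA bundle for a confluent-kafka client.

Added example, not the project's code. Assumes the librdkafka property
names security.protocol, ssl.ca.location and
enable.ssl.certificate.verification; KAFKA_SSL_CA_LOCATION is a made-up
environment variable used only by this example.
"""
import os
import ssl
import tempfile
from typing import Dict, List, Optional


def default_ca_candidates() -> List[str]:
    """Places to look when the caller did not pin a bundle: certifi's Mozilla
    bundle if installed, then the cafile/capath of the OpenSSL that *this*
    Python links against. Note that ssl.get_default_verify_paths() reports
    that OpenSSL's OPENSSLDIR, which need not be the one librdkafka's
    embedded OpenSSL was built with."""
    candidates: List[str] = []
    try:
        import certifi  # optional dependency
        candidates.append(certifi.where())
    except ImportError:
        pass
    paths = ssl.get_default_verify_paths()
    candidates.extend(p for p in (paths.cafile, paths.capath) if p)
    return candidates


def ca_bundle_loads(path: str) -> bool:
    """True if OpenSSL can parse at least one certificate from the bundle.
    A file that exists but holds no PEM certificates fails here, which is the
    failure you want at startup rather than at the first TLS handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no defaults preloaded
    try:
        if os.path.isdir(path):
            ctx.load_verify_locations(capath=path)  # hashed dir, loaded lazily
            return True
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError):  # "no certificate or crl found", ENOENT
        return False
    return ctx.cert_store_stats()["x509"] > 0


def resolve_ca_location(explicit: Optional[str] = None) -> str:
    """An explicitly pinned path must exist and parse. We never fall back from
    a bad explicit path to certifi: that would silently replace an internal
    CA with the public Mozilla roots and the broker cert would then fail
    verification (or, worse, a differently-issued cert would pass)."""
    pinned = explicit or os.environ.get("KAFKA_SSL_CA_LOCATION")
    if pinned:
        if not ca_bundle_loads(pinned):
            raise ValueError(f"ssl.ca.location {pinned!r} is missing or not a PEM bundle")
        return pinned
    for path in default_ca_candidates():
        if ca_bundle_loads(path):
            return path
    raise FileNotFoundError("no CA bundle found: install certifi or set ssl.ca.location")


def kafka_ssl_config(bootstrap: str, ca_location: Optional[str] = None) -> Dict[str, object]:
    """TLS fragment of a confluent-kafka client config, verification left on."""
    return {
        "bootstrap.servers": bootstrap,
        "security.protocol": "SSL",
        "ssl.ca.location": resolve_ca_location(ca_location),
        "enable.ssl.certificate.verification": True,
    }


def demo() -> Dict[str, object]:
    """Exercise the resolver on constructed inputs: a file that exists but is
    not PEM, and a path that does not exist at all."""
    with tempfile.TemporaryDirectory() as tmp:
        junk = os.path.join(tmp, "cacert.pem")
        with open(junk, "w") as fh:
            fh.write("this is not a certificate\n")  # constructed bad bundle
        results: Dict[str, object] = {
            "junk_loads": ca_bundle_loads(junk),
            "missing_loads": ca_bundle_loads(os.path.join(tmp, "nope.pem")),
        }
        try:
            kafka_ssl_config("broker.example:9093", ca_location=junk)
            results["junk_rejected"] = False
        except ValueError:
            results["junk_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The resolver deliberately treats a non-loadable explicit path as a hard error instead of trying the next candidate: the README's certifi advice is a fine default for brokers whose certificates chain to a public CA, but an operator who set `ssl.ca.location` to an internal CA wants to know immediately if that file is gone, not discover it when the broker's certificate is rejected under a different trust store.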