
Custom Certificate for OpenId / urllib3?

Open akloster opened this issue 1 year ago • 1 comments

I'm trying to get Kinto to run in a development setup with Docker, OpenID (Authentik for now) and behind SSL. However, that requires the Kinto application running in the container to trust the SSL certificate of the OpenID provider, which is self-signed.

I made a custom kinto image and added the root certificate to the usual trust store. I can run wget and curl from that image no problem, but kinto and urllib3 don't want to have anything to do with it.

As far as I have come so far, urllib3 uses pyOpenSSL so it should use that truststore. Also the certificate file seems correctly installed as a PEM file. There are instructions in the urllib3 documentation on how to change the code to use a custom bundle, but that would mean changing kinto and pyramid...

Is there an obvious thing I'm missing?

akloster, Dec 04 '22 15:12

I found out the problem. urllib3 seems to usually use the "certifi" package. And one way to add a certificate to that in a Dockerfile is to append it to the certifi bundle:

ADD dev-ca.crt .
RUN cat dev-ca.crt >> `python -m certifi`

akloster, Dec 04 '22 18:12
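
An added example, not part of the thread or of Kinto: a Python version of the append step above that rejects a file containing no PEM certificate (for instance a DER-encoded `.crt`), keeps the bundle's PEM markers on separate lines, and skips certificates already in the bundle so rebuilding a layer does not duplicate them. The script name `add_ca.py` and the function names are hypothetical; the demo uses constructed placeholder payloads rather than real certificates.

```python
import base64
import re
import ssl
import sys
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Map DER bytes -> normalized PEM text for every certificate in text."""
    found = {}
    for match in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        found[der] = ssl.DER_cert_to_PEM_cert(der)
    return found

def append_ca(bundle_path, ca_path):
    """Append certificates from ca_path missing in bundle_path; return count."""
    bundle = Path(bundle_path)
    existing = bundle.read_text(encoding="utf-8")
    # errors="replace": a binary DER file yields no PEM block instead of crashing
    new = pem_blocks(Path(ca_path).read_text(encoding="utf-8", errors="replace"))
    if not new:
        raise ValueError(f"{ca_path}: no PEM certificate found (DER file?)")
    known = pem_blocks(existing)
    missing = [pem for der, pem in new.items() if der not in known]
    if missing:
        with bundle.open("a", encoding="utf-8") as out:
            if existing and not existing.endswith("\n"):
                out.write("\n")  # keep END and BEGIN markers on separate lines
            out.writelines(missing)
    return len(missing)

def demo():
    """Constructed placeholder payloads, not real certificates."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle, ca = Path(tmp, "cacert.pem"), Path(tmp, "dev-ca.crt")
        bundle.write_text(ssl.DER_cert_to_PEM_cert(b"constructed root").rstrip())
        ca.write_text(ssl.DER_cert_to_PEM_cert(b"constructed dev CA"))
        first, second = append_ca(bundle, ca), append_ca(bundle, ca)
        return first, second, len(pem_blocks(bundle.read_text()))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: python add_ca.py dev-ca.crt
        import certifi  # assumption: installed in the image, as in the post
        print(append_ca(certifi.where(), sys.argv[1]), "certificate(s) added")
    else:
        print(demo())
```

Upgrading the certifi package replaces its bundle file, so the step has to run again after any dependency update in the image.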