
Feature: Ability to set CA cert per remote registry

Open trivediravi13 opened this issue 1 year ago • 3 comments

Currently conan doesn't have the ability to set a CA cert path per remote registry. The config option "core.net.http:cacert_path" sets the CA cert path globally, applicable to all present remote registries. We use two remote registries in our CI/CD, https://center2.conan.io and a locally hosted Artifactory. By default conan doesn't have the CA certificate of the local Artifactory, so it fails. To solve it, if I add the Artifactory CA cert through "core.net.http:cacert_path" it successfully validates Artifactory but fails to validate conan center.

It would be really helpful to have an option in the "conan remote add" command to set a CA cert file for that particular registry only.

trivediravi13 avatar Dec 05 '24 09:12 trivediravi13

Hi @trivediravi13

Thanks for your suggestion.

This would be pretty complicated to do, because Conan is not managing the certificates itself, but passing them to the underlying Python requests library. These are the options you have:

From https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification

  • The verify argument will be taken from Conan core.net.http:cacert_path
  • The cert argument will be taken from Conan core.net.http:client_cert

From that page you can pass to verify a directory containing multiple certificates:

> You can pass verify the path to a CA_BUNDLE file or directory with certificates of trusted CAs

Or just add the certificates you need in a single file. Those are the most common approaches, not only in Conan, but as a general thing outside of Conan. Note that you would have the same issue again if you use other tools, like the JFrog CLI, the HTTP APIs, or many other tools different from Conan.

As an extra hint, please take into account that in many production scenarios, using ConanCenter directly is not the most recommended approach. See https://docs.conan.io/2/devops/using_conancenter.html. Basically, build your own packages from the conan-center-index GitHub repo, and put them also in your own Artifactory.

memsharded avatar Dec 05 '24 10:12 memsharded
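One way to apply the single-bundle approach memsharded describes (system CAs plus the private Artifactory CA in one file, referenced from core.net.http:cacert_path). This is an added example, not code from the Conan project or from anyone in this thread; it assumes a Conan 2 home in $CONAN_HOME or ~/.conan2 and a system bundle at $SYSTEM_CA, neither of which the thread states.

```shell
# Added example: build one CA bundle (system CAs + the private Artifactory CA)
# and point Conan 2's core.net.http:cacert_path at it. Assumed, not from the
# issue: Conan home in $CONAN_HOME or ~/.conan2, system bundle in $SYSTEM_CA.
set -eu

# Number of PEM certificates in a file; 0 if the file is missing.
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Concatenate the given PEM files into $1. Any input without a certificate
# aborts the build, so a typo in a path cannot silently shrink the trust store.
build_ca_bundle() {
    out=$1; shift
    : > "$out.tmp"
    for pem in "$@"; do
        if [ "$(count_certs "$pem")" -eq 0 ]; then
            echo "error: no PEM certificate in $pem" >&2
            rm -f "$out.tmp"
            return 1
        fi
        cat "$pem" >> "$out.tmp"
        # PEM files without a trailing newline would glue the next header on.
        if [ -n "$(tail -c1 "$pem")" ]; then echo >> "$out.tmp"; fi
    done
    chmod 0644 "$out.tmp"
    mv "$out.tmp" "$out"
}

# Replace (or add) the cacert_path key in global.conf, keeping other keys.
set_conan_cacert() {
    conf=$1; bundle=$2
    touch "$conf"
    grep -v '^core.net.http:cacert_path' "$conf" > "$conf.tmp" || true
    echo "core.net.http:cacert_path=$bundle" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Usage: sh conan_ca_bundle.sh /path/to/artifactory-ca.pem [more.pem ...]
main() {
    conan_home=${CONAN_HOME:-$HOME/.conan2}
    system_ca=${SYSTEM_CA:-/etc/ssl/certs/ca-certificates.crt}
    mkdir -p "$conan_home"
    build_ca_bundle "$conan_home/ca-bundle.pem" "$system_ca" "$@"
    set_conan_cacert "$conan_home/global.conf" "$conan_home/ca-bundle.pem"
    echo "$(count_certs "$conan_home/ca-bundle.pem") certificates in bundle"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the bundle is a plain file, a container can bind-mount it and global.conf at run time instead of rebuilding the image whenever a CA changes. If you use the directory form instead of a single file, OpenSSL only reads it after `openssl rehash` (or `c_rehash`); plain filenames are not enough.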

Hi @memsharded

Thanks for your prompt response. Conan center is only used for the first time when a package is not found in the local artifactory. I can create a CA certificate bundle, but the only challenge is that the conan build is running inside a container, which will require us to update the container image every time a new CA cert needs to be added or updated.

Let me think on this a bit

trivediravi13 avatar Dec 05 '24 11:12 trivediravi13

> Thanks for your prompt response. Conan center is only used for the first time when a package is not found in the local artifactory.

Yes, even for that case, https://docs.conan.io/2/devops/using_conancenter.html is still recommended. So instead of fetching things from ConanCenter, actively pre-populate your own Artifactory by building from sources the packages you want from the conan-center-index GitHub source repo. This has some interesting advantages, as described in that page.

> I can create a CA certificate bundle, but the only challenge is that the conan build is running inside a container, which will require us to update the container image every time a new CA cert needs to be added or updated.

But this shouldn't happen very often, should it? We only had an issue once in the previous 7 years, because of an expired certificate in Conan 1, when it had a cacert file embedded in the app.

memsharded avatar Dec 05 '24 13:12 memsharded