Use certifi to provide CA bundle rather than depending on system

[aoberoi]

First of all, thanks for the hard work all the maintainers have put into this package!

I'd like the maintainers to reconsider a change that went in v0.48.0, namely #415.

I work on the slackclient python package, which depends on this package. Since 0.48.0 has shipped, a few of our users have run into SSL problems that originate from this package.

I understand that the issue with shipping a CA bundle from this package is that its likely to go stale, and nobody wants to maintain that. I believe the solution that requests uses for this problem is rather elegant. They simply depend on the certifi package, which has an aggregated community of maintainers to keep it up to date.

I propose that this package also take the same approach. If you all are in favor of this, I can contribute a PR ❤️.

There's two problems I think this will solve:

1. A non-zero number of systems are not configured correctly to offer a CA bundle from a location on disk. This has happened to at least two of the users of our package, but I'm sure there's many more. Being resilient to system configuration issues seems like a win.

2. The current approach is untested for Python 2. While we'd all like to move beyond these versions, I don't think its in anyone's best interest to needlessly leave these developers, apps, and companies behind.

Thanks again!

[minus7]

Hi,
I just saw this issue by coincidence; it's my patch that's causing the problem. I tried patching in certifi just now, but the longer I tried to get it right, the more I came to the conclusion that this isn't a good solution.
Your system should have an up to date cert bundle; if it doesn't, you should update your system because it'll affect other programs and just giving websocket-client newer certs via certifi is just sugarcoating the actual issue. The method used to load the default certs is supported on Python 3.4+ and 2.7.9+; if you're using an older version you should upgrade anyway.

The issue in slackapi/python-slack-sdk#334 seems to stem from a misconfigured Python installation (assuming http.client from the standard library should normally work with TLS on Mac). A workaround in that case would be to set the WEBSOCKET_CLIENT_CA_BUNDLE environment variable to a cert bundle file.

Actually, it looks like you need to do some magic to get the ssl module working on Mac. This script installs certifi and links the bundled bundle to the expected location. While I don't necessarily agree with that, this seems to be the official way.

Btw, usage of certifi in requests is not undisputed

[AlmogCohen]

If you came here due to slack issues you can simply lock this package version to 0.47.0 as mentioned in slackapi/python-slack-sdk#334 (comment). For me it worked.

[engn33r]

@aoberoi @seratch please chime in if this topic is still relevant for you and remains unresolved. I will close this for now as I am trying to clean up stale issues, and I think the slackclient team found a solution to this specific issue. I agree with minus7 that using WEBSOCKET_CLIENT_CA_BUNDLE would be one way forward that can be customized to individual use cases.

[seratch]

@engn33r Thanks for mentioning us! The Slack SDK project no longer has ongoing issues due to this 👍

[smbock42]

@engn33r I am having issues with certifications still. Not sure what to do — there are no clear solutions. Thanks!

[engn33r]

@smbock42 please make a new issue with sufficient information instead of adding to old issues that may not be related