If I need to authenticate with a certificate, I have a few options available:

  1. Add the certificate to the bundle packaged with requests/certifi

  2. Add the certificate to the system store and override the bundle used by requests (i.e. with the truststore package)

  3. Invoke the certificate when making calls

Method 3 is the one I see referenced in most answers, but it requires that I maintain a separate certificate bundle, and packages that use requests will have varying methods/degrees of support for passing certificates. Is there anything inherently wrong with the first 2 methods? Is one preferable to the other?

3 Replies

You need to clarify whether you are talking about your client authenticating to a server (which is not very common), or a server authenticating to your client, which must always happen.

Are you creating an application to handle certificates or are you adding TLS to your client to serve a Python app written in Flask/FastAPI/Django?

If the last option, use option 3, but use an Apache/nginx proxy and preferably an ACME client like certbot/acme.sh to handle the updates.

In Apache you use ProxyPass and ProxyPassReverse to map your myapp running on:

http://<internal-ip>:8080 to https://<your tls domain>/myapp

  ProxyPass /myapp http://<internal-ip>:8080/myapp
  ProxyPassReverse /myapp http://<internal-ip>:8080/myapp

If you use a fixed certificate then just skip the ACME update part. But you then have to handle it manually when it expires in max 3 years.

Using a proxy adds benefits like rate limiting, filtering, logging, security scanning, etc. Performance-wise, you need lots of Python apps to flood an Apache or nginx proxy.

@President James K. Polk thanks for the clarifying question, I worded it poorly. In this case it's the server authenticating to our client application, where we get a 'unable to get local issuer certificate' error if the certificate is not referenced in the call.
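An added example, not part of the thread: one way to keep the separate bundle of method 3 without passing a certificate in every call is to merge the internal CA into a copy of the public roots and set `REQUESTS_CA_BUNDLE`, which requests reads when `verify` is not passed. The function names, the output path and the PEM blocks are constructed for illustration; the blocks are placeholders, not real certificates.

```python
import os
import re

# One PEM certificate block; group 1 is the base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

# Constructed placeholder blocks, not real certificates: enough to show the merge.
PUBLIC_ROOTS = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUFVCTElDLVJPT1QtQQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUFVCTElDLVJPT1QtQg==
-----END CERTIFICATE-----
"""
INTERNAL_CA = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJOQUwtQ0E=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUFVCTElDLVJPT1QtQQ==
-----END CERTIFICATE-----
"""

def pem_blocks(text):
    """Return certificate bodies in order, with line breaks removed."""
    return ["".join(body.split()) for body in PEM_CERT.findall(text)]

def merge_bundles(base_pem, extra_pem):
    """Return (bundle_text, count): base certificates plus any new ones from extra."""
    bodies = []
    for body in pem_blocks(base_pem) + pem_blocks(extra_pem):
        if body not in bodies:          # skip a CA already in the bundle
            bodies.append(body)
    blocks = []
    for body in bodies:
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    return "".join(blocks), len(bodies)

def install_bundle(bundle_text, path, env=os.environ):
    """Write the bundle to path and point requests at it through the environment."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(bundle_text)
    env["REQUESTS_CA_BUNDLE"] = path    # requests uses this when verify is not passed
    return path
```

Because the merged file lives outside the certifi package directory, a certifi upgrade does not overwrite it, and a call that passes its own `verify=` value still takes precedence over the variable.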
