
How To Trust Certificates For Setuptools

I've had quite a hard time trying to figure out how to get my root CA and intermediate CA trusted in order to download artifacts from my Nexus repository using setuptools Python v3.

Solution 1:

Disclaimer: this is just how I got this to work. This is not intended to be the end all be all solution, nor do I think it should be. IMHO setuptools should be configurable or work differently than it does. If you have a different solution, please post it!

This took reading setuptools code in the file ssl_support.py. For my case I needed both certificates to be trusted. Important bits below:

#setuptools/ssl_support.py
...
cert_paths = """
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root.crt
/etc/ssl/cert.pem
/System/Library/OpenSSL/certs/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/ca-bundle.pem
""".strip().split()
...
def find_ca_bundle():
    """Return an existing CA bundle path, or None"""
    extant_cert_paths = filter(os.path.isfile, cert_paths)
    return (
        get_win_certfile()
        or next(extant_cert_paths, None)
        or _certifi_where()
    )

That hard-coded list of filepaths is filtered, in order, for extant files, and the result is used as an argument to a urllib.request.build_opener call to make the request. You need to find the first extant filepath and add your certificates to that file. In my case, it was /etc/ssl/certs/ca-certificates.crt.
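The lookup-and-append step described in this answer, as an added example that is not setuptools' code or the answerer's: it finds the first existing bundle from the same list and appends only certificates whose DER SHA-256 fingerprint is not already present. The names `first_existing`, `fingerprints` and `trust` are hypothetical, and it assumes a non-Windows host (it does not cover `get_win_certfile()` or the certifi fallback).

```python
import hashlib
import os
import re
import ssl
import sys

# Same candidate list, in the same order, as the setuptools excerpt above.
CERT_PATHS = """
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root.crt
/etc/ssl/cert.pem
/System/Library/OpenSSL/certs/cert.pem
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/ca-bundle.pem
""".strip().split()

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def first_existing(paths=CERT_PATHS):
    """Return the first path that is a regular file, or None."""
    return next(filter(os.path.isfile, paths), None)


def fingerprints(pem_text):
    """Map the SHA-256 of each certificate's DER bytes to its PEM block."""
    return {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest(): pem
        for pem in PEM_RE.findall(pem_text)
    }


def trust(bundle_path, ca_pem_text):
    """Append certificates missing from the bundle; return their fingerprints."""
    with open(bundle_path, encoding="utf-8", errors="replace") as fh:
        present = fingerprints(fh.read())
    missing = {fp: pem for fp, pem in fingerprints(ca_pem_text).items()
               if fp not in present}
    if missing:  # leave the file untouched when nothing needs adding
        with open(bundle_path, "a", encoding="utf-8") as fh:
            fh.write("".join("\n" + pem + "\n" for pem in missing.values()))
    return sorted(missing)

if __name__ == "__main__":  # usage: script.py root-ca.pem intermediate-ca.pem
    bundle = first_existing() or sys.exit("no CA bundle from the list exists")
    chain = "\n".join(open(p, encoding="ascii").read() for p in sys.argv[1:])
    print(bundle, trust(bundle, chain))
```

On Debian and Ubuntu, /etc/ssl/certs/ca-certificates.crt is regenerated by update-ca-certificates, so certificates appended to it by hand are dropped the next time that tool runs.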
