diff --git a/examples/reference-gertty.yaml b/examples/reference-gertty.yaml
index e049793..6c4a2e6 100644
--- a/examples/reference-gertty.yaml
+++ b/examples/reference-gertty.yaml
@@ -35,8 +35,12 @@ servers:
 # The location of Gertty's sqlite database. If you have more than one
 # server, you should specify a dburi for any additional servers.
 # dburi: ~/.gertty.db
-# If your Gerrit server has a self-signed cert (eg, a test server),
-# you can set this value to false to turn of certificate validation.
+# If your Gerrit server uses a non-standard certificate chain (e.g. on a test
+# server), you can pass a full path to a bundle of CA certificates here:
+# ssl-ca-path: ~/.pki/ca-chain.pem
+# In case you do not care about security and want to use a sledgehammer
+# approach to SSL, you can set this value to false to turn off certificate
+# validation.
 # verify-ssl: true
 # By default Gertty logs errors to a file and truncates that file each
 # time it starts (so that it does not grow without bound). If you
diff --git a/gertty/config.py b/gertty/config.py
index e6a3338..4f51b71 100644
--- a/gertty/config.py
+++ b/gertty/config.py
@@ -42,6 +42,7 @@ class ConfigSchema(object):
 v.Required('username'): str,
 'password': str,
 'verify-ssl': bool,
+ 'ssl-ca-path': str,
 'dburi': str,
 v.Required('git-root'): str,
 'log-file': str,
@@ -142,6 +143,13 @@ class Config(object):
 self.verify_ssl = server.get('verify-ssl', True)
 if not self.verify_ssl:
 os.environ['GIT_SSL_NO_VERIFY']='true'
+ self.ssl_ca_path = server.get('ssl-ca-path', None)
+ if self.ssl_ca_path is not None:
+ self.ssl_ca_path = os.path.expanduser(self.ssl_ca_path)
+ # Gertty itself uses the Requests library
+ os.environ['REQUESTS_CA_BUNDLE'] = self.ssl_ca_path
+ # And this is to allow Git callouts
+ os.environ['GIT_SSL_CAINFO'] = self.ssl_ca_path
 self.git_root = os.path.expanduser(server['git-root'])
 self.dburi = server.get('dburi', 'sqlite:///' + os.path.expanduser('~/.gertty.db'))
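Review bot: The new `ssl-ca-path` value is only passed through `os.path.expanduser` before being exported as `REQUESTS_CA_BUNDLE` and `GIT_SSL_CAINFO`, so a relative path is resolved against whatever working directory Requests or a git callout happens to run in, and a mistyped or missing file surfaces later as an opaque TLS failure rather than a configuration error; the sibling `git-root` line in the same hunk has the same expanduser-only treatment but is at least a directory the program controls. Resolving once and failing early would be clearer, e.g. `self.ssl_ca_path = os.path.abspath(os.path.expanduser(self.ssl_ca_path))` followed by `if not os.path.isfile(self.ssl_ca_path): raise ValueError('ssl-ca-path does not exist: %s' % self.ssl_ca_path)` (raising may need to follow whatever error convention the rest of this constructor uses, which is not visible in the hunk). Because both variables are set process-wide rather than passed to the Requests session and git invocations directly, the setting of whichever server's block is parsed last wins, which is worth stating in a comment given that the example config describes multiple `servers:` entries; an existing `REQUESTS_CA_BUNDLE` in the user's environment is also silently overwritten. The enclosing method begins before and continues after this hunk.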