docs: how to override the trusted CA certificates (#9357)

* docs: how to override the trusted CA certificates * Update certbot/docs/using.rst Co-authored-by: ohemorange <ebportnoy@gmail.com> Co-authored-by: ohemorange <ebportnoy@gmail.com>
2026-05-28 04:34:11 -04:00 · 2022-07-20 09:17:27 +10:00 · 2022-07-20 09:17:27 +10:00 · ae7967c8ae
commit ae7967c8ae
parent 32608a142b
2 changed files with 11 additions and 1 deletions
--- a/certbot/certbot/configuration.py
+++ b/certbot/certbot/configuration.py
@ -170,7 +170,11 @@ class NamespaceConfig:

    @property
    def no_verify_ssl(self) -> bool:
-        """Disable verification of the ACME server's certificate."""
+        """Disable verification of the ACME server's certificate.
+
+        The root certificates trusted by Certbot can be overriden by setting the
+        REQUESTS_CA_BUNDLE environment variable.
+        """
        return self.namespace.no_verify_ssl

    @property
--- a/certbot/docs/using.rst
+++ b/certbot/docs/using.rst
@ -1078,6 +1078,12 @@ ACME directory. For example, if you would like to use Let's Encrypt's
 staging server, you would add ``--server
 https://acme-staging-v02.api.letsencrypt.org/directory`` to the command line.

+If Certbot does not trust the SSL certificate used by the ACME server, you
+can use the `REQUESTS_CA_BUNDLE
+<https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification>`_
+environment variable to override the root certificates trusted by Certbot. Certbot
+uses the ``requests`` library, which does not use the operating system trusted root store.
+
 If you use ``--server`` to specify an ACME CA that implements the standardized
 version of the spec, you may be able to obtain a certificate for a
 wildcard domain. Some CAs (such as Let's Encrypt) require that domain