From ae7967c8aed28a8416a329e5eeac117c1672c878 Mon Sep 17 00:00:00 2001
From: alexzorin
Date: Wed, 20 Jul 2022 09:17:27 +1000
Subject: [PATCH] docs: how to override the trusted CA certificates (#9357)
* docs: how to override the trusted CA certificates
* Update certbot/docs/using.rst
Co-authored-by: ohemorange
Co-authored-by: ohemorange
---
 certbot/certbot/configuration.py | 6 +++++-
 certbot/docs/using.rst | 6 ++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/certbot/certbot/configuration.py b/certbot/certbot/configuration.py
index d5ad87599..dd40a096f 100644
--- a/certbot/certbot/configuration.py
+++ b/certbot/certbot/configuration.py
@@ -170,7 +170,11 @@ class NamespaceConfig:
 @property
 def no_verify_ssl(self) -> bool:
- """Disable verification of the ACME server's certificate."""
+ """Disable verification of the ACME server's certificate.
+
+ The root certificates trusted by Certbot can be overriden by setting the
+ REQUESTS_CA_BUNDLE environment variable.
+ """
 return self.namespace.no_verify_ssl
 @property
diff --git a/certbot/docs/using.rst b/certbot/docs/using.rst
index 0038d1f83..c4f55bc02 100644
--- a/certbot/docs/using.rst
+++ b/certbot/docs/using.rst
@@ -1078,6 +1078,12 @@ ACME directory. For example, if you would like to use Let's Encrypt's staging server, you would add ``--server https://acme-staging-v02.api.letsencrypt.org/directory`` to the command line.
+If Certbot does not trust the SSL certificate used by the ACME server, you
+can use the `REQUESTS_CA_BUNDLE
+`_
+environment variable to override the root certificates trusted by Certbot. Certbot
+uses the ``requests`` library, which does not use the operating system trusted root store.
+
 If you use ``--server`` to specify an ACME CA that implements the standardized version of the spec, you may be able to obtain a certificate for a wildcard domain. Some CAs (such as Let's Encrypt) require that domain
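Review bot: The docstring added to `no_verify_ssl` in certbot/certbot/configuration.py names REQUESTS_CA_BUNDLE but never says it is the alternative to turning verification off, and it misspells "overridden" as "overriden". With verification disabled the ACME server's certificate is not checked, so anything on the network path can impersonate the server; I would word the second paragraph as `Prefer setting the REQUESTS_CA_BUNDLE environment variable to a CA bundle that includes the server's root over disabling verification.` It is also worth one sentence that the variable replaces the bundle `requests` uses by default rather than adding to it, so the file has to contain every root Certbot needs to reach.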