I’ve hit another pothole trying to secure my Libretime setup. When I tried to upload a file for the first time, it just sits in Pending import status. Looking in both analyzer.log and liquidsoap.log, this error appears repeatedly:
‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)’
The certificates defined in nginx are from an internal corporate CA, so I think that’s called privately trusted, as compared to publicly trusted if I’d used a 3rd party CA. Is there a setting to allow these certs?
Googling around I’ve found mention of environment variables REQUESTS_CA_BUNDLE and SSL_CERT_FILE that can be set to point at a certificate bundle. Are either of these variables supported by the SSL libraries Libretime uses?
Yes, I think you should try to use REQUESTS_CA_BUNDLE. If I remember correctly, all in-between service HTTP requests in the project should go through the requests library.
I could add it as an Environment= to the systemd files; should it go in all of them? I assume, though, that if I run the LibreTime install again in the future these would have to be added again. Is there a means to create an EnvironmentFile that would be remembered across installs?
I’ve set the variable in the service files and restarted, and analyzer is still getting the same error. I’m using the same certificate bundle that nginx is using. Does the ssl library perhaps expect the certificates in a different format?
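On the format question in the last post: Python's `ssl` module reads a CA file as concatenated PEM certificates, and "self signed certificate in certificate chain" means the self-signed root the server's chain ends in is not in the client's trust store. The following is an added example, not part of the thread and not LibreTime code, that loads a bundle the same way and reports whether it is PEM and whether it contains a root CA. The function names and verdict strings are illustrative assumptions.

```python
import os
import re
import ssl
import sys

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def inspect_bundle(path):
    """Load `path` the way Python's ssl module loads a cafile and report what it sees."""
    report = {"readable": False, "pem_blocks": 0, "x509": 0, "x509_ca": 0,
              "self_signed_roots": 0, "error": None}
    try:
        with open(path, "rb") as fh:
            report["pem_blocks"] = len(PEM_CERT.findall(fh.read()))
        report["readable"] = True
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
        ctx.load_verify_locations(cafile=path)         # cafile must be PEM, not DER/PKCS#12
    except OSError as exc:                             # ssl.SSLError subclasses OSError
        report["error"] = f"{type(exc).__name__}: {exc}"
        return report
    stats = ctx.cert_store_stats()
    report["x509"], report["x509_ca"] = stats["x509"], stats["x509_ca"]
    # A root CA is self-signed: its subject equals its issuer.
    report["self_signed_roots"] = sum(
        1 for cert in ctx.get_ca_certs() if cert.get("subject") == cert.get("issuer"))
    return report


def diagnose(report):
    """Turn a report into one verdict string (names are illustrative)."""
    if not report["readable"]:
        return "unreadable"      # wrong path, or the service user lacks permission
    if report["error"] and report["pem_blocks"] == 0:
        return "not-pem"         # e.g. a DER .cer/.crt file; convert it to PEM
    if report["error"]:
        return "corrupt-pem"
    if report["self_signed_roots"] == 0:
        return "no-root-ca"      # leaf/intermediates only; add the issuing root CA
    return "ok"


if __name__ == "__main__":
    for var in ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE"):
        print(f"{var}={os.environ.get(var, '<unset>')}")
    bundle = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("REQUESTS_CA_BUNDLE", "")
    result = inspect_bundle(bundle)
    print(result, "->", diagnose(result))
```

Run it as the same user the service runs as, since the variables it prints are those of the current process and a file readable by root may not be readable by the service account.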