From 90ba839c7d7e121ac5bc3865e2f9f3e02a9774ec Mon Sep 17 00:00:00 2001 From: Rodos Date: Thu, 13 Nov 2025 15:46:06 +1100 Subject: [PATCH] fix: Improve CA certificate detection with fallback chain The previous implementation incorrectly assumed empty get_ca_certs() meant broken SSL, causing false failures in GitHub Codespaces and other directory-based cert systems where certificates exist but aren't pre-loaded. It would then attempt to import certifi as a workaround, but certifi wasn't listed in requirements.txt, causing the fallback to fail with ImportError even though the system certificates would have worked fine. This commit replaces the naive check with a layered fallback approach that checks multiple certificate sources. First it checks for pre-loaded system certs (file-based systems). Then it verifies system cert paths exist (directory-based systems like Ubuntu/Debian/Codespaces). Finally it attempts to use certifi as an optional fallback only if needed. This approach eliminates hard dependencies (certifi is now optional), works in GitHub Codespaces without any setup, and fails gracefully with clear hints for resolution when SSL is actually broken rather than failing with ModuleNotFoundError. Fixes #444 --- github_backup/github_backup.py | 39 ++++++++++++++++++++++------------ requirements.txt | 1 - 2 files changed, 25 insertions(+), 15 deletions(-) diff --git a/github_backup/github_backup.py b/github_backup/github_backup.py index b0c2aef..b69ba4a 100644 --- a/github_backup/github_backup.py +++ b/github_backup/github_backup.py @@ -37,22 +37,33 @@ FNULL = open(os.devnull, "w") FILE_URI_PREFIX = "file://" logger = logging.getLogger(__name__) +# Setup SSL context with fallback chain https_ctx = ssl.create_default_context() -if not https_ctx.get_ca_certs(): - import warnings +if https_ctx.get_ca_certs(): + # Layer 1: Certificates pre-loaded from system (file-based) + pass +else: + paths = ssl.get_default_verify_paths() + if (paths.cafile and os.path.exists(paths.cafile)) or ( + paths.capath and os.path.exists(paths.capath) + ): + # Layer 2: Cert paths exist, will be lazy-loaded on first use (directory-based) + pass + else: + # Layer 3: Try certifi package as optional fallback + try: + import certifi - warnings.warn( - "\n\nYOUR DEFAULT CA CERTS ARE EMPTY.\n" - + "PLEASE POPULATE ANY OF:" - + "".join( - ["\n - " + x for x in ssl.get_default_verify_paths() if type(x) is str] - ) - + "\n", - stacklevel=2, - ) - import certifi - - https_ctx = ssl.create_default_context(cafile=certifi.where()) + https_ctx = ssl.create_default_context(cafile=certifi.where()) + except ImportError: + # All layers failed - no certificates available anywhere + sys.exit( + "\nERROR: No CA certificates found. Cannot connect to GitHub over SSL.\n\n" + "Solutions you can explore:\n" + " 1. pip install certifi\n" + " 2. Alpine: apk add ca-certificates\n" + " 3. Debian/Ubuntu: apt-get install ca-certificates\n\n" + ) def logging_subprocess( diff --git a/requirements.txt b/requirements.txt index 8b13789..e69de29 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +0,0 @@ -