Release version 0.51.2

fix: Improve CA certificate detection with fallback chain

CHANGES.rst

@@ -1,10 +1,38 @@
 Changelog
 =========
 
-0.51.1 (2025-11-16)
+0.51.2 (2025-11-16)
 -------------------
 ------------------------
 
+Fix
+~~~
+- Improve CA certificate detection with fallback chain. [Rodos]
+
+  The previous implementation incorrectly assumed empty get_ca_certs()
+  meant broken SSL, causing false failures in GitHub Codespaces and other
+  directory-based cert systems where certificates exist but aren't pre-loaded.
+  It would then attempt to import certifi as a workaround, but certifi wasn't
+  listed in requirements.txt, causing the fallback to fail with ImportError
+  even though the system certificates would have worked fine.
+
+  This commit replaces the naive check with a layered fallback approach that
+  checks multiple certificate sources. First it checks for pre-loaded system
+  certs (file-based systems). Then it verifies system cert paths exist
+  (directory-based systems like Ubuntu/Debian/Codespaces). Finally it attempts
+  to use certifi as an optional fallback only if needed.
+
+  This approach eliminates hard dependencies (certifi is now optional), works
+  in GitHub Codespaces without any setup, and fails gracefully with clear hints
+  for resolution when SSL is actually broken rather than failing with
+  ModuleNotFoundError.
+
+  Fixes #444
+
+
+0.51.1 (2025-11-16)
+-------------------
+
 Fix
 ~~~
 - Prevent duplicate attachment downloads. [Rodos]

github_backup/__init__.py

@@ -1 +1 @@
-__version__ = "0.51.1"
+__version__ = "0.51.2"

github_backup/github_backup.py

@@ -37,22 +37,33 @@ FNULL = open(os.devnull, "w")
 FILE_URI_PREFIX = "file://"
 logger = logging.getLogger(__name__)
 
+# Setup SSL context with fallback chain
 https_ctx = ssl.create_default_context()
-if not https_ctx.get_ca_certs():
+if https_ctx.get_ca_certs():
-    import warnings
+    # Layer 1: Certificates pre-loaded from system (file-based)
+    pass
+else:
+    paths = ssl.get_default_verify_paths()
+    if (paths.cafile and os.path.exists(paths.cafile)) or (
+        paths.capath and os.path.exists(paths.capath)
+    ):
+        # Layer 2: Cert paths exist, will be lazy-loaded on first use (directory-based)
+        pass
+    else:
+        # Layer 3: Try certifi package as optional fallback
+        try:
+            import certifi
 
-    warnings.warn(
+            https_ctx = ssl.create_default_context(cafile=certifi.where())
-        "\n\nYOUR DEFAULT CA CERTS ARE EMPTY.\n"
+        except ImportError:
-        + "PLEASE POPULATE ANY OF:"
+            # All layers failed - no certificates available anywhere
-        + "".join(
+            sys.exit(
-            ["\n - " + x for x in ssl.get_default_verify_paths() if type(x) is str]
+                "\nERROR: No CA certificates found. Cannot connect to GitHub over SSL.\n\n"
-        )
+                "Solutions you can explore:\n"
-        + "\n",
+                "  1. pip install certifi\n"
-        stacklevel=2,
+                "  2. Alpine: apk add ca-certificates\n"
-    )
+                "  3. Debian/Ubuntu: apt-get install ca-certificates\n\n"
-    import certifi
+            )
-
-    https_ctx = ssl.create_default_context(cafile=certifi.where())
 
 
 def logging_subprocess(

requirements.txt

@@ -1 +0,0 @@
-