I truly despise certificate ecosystems. Every language does it a little bit differently, libraries use different environment variables, and operating systems are ever so slightly different (looking at you, Ubuntu and RHEL).

Thankfully, libraries that have become the de facto standard library have well-known configuration.

For example, the Python requests library uses:

export REQUESTS_CA_BUNDLE=/path/to/bundle

I was running into an issue where an application was using an OpenAPI-generated API in Python. When attempting to connect to our service using an internally signed certificate, it failed validation.

No worries, I thought, this happens all the time, I just need to find what environment variable OpenAPI needs to add this post code generation / at runtime.

This does not exist.

We are admittedly using an older version (4.3.1) of the openapi-generator-cli. But this configuration option does not exist in the latest version (7.10.0).

For version 5, they did make it better: the ssl_ca_cert will be None, and this will force urllib3 to load the system certificates (this would solve my problem, as we already update the OS CA bundles in the Dockerfile).

I would prefer to see it default to an environment variable check, falling back to None if it doesn't exist, to then fall back on the OS CA bundle. This would avoid code updates when trust needs to be changed.
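The lookup order described above (environment variable first, then None so the OS CA bundle is used), as an added example that is not openapi-generator's code or part of the original post. The function names are hypothetical, checking SSL_CERT_FILE as a second variable and failing closed on a bad path are this example's choices, and `configuration` is assumed to be the generated client's Configuration object exposing `ssl_ca_cert`.

```python
import os
import ssl
from typing import Mapping, Optional

# Variables checked in order. REQUESTS_CA_BUNDLE is the one requests honours;
# SSL_CERT_FILE is the OpenSSL convention. The order is this example's choice.
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")


def resolve_ca_bundle(env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Return a CA bundle path from the environment, or None for OS trust."""
    for name in CA_ENV_VARS:
        path = env.get(name, "").strip()
        if not path:
            continue
        # Fail closed: a variable that is set but points nowhere is a
        # deployment error, not a reason to silently trust something else.
        if not os.path.isfile(path) or not os.access(path, os.R_OK):
            raise FileNotFoundError(f"{name}={path!r} is not a readable file")
        return path
    return None


def build_ssl_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Verifying context: ca_file if given, otherwise the OS CA bundle."""
    # cafile=None makes the ssl module load the system default certificates.
    ctx = ssl.create_default_context(cafile=ca_file)
    # create_default_context already sets these; restated so a later edit
    # cannot quietly turn verification off.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def apply_to_generated_config(configuration,
                              env: Mapping[str, str] = os.environ) -> None:
    """Set ssl_ca_cert on a generated client's Configuration (hypothetical helper)."""
    # None here is what lets urllib3 fall back to the system certificates.
    configuration.ssl_ca_cert = resolve_ca_bundle(env)
```

With this in place, changing trust is a deployment change (set or unset the variable) rather than a code change, and certificate verification is never disabled on any path.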