From 63de52f511f9c741fac68877d5433fb23c833f4a Mon Sep 17 00:00:00 2001 From: Andrei Tsaregorodtsev Date: Mon, 3 Nov 2025 14:05:10 +0100 Subject: [PATCH 1/3] fix: use DIRACX_CA_PATH if set to communicate to diracx and minIO --- src/DIRAC/FrameworkSystem/Utilities/diracx.py | 2 ++ .../WorkloadManagementSystem/Service/SandboxStoreHandler.py | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/DIRAC/FrameworkSystem/Utilities/diracx.py b/src/DIRAC/FrameworkSystem/Utilities/diracx.py index 631e4167c3e..1174fce881f 100644 --- a/src/DIRAC/FrameworkSystem/Utilities/diracx.py +++ b/src/DIRAC/FrameworkSystem/Utilities/diracx.py @@ -27,6 +27,8 @@ DEFAULT_TOKEN_CACHE_SIZE = 1024 legacy_exchange_session = requests.Session() +diracxUrl = gConfig.getValue("/DiracX/URL") +legacy_exchange_session.verify = DiracxPreferences(url=diracxUrl).ca_path or True def get_token( diff --git a/src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py b/src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py index d4da3c70735..b5e23557077 100755 --- a/src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py +++ b/src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py @@ -126,7 +126,8 @@ def _getFromClient(self, fileId, token, fileSize, fileHelper=None, data=""): gLogger.debug("Uploading sandbox for", res.pfn) files = {"file": ("file", tar_fh)} - response = requests.post(res.url, data=res.fields, files=files, timeout=300) + verify = os.environ.get("DIRACX_CA_PATH", True) + response = requests.post(res.url, data=res.fields, files=files, timeout=300, verify=verify) gLogger.debug("Sandbox uploaded", f"for {res.pfn} with status code {response.status_code}") # TODO: Handle this error better From beaf1fdcdf10c155c382f6ee8cc3da03fcd14a20 Mon Sep 17 00:00:00 2001 From: Andrei Tsaregorodtsev Date: Mon, 3 Nov 2025 17:41:04 +0100 Subject: [PATCH 2/3] fix: use CAs from DIRACX_CA_PATH for downloads also --- .../WorkloadManagementSystem/Service/SandboxStoreHandler.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py b/src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py index b5e23557077..653a9a8883f 100755 --- a/src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py +++ b/src/DIRAC/WorkloadManagementSystem/Service/SandboxStoreHandler.py @@ -372,7 +372,8 @@ def _sendToClient(self, fileID, token, fileHelper=None, raw=False): if filePath.startswith("/S3"): with TheImpersonator(credDict, source="SandboxStore") as client: res = client.jobs.get_sandbox_file(pfn=filePath) - r = requests.get(res.url) + verify = os.environ.get("DIRACX_CA_PATH", True) + r = requests.get(res.url, verify=verify) r.raise_for_status() sbData = r.content if fileHelper: From f690a746c45d2474d02ed0fe46d430a00afd0692 Mon Sep 17 00:00:00 2001 From: Andrei Tsaregorodtsev Date: Thu, 13 Nov 2025 14:54:49 +0100 Subject: [PATCH 3/3] fix: take the CA's file path from the DIRACX_CA_PATH environment --- src/DIRAC/FrameworkSystem/Utilities/diracx.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/DIRAC/FrameworkSystem/Utilities/diracx.py b/src/DIRAC/FrameworkSystem/Utilities/diracx.py index 1174fce881f..a722b2b8787 100644 --- a/src/DIRAC/FrameworkSystem/Utilities/diracx.py +++ b/src/DIRAC/FrameworkSystem/Utilities/diracx.py @@ -1,4 +1,5 @@ import requests +import os from cachetools import TTLCache, LRUCache, cached from cachetools.keys import hashkey @@ -27,8 +28,8 @@ DEFAULT_TOKEN_CACHE_SIZE = 1024 legacy_exchange_session = requests.Session() -diracxUrl = gConfig.getValue("/DiracX/URL") -legacy_exchange_session.verify = DiracxPreferences(url=diracxUrl).ca_path or True +# Get CA's location from DIRACX_CA_PATH if defined or from the standard location +legacy_exchange_session.verify = os.environ.get("DIRACX_CA_PATH", True) def get_token(