[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

[canob]

Hi!

Is right now a solution to handle connections to services with SSL self signed certificates, when you create a connector with the airbyte-connector-builder-server?

This is really a big stopper for many internal projects and for use Airbyte as "the" ETL solution right now, because deal with SSL self signed certificates services with on-premise OSS Airbyte deploys is really common, :(

I tried many proposed solutions on Airbyte Slack Channel (for example, add the CA Certificate of my service to airbyte-connector-builder-server pod), but no one worked.

Any piece of advice?

Thanks in advance for your help.

[avinashmohanraju]

Yes, I’ve faced the same issue with self-signed certificates when using Airbyte connector builder. What finally worked for me was setting up a Kubernetes admission webhook that injects the custom CA into Airbyte job pods using environment variables and a ConfigMap.

The webhook mounts a custom-ca ConfigMap into all Airbyte namespace pods and adds these environment variables:

• REQUESTS_CA_BUNDLE
• SSL_CERT_FILE
• CURL_CA_BUNDLE

With this setup, Python requests, OpenSSL, and curl in the job pods can trust internal self-signed certificates. Non-Python/curl pods are unaffected; they just see a harmless read-only volume and extra environment variables.

I first tested it on a manual pod to confirm connectivity, and then it worked seamlessly for dynamic Airbyte job pods as well. The key is that the webhook should mutate all Airbyte namespace pods except Kubernetes system pods, so the CA is always injected automatically without modifying base images or adding init containers.

Hope it helps :-)

[canob]

Hi @avinashmohanraju ,

Thanks for your answer. Even that your solution sounds valid, what is really not understandable to my, is why the developers of Airbyte didn´t add a simple check box that allow the connectors built with the Airbyte Connector Builder to allow self signed certificates in an easy way...

I'm going to try your solution with Kubernetes Admission Webhook, but maybe it is out of my technical skills with Kubernetes right now.

Thanks again.