Gitlab integration SSL problem

I’m trying to connect from Docker-based Sentry to our on-premise Gitlab and the SSL handshake doesn’t pass. I have added our CA certificate to the Sentry container manually and curl/openssl to our Gitlab is working without warnings, but for some reason Python doesn’t find the correct CA:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/sentry_plugins/gitlab/plugin.py", line 207, in validate_config
    client.get_project(repo)
  File "/usr/local/lib/python2.7/site-packages/sentry_plugins/gitlab/client.py", line 37, in get_project
    return self.request('GET', '/projects/{}'.format(quote(repo, safe='')))
  File "/usr/local/lib/python2.7/site-packages/sentry_plugins/gitlab/client.py", line 26, in request
    allow_redirects=False,
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 501, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/sentry/http.py", line 154, in request
    response = requests.Session.request(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/raven/breadcrumbs.py", line 297, in send
    resp = real_send(self, request, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/sentry/http.py", line 146, in send
    return super(BlacklistAdapter, self).send(request, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)
10:36:17 [ERROR] sentry.plugins.gitlab: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

How can I tell Sentry where the CA is located, or turn off certificate verification?

You should be able to set the environment variable REQUESTS_CA_BUNDLE and point it to your own bundle. I have not tried this personally, just reading documentation for the library that we use: Advanced Usage — Requests 2.31.0 documentation

This list of trusted CAs can also be specified through the REQUESTS_CA_BUNDLE environment variable.
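An added example, not part of the original thread or of Sentry's code: a stdlib-only sketch of the lookup order requests applies when verification is on (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then its own default bundle rather than the system store that curl/openssl read), plus a check that the chosen bundle contains the internal CA. All function names and file paths are hypothetical, and the "certificates" are constructed stand-in bytes, not real X.509.

```python
import hashlib
import os
import re
import ssl
import tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def effective_ca_bundle(environ, default_bundle):
    """Mirror the order requests uses when verify=True and trust_env=True."""
    return (environ.get("REQUESTS_CA_BUNDLE")
            or environ.get("CURL_CA_BUNDLE")
            or default_bundle)

def fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate block in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}

def bundle_trusts(bundle_path, ca_pem):
    """True only if every certificate in ca_pem is present in the bundle file."""
    wanted = fingerprints(ca_pem)
    with open(bundle_path) as fh:
        return bool(wanted) and wanted <= fingerprints(fh.read())

def build_combined_bundle(default_bundle, ca_pem, out_path):
    """Append the internal CA to a copy of the default bundle, so public
    hosts still verify after REQUESTS_CA_BUNDLE points at the new file."""
    with open(default_bundle) as fh:
        base = fh.read()
    with open(out_path, "w") as fh:
        fh.write(base.rstrip("\n") + "\n" + ca_pem.strip() + "\n")
    return out_path

def demo():
    # Constructed stand-ins: PEM framing around arbitrary bytes.
    public = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: public root")
    internal = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: internal GitLab CA")
    tmp = tempfile.mkdtemp()
    default = os.path.join(tmp, "default.pem")
    with open(default, "w") as fh:
        fh.write(public)
    before = bundle_trusts(default, internal)  # the state behind the traceback
    combined = build_combined_bundle(default, internal, os.path.join(tmp, "combined.pem"))
    chosen = effective_ca_bundle({"REQUESTS_CA_BUNDLE": combined}, default)
    return before, bundle_trusts(chosen, internal), chosen

if __name__ == "__main__":
    print(demo())
```

In a container, the variable has to be set in the environment of the Sentry processes themselves (for example through the container's environment settings), not only in an interactive shell.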

Thanks for the fast and correct answer, I got it working!