Respect the Qgis SSL configuration on trusted certificates and trusted root CA configured in settings#870
Open
lleirborras wants to merge 4 commits intoMerginMaps:masterfrom
Open
Conversation
Contributor
|
Hi @lleirborras thanks for PR, we will take a look at this. |
wonder-sk
reviewed
Feb 23, 2026
Contributor
wonder-sk
left a comment
wonder-sk
left a comment
There was a problem hiding this comment.
Thanks for your contribution!
Nice idea to use QGIS trusted CA certs - I thought QGIS API provided only the custom ones added by the user, but it actually returns all of them, so we don't need to deal with truststore module...
wonder-sk
reviewed
Feb 23, 2026
trusted root CA configured in settings
- Decode QByteArray returned by trustedCaCertsPemText() to str before writing - Always replace the QGIS CA section in cert.pem instead of append-only, so stale certs from previous sessions are refreshed - Call setup_qgis_ssl_for_mergin_client() in initGui() where the auth manager is guaranteed to be ready, and also before each MerginClient creation in validate_mergin_url() and mergin_server_deprecated_version()
….pem Replace the macOS-specific cert.pem file patching with a call to mergin.client.set_trusted_certificates(cafile), a new API to be added to python-api-client. The mergin client module stores the extra CA file path and loads it alongside its default bundle (system CAs on Linux/Windows, bundled cert.pem on macOS) whenever a MerginClient is instantiated. This avoids mutating files inside the installed plugin directory and ensures CAs are always up to date (the PEM file is rewritten on every call). A hasattr guard keeps the code compatible with older py-client versions that don't have the new function yet. Remove the sys import that was only needed for the platform check.
- Remove the module-level setup_qgis_ssl_for_mergin_client() call; the auth manager is not guaranteed to be ready at import time - In initGui(), replace bare except Exception: pass with a logged warning so SSL setup failures are visible in the QGIS message log
lleirborras
force-pushed
the
fix/custom-ssl-ca
branch
from
36c9e3b to
691f8ec
Compare
Author
|
Ciao @wonder-sk I've went ahead, reimplemented the solution and also rebased the changes on the updated master. Let me know |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Also, fixes #820