webhooks: allow overwriting certificate bundle used to verify requests #2874

New Issue

Closed

opened 2025-12-29 18:22:58 +01:00 by adam · 3 comments

adam commented 2025-12-29 18:22:58 +01:00

Owner

Copy Link

Originally created by @uedvt359 on GitHub (Sep 13, 2019).

Environment

• Python version: 3.6.8
• NetBox version: v2.6.3

Proposed Functionality

Requests, which is used to call webhooks, vendors its own CA bundle. This is a problem in our environment, where we sign our certs with our own internal CA. You can override the used CA bundle by setting session.verify to a path (instead of True).

We propose adding a configuration option to set the path to the CA bundle used to verify TLS certificates. We have implemented the changes already in this branch (direct link to commit), and will open a PR once this enhancement gets accepted.

Use Case

We sign our internal certificates with our own (internal; non-default) CA. Adding such a configuration flag would allow us to turn on certificate verification for webhooks.

Database Changes

none.

External Dependencies

none.

Originally created by @uedvt359 on GitHub (Sep 13, 2019). ### Environment * Python version: 3.6.8 * NetBox version: v2.6.3 <!-- Describe in detail the new functionality you are proposing. Include any specific changes to work flows, data models, or the user interface. --> ### Proposed Functionality Requests, which is used to call webhooks, vendors its own CA bundle. This is a problem in our environment, where we sign our certs with our own internal CA. You can override the used CA bundle by setting session.verify to a path (instead of True). We propose adding a configuration option to set the path to the CA bundle used to verify TLS certificates. We have implemented the [changes already in this branch](https://github.com/dvtirol/netbox/tree/pr-cabundle) ([direct link to commit](https://github.com/dvtirol/netbox/commit/88c6a8be0150ac62e47bc9667f4dde41fe333353)), and will open a PR once this enhancement gets accepted. <!-- Convey an example use case for your proposed feature. Write from the perspective of a NetBox user who would benefit from the proposed functionality and describe how. ---> ### Use Case We sign our internal certificates with our own (internal; non-default) CA. Adding such a configuration flag would allow us to turn on certificate verification for webhooks. <!-- Note any changes to the database schema necessary to support the new feature. For example, does the proposal require adding a new model or field? (Not all new features require database changes.) ---> ### Database Changes none. <!-- List any new dependencies on external libraries or services that this new feature would introduce. For example, does the proposal require the installation of a new Python package? (Not all new features introduce new dependencies.) --> ### External Dependencies none.

adam added the status: acceptedtype: feature labels 2025-12-29 18:22:58 +01:00

adam closed this issue 2025-12-29 18:22:58 +01:00

adam commented 2025-12-29 18:22:59 +01:00

Author

Owner

Copy Link

@tyler-8 commented on GitHub (Sep 27, 2019):

requests is actually using the certifi package for CA information. The better solution, rather than modifying netbox IMO, is to follow the outline here: https://incognitjoe.github.io/adding-certs-to-requests.html and append your internal CAs to the certifi bundle.

@tyler-8 commented on GitHub (Sep 27, 2019): `requests` is actually using the `certifi` package for CA information. The better solution, rather than modifying `netbox` IMO, is to follow the outline here: https://incognitjoe.github.io/adding-certs-to-requests.html and append your internal CAs to the `certifi` bundle.

adam commented 2025-12-29 18:22:59 +01:00

Author

Owner

Copy Link

@uedvt359 commented on GitHub (Sep 30, 2019):

Thanks for your reply.

We'd rather not modify certifi, for two reasons:

1. This will become reverted with every update to the library, increasing maintenance costs and (if someone forgets to monkey-patch it back in) breakage of the webhooks.
2. We use the same virtual environment for multiple programs on multiple hosts. We need to be able to verify certs signed by public CAs in some applications, and only certs signed by us in others (including Netbox).
3. To me, and this is purely subjectively, modifying certifi is the wrong layer to handle this. Requests supports supplying a custom CAbundle, only Netbox doesn't expose that functionality.

While not relevant for us directly, some distributions patch certifi to use the system CA bundle. With such a setup, using a custom CA just for validating webhooks becomes impossible without clobbering certs for the whole system.

For all these reasons I still believe that such a configuration option is useful to have in Netbox.

@uedvt359 commented on GitHub (Sep 30, 2019): Thanks for your reply. We'd rather not modify certifi, for two reasons: 1. This will become reverted with every update to the library, increasing maintenance costs and (if someone forgets to monkey-patch it back in) breakage of the webhooks. 2. We use the same virtual environment for multiple programs on multiple hosts. We need to be able to verify certs signed by public CAs in some applications, and only certs signed by us in others (including Netbox). 3. To me, and this is purely subjectively, modifying certifi is the wrong layer to handle this. Requests supports supplying a custom CAbundle, only Netbox doesn't expose that functionality. While not relevant for us directly, [some distributions](https://src.fedoraproject.org/rpms/python-certifi/blob/master/f/certifi-2018.10.15-use-system-cert.patch) patch certifi to use the system CA bundle. With such a setup, using a custom CA just for validating webhooks becomes impossible without clobbering certs for the whole system. For all these reasons I still believe that such a configuration option is useful to have in Netbox.

adam commented 2025-12-29 18:22:59 +01:00

Author

Owner

Copy Link

@lampwins commented on GitHub (Oct 13, 2019):

IMO @uedvt359 is correct here. The certifi method makes more sense if you control the flow end to end. Adding a CA file path field to the Webhook model on the other hand is more explicit and would be less error-prone for users.

@lampwins commented on GitHub (Oct 13, 2019): IMO @uedvt359 is correct here. The certifi method makes more sense if you control the flow end to end. Adding a CA file path field to the Webhook model on the other hand is more explicit and would be less error-prone for users.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label status: accepted type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#2874