@@ -259,6 +259,7 @@ def _setup_proxy_certificates(self):
259259
260260 Detects HTTPS_CA_CERTIFICATES environment variable and combines
261261 proxy certificates with system certificates for SSL verification.
262+ Supports both inline certificate content and file paths.
262263 """
263264 https_ca_certificates = os .getenv ("HTTPS_CA_CERTIFICATES" )
264265 if not https_ca_certificates :
@@ -268,10 +269,25 @@ def _setup_proxy_certificates(self):
268269 # Create secure temporary directory
269270 cert_dir = tempfile .mkdtemp (prefix = "opencti_proxy_certs_" )
270271
272+ # Determine if HTTPS_CA_CERTIFICATES contains inline content or file path
273+ cert_content = self ._get_certificate_content (https_ca_certificates )
274+ if not cert_content :
275+ self .app_logger .warning (
276+ "Invalid HTTPS_CA_CERTIFICATES: not a valid certificate or file path" ,
277+ {
278+ "value" : (
279+ https_ca_certificates [:50 ] + "..."
280+ if len (https_ca_certificates ) > 50
281+ else https_ca_certificates
282+ )
283+ },
284+ )
285+ return
286+
271287 # Write proxy certificate to temp file
272288 proxy_cert_file = os .path .join (cert_dir , "proxy-ca.crt" )
273289 with open (proxy_cert_file , "w" ) as f :
274- f .write (https_ca_certificates )
290+ f .write (cert_content )
275291
276292 # Find system certificates
277293 system_cert_paths = [
@@ -292,7 +308,7 @@ def _setup_proxy_certificates(self):
292308 break
293309
294310 # Add proxy certificate
295- combined .write (https_ca_certificates )
311+ combined .write (cert_content )
296312
297313 # Update ssl_verify to use combined certificate bundle
298314 self .ssl_verify = combined_cert_file
@@ -311,6 +327,52 @@ def _setup_proxy_certificates(self):
311327 "Failed to setup proxy certificates" , {"error" : str (e )}
312328 )
313329
330+ def _get_certificate_content (self , https_ca_certificates ):
331+ """Extract certificate content from environment variable.
332+
333+ Supports both inline certificate content (PEM format) and file paths.
334+
335+ :param https_ca_certificates: Content from HTTPS_CA_CERTIFICATES env var
336+ :type https_ca_certificates: str
337+ :return: Certificate content in PEM format or None if invalid
338+ :rtype: str or None
339+ """
340+ # Check if it's inline certificate content (starts with PEM header)
341+ if https_ca_certificates .strip ().startswith ("-----BEGIN CERTIFICATE-----" ):
342+ self .app_logger .debug (
343+ "HTTPS_CA_CERTIFICATES contains inline certificate content"
344+ )
345+ return https_ca_certificates
346+
347+ # Check if it's a file path
348+ if os .path .isfile (https_ca_certificates .strip ()):
349+ cert_file_path = https_ca_certificates .strip ()
350+ try :
351+ with open (cert_file_path , "r" ) as f :
352+ cert_content = f .read ()
353+ # Validate it's actually a certificate
354+ if "-----BEGIN CERTIFICATE-----" in cert_content :
355+ self .app_logger .debug (
356+ "HTTPS_CA_CERTIFICATES contains valid certificate file path" ,
357+ {"file_path" : cert_file_path },
358+ )
359+ return cert_content
360+ else :
361+ self .app_logger .warning (
362+ "File at HTTPS_CA_CERTIFICATES path does not contain valid certificate" ,
363+ {"file_path" : cert_file_path },
364+ )
365+ return None
366+ except Exception as e :
367+ self .app_logger .warning (
368+ "Failed to read certificate file" ,
369+ {"file_path" : cert_file_path , "error" : str (e )},
370+ )
371+ return None
372+
373+ # Neither inline content nor valid file path
374+ return None
375+
314376 def set_applicant_id_header (self , applicant_id ):
315377 self .request_headers ["opencti-applicant-id" ] = applicant_id
316378
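Review bot: The early `return` after the "Invalid HTTPS_CA_CERTIFICATES" warning in the second hunk runs after `cert_dir = tempfile.mkdtemp(...)` has already created a directory, so every startup with an unusable value leaks an empty `opencti_proxy_certs_` directory; move the `cert_content = self._get_certificate_content(https_ca_certificates)` call and its early-return block above the `mkdtemp` line (the rest of `_setup_proxy_certificates`, including its `except` handler, lies outside the hunk). That same warning logs the first 50 characters of the rejected value, and if an operator mistakenly points the variable at a private key or a key+cert bundle that slice contains the start of the key material, so log `{"length": len(https_ca_certificates)}` instead of the content. In `_get_certificate_content`, `"-----BEGIN CERTIFICATE-----" in cert_content` accepts any file that merely contains that substring and neither branch confirms the PEM actually parses, so a damaged bundle is only discovered when the first request fails verification. Passing the content through `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cadata=cert_content)` (needs `import ssl`) inside the existing `try` would reject it at startup with the existing "Failed to read certificate file" style warning.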