Description
@osanseviero thank you for looking into this issue.
Simply put, we built an API that receives questions or documents from a user through a web application in the front, and on the back end downloads ML models from huggingface.co in order to answer those questions or documents and encode new documents for search.
In order to connect to huggingface.co to download models, we require an SSL certificate. Without the cert, the following error comes up
The current fix requires that I download the certificate chain manually through my browser as follows
Note the hugging face SSL certificate expires very soon!
To install the certificate, I copy it over to my container in my Dockerfile and add the following lines of code to the application:
```python
import requests
import certifi

try:
    print('Checking connection to Huggingface...')
    test = requests.get('https://huggingface.co')
    print('Connection to Huggingface OK.')
except requests.exceptions.SSLError as err:
    print('SSL Error. Adding custom certs to Certifi store...')
    # Append the manually downloaded chain to the CA bundle that requests uses.
    cafile = certifi.where()
    with open('huggingface-co-chain.pem', 'rb') as infile:
        customca = infile.read()
    with open(cafile, 'ab') as outfile:
        outfile.write(customca)
    print('That might have worked.')
```
The main problem with this fix is that the certificate I download is only valid for a short period of time (one or two weeks).
- Ideally, we should be able to do this on the command line as part of the container build, but so far efforts to do so have not worked.
- The following command yields a chain of three certificates, while the ones downloaded from the browser have a chain of 4.

```
openssl s_client -showcerts -verify 5 -connect huggingface.co:443 < /dev/null
```

- The missing certificate appears to be the zScaler root CA, which shows up in the browser but not the command line.
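The three-versus-four comparison described above, as an added example that is not part of the original post: a TLS server normally leaves the self-signed root out of the chain it sends, so the last issuer that `openssl s_client -showcerts` prints names the root a client needs in its trust store. The sample output is constructed with placeholder CA names, and `parse_chain` and `analyse` are illustrative helpers.

```python
import re

# Constructed sample of the "Certificate chain" section that
# `openssl s_client -showcerts` prints; names are placeholders, PEM omitted.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = huggingface.co
   i:O = Example Corp, CN = Example Proxy Issuing CA
 1 s:O = Example Corp, CN = Example Proxy Issuing CA
   i:O = Example Corp, CN = Example Proxy Intermediate CA
 2 s:O = Example Corp, CN = Example Proxy Intermediate CA
   i:O = Example Corp, CN = Example Proxy Root CA
---
Server certificate
subject=CN = huggingface.co
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:\s*(.+?)\s*$")
ISSUER = re.compile(r"^\s+i:\s*(.+?)\s*$")


def parse_chain(output):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    chain, pending = [], None
    for line in output.splitlines():
        if m := SUBJECT.match(line):
            pending = (int(m.group(1)), m.group(2))
        elif (m := ISSUER.match(line)) and pending:
            chain.append((*pending, m.group(1)))
            pending = None
    return chain


def analyse(output, expected_org):
    """Name issuers the server did not send and flag an unexpected leaf issuer."""
    chain = parse_chain(output)
    if not chain:
        raise ValueError("no certificate chain found in output")
    subjects = {subject for _, subject, _ in chain}
    # An issuer that never appears as a subject was not sent by the server:
    # it has to come from the client's trust store (the root CA).
    missing = [issuer for _, _, issuer in chain if issuer not in subjects]
    # Heuristic only: compare the leaf issuer's O= field with the expected CA.
    org_ok = re.search(r"\bO\s*=\s*" + re.escape(expected_org), chain[0][2])
    return {"sent": len(chain), "missing_issuers": missing,
            "intercepted": org_ok is None}


if __name__ == "__main__":
    print(analyse(SAMPLE_OUTPUT, "Amazon"))
```

The name reported in `missing_issuers` is the root certificate to request from whoever administers the proxy; being a root, it is the piece of the chain that stays stable while the proxy re-issues short-lived leaf certificates.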
Activity
osanseviero commented on Mar 11, 2022
I think @SBrandeis might be able to help
XciD commented on Mar 14, 2022
Hello @prashansa, it seems like the zScaler root CA is a corporate SSL proxy certificate.
Amazon issues our certificate; you can check here: https://www.ssllabs.com/ssltest/analyze.html?d=huggingface.co&s=174.129.240.49&latest
You need to check with your company administrator to automate the zScaler root CA download.
prashansa commented on Mar 14, 2022
I don't understand why the above Amazon certificate has a longer validity, while the one in the screenshot I put shows a smaller time period of validity. Is zScaler shortening the validity?
Yes, this I will. Thanks!
XciD commented on Mar 15, 2022
Yes, seems like they shorten the validity.
prashansa commented on Mar 15, 2022
Ok! Thank you for clarifying this :)