Commit Graph

3 Commits

Author SHA1 Message Date
8fd23f7ea1 refactor(ssl): centralize SSL trust management, remove LLM_SSL_VERIFY
Centralized SSL via one contract: CERTS_PATH=/opt/certs mounted into all containers.

Backend:
  - NEW: backend/src/core/ssl.py — system_ssl_context(), httpx_verify(),
    cert_dir_inventory()
  - LLMClient._get_ssl_verify() → delegates to core.ssl
  - _llm_async_http._get_verify() → delegates to core.ssl
  - Removed LLM_SSL_VERIFY env reading from all runtime code

Docker:
  - NEW: docker/certs.sh — shared cert installer (PEM/DER/cer to .crt conversion,
    update-ca-certificates, hash symlinks, NSS import)
  - NEW: docker/agent.entrypoint.sh — agent entrypoint with cert installation
  - backend.entrypoint.sh → uses certs.sh instead of install_llm_ca_certs
  - Dockerfile.agent → adds ca-certificates, openssl, entrypoint

Compose:
  - Removed LLM_CA_CERT_URLS and LLM_SSL_VERIFY from all compose files
  - Added CERTS_PATH volume mount to agent (dev + enterprise)
  - Added certs volume mount to backend/agent in dev compose

Env examples:
  - Removed LLM_SSL_VERIFY, LLM_CA_CERT_URLS from .env.example,
    .env.enterprise-clean.example, .env.current.example, .env.master.example,
    backend/.env.example
  - Enhanced CERTS_PATH comments with accepted formats

Diagnostics:
  - diag_container.py: removed LLM_* checks, added CERTS_PATH inventory,
    uses core.ssl for context creation

Tests:
  - Updated test_llm_analysis_service, test_llm_async_http,
    test_client_headers to verify centralized ssl context (no env disable)
  - 4/4 SSL tests pass
2026-07-06 21:00:28 +03:00
43e3f4135e fix(scripts): fix --target arg parsing in diag_container.py 2026-07-06 20:37:22 +03:00
bcabe90e13 feat(scripts): add container diagnostic script for SSL cert + encryption health
Checks 6 categories:
  1. Environment — ENCRYPTION_KEY, LLM_SSL_VERIFY, LLM_CA_CERT_URLS
  2. System CA store — ca-certificates.crt, custom/LLM certs, hash symlinks
  3. OpenSSL connectivity — cafile vs capath (per ADR-0009 Finding 7)
  4. Python SSLContext(capath) — what _get_ssl_verify() uses
  5. httpx(capath) — integration test
  6. Encryption key health — decrypt test for all LLM provider api_keys

Usage:
  docker cp scripts/diag_container.py superset-tools-backend-1:/tmp/
  docker compose exec backend python3 /tmp/diag_container.py --target lite.ai.rusal.com:443
2026-07-06 20:27:03 +03:00