Add support for self-signed SSL certs on self-hosted GitLab instances

Hey guys,

I'm just playing around with Meltano and our self-hosted internal GitLab instance and I am getting errors like this:

meltano-ui_1  | INFO Starting sync
meltano-ui_1  | INFO Skipping stream: merge_request_commits
meltano-ui_1  | INFO Skipping stream: epics
meltano-ui_1  | INFO Skipping stream: epic_issues
meltano-ui_1  | INFO Skipping stream: pipelines_extended
meltano-ui_1  | INFO GET https://internal.git.lan/api/v4/groups/supergroup
meltano-ui_1  | INFO Backing off request(...) for 1.6s (requests.exceptions.SSLError: HTTPSConnectionPool(host='internal.git.lan', port=443): Max retries exceeded with url: /api/v4/groups/supergroup (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)))
meltano-ui_1  | INFO GET https://internal.git.lan/api/v4/groups/supergroup
meltano-ui_1  | INFO Backing off request(...) for 1.1s (requests.exceptions.SSLError: HTTPSConnectionPool(host='internal.git.lan', port=443): Max retries exceeded with url: /api/v4/groups/supergroup (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)))
meltano-ui_1  | INFO GET https://internal.git.lan/api/v4/groups/supergroup
meltano-ui_1  | INFO Backing off request(...) for 5.6s (requests.exceptions.SSLError: HTTPSConnectionPool(host='internal.git.lan', port=443): Max retries exceeded with url: /api/v4/groups/supergroup (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)))
meltano-ui_1  | INFO GET https://internal.git.lan/api/v4/groups/supergroup
meltano-ui_1  | INFO Backing off request(...) for 15.2s (requests.exceptions.SSLError: HTTPSConnectionPool(host='internal.git.lan', port=443): Max retries exceeded with url: /api/v4/groups/supergroup (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)))
meltano-ui_1  | INFO GET https://internal.git.lan/api/v4/groups/supergroup
meltano-ui_1  | ERROR Giving up request(...) after 5 tries (requests.exceptions.SSLError: HTTPSConnectionPool(host='internal.git.lan', port=443): Max retries exceeded with url: /api/v4/groups/supergroup (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)))
meltano-ui_1  | CRITICAL HTTPSConnectionPool(host='internal.git.lan', port=443): Max retries exceeded with url: /api/v4/groups/supergroup (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
meltano-ui_1  | Traceback (most recent call last):
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
meltano-ui_1  |     chunked=chunked)
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
meltano-ui_1  |     self._validate_conn(conn)
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
meltano-ui_1  |     conn.connect()
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/urllib3/connection.py", line 344, in connect
meltano-ui_1  |     ssl_context=context)
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 345, in ssl_wrap_socket
meltano-ui_1  |     return context.wrap_socket(sock, server_hostname=server_hostname)
meltano-ui_1  |   File "/usr/local/lib/python3.6/ssl.py", line 407, in wrap_socket
meltano-ui_1  |     _context=self, _session=session)
meltano-ui_1  |   File "/usr/local/lib/python3.6/ssl.py", line 817, in __init__
meltano-ui_1  |     self.do_handshake()
meltano-ui_1  |   File "/usr/local/lib/python3.6/ssl.py", line 1077, in do_handshake
meltano-ui_1  |     self._sslobj.do_handshake()
meltano-ui_1  |   File "/usr/local/lib/python3.6/ssl.py", line 689, in do_handshake
meltano-ui_1  |     self._sslobj.do_handshake()
meltano-ui_1  | ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
meltano-ui_1  | 
meltano-ui_1  | During handling of the above exception, another exception occurred:
meltano-ui_1  | 
meltano-ui_1  | Traceback (most recent call last):
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
meltano-ui_1  |     timeout=timeout
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
meltano-ui_1  |     _stacktrace=sys.exc_info()[2])
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
meltano-ui_1  |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
meltano-ui_1  | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='internal.git.lan', port=443): Max retries exceeded with url: /api/v4/groups/supergroup (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
meltano-ui_1  | 
meltano-ui_1  | During handling of the above exception, another exception occurred:
meltano-ui_1  | 
meltano-ui_1  | Traceback (most recent call last):
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/bin/tap-gitlab", line 8, in <module>
meltano-ui_1  |     sys.exit(main())
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/tap_gitlab/__init__.py", line 860, in main
meltano-ui_1  |     raise exc
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/tap_gitlab/__init__.py", line 857, in main
meltano-ui_1  |     main_impl()
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/tap_gitlab/__init__.py", line 852, in main_impl
meltano-ui_1  |     do_sync()
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/tap_gitlab/__init__.py", line 807, in do_sync
meltano-ui_1  |     sync_group(gid, pids)
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/tap_gitlab/__init__.py", line 605, in sync_group
meltano-ui_1  |     data = request(url).json()
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/backoff/_sync.py", line 94, in retry
meltano-ui_1  |     ret = target(*args, **kwargs)
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/tap_gitlab/__init__.py", line 229, in request
meltano-ui_1  |     resp = SESSION.send(req)
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/requests/sessions.py", line 637, in send
meltano-ui_1  |     r = adapter.send(request, **kwargs)
meltano-ui_1  |   File "/project/.meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
meltano-ui_1  |     raise SSLError(e, request=request)
meltano-ui_1  | requests.exceptions.SSLError: HTTPSConnectionPool(host='internal.git.lan', port=443): Max retries exceeded with url: /api/v4/groups/supergroup (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

I think this is a pretty standard one, but I can't find a clean way to fix this. What works is to install our cert in the Docker container with:

RUN apt-get update && apt-get install -y ca-certificates
RUN update-ca-certificates --fresh

ENV TAP_GITLAB_API_URL https://internal.git.lan

And then add a line in .meltano/extractors/tap-gitlab/venv/lib/python3.6/site-packages/tap_gitlab/__init__.py (here):

LOGGER = singer.get_logger()
SESSION = requests.Session()
# This works
SESSION.verify = "/etc/ssl/certs/ca-certificates.crt"

... I guess SESSION.verify = False would also work.

I am not really a Python guy, but from what I read, setting the env vars REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt or CURL_CA_BUNDLE=/usr/local/share/ca-certificates/ca.crt should also work, but they do not.

Is there a clean way to do this without modifying code inside the .meltano folder?

regards and thanks!
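
An added example (not part of the original post and not tap-gitlab's code): the traceback shows the tap calling `SESSION.send(req)` on a prepared request, and in `requests` that code path does not read `REQUESTS_CA_BUNDLE` or `CURL_CA_BUNDLE`; only `Session.request()` merges environment settings. The sketch below shows the difference offline and how merging the environment settings before `send()` keeps certificate verification on against the internal CA. `RecordingAdapter` and `verify_used` are hypothetical names for this demo.

```python
import os

import requests
from requests.adapters import BaseAdapter

CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"           # path from the post
URL = "https://internal.git.lan/api/v4/groups/supergroup"  # URL from the log


class RecordingAdapter(BaseAdapter):
    """Offline stand-in for HTTPAdapter: records the `verify` value it receives."""

    def __init__(self):
        super().__init__()
        self.seen_verify = None

    def send(self, request, **kwargs):
        self.seen_verify = kwargs.get("verify")
        resp = requests.Response()  # constructed response, no network I/O
        resp.status_code = 200
        resp.url = request.url
        resp.request = request
        return resp

    def close(self):
        pass


def verify_used(merge_env):
    """Return the `verify` setting that reaches the transport adapter."""
    previous = os.environ.get("REQUESTS_CA_BUNDLE")
    os.environ["REQUESTS_CA_BUNDLE"] = CA_BUNDLE
    try:
        session = requests.Session()
        adapter = RecordingAdapter()
        session.mount("https://", adapter)
        req = session.prepare_request(requests.Request("GET", URL))
        settings = {}
        if merge_env:
            # What Session.request() does internally; Session.send() skips it.
            settings = session.merge_environment_settings(
                req.url, {}, None, None, None
            )
        session.send(req, **settings)
        return adapter.seen_verify
    finally:
        if previous is None:
            del os.environ["REQUESTS_CA_BUNDLE"]
        else:
            os.environ["REQUESTS_CA_BUNDLE"] = previous
```

With `merge_env=False` the adapter sees `verify=True` (the default certifi bundle, which does not contain the internal CA); with `merge_env=True` it sees the bundle path from the environment, so no `verify = False` is needed.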