feat: add SSL_CA_FILE and SSL_VERIFY environment variables to support… (#894)

* feat: add SSL_CA_FILE and SSL_VERIFY environment variables to support self-signed certificates in self-hosted environments * fix: NoMethodError by defining SSL helper methods before configure block executes * refactor: Refactor SessionsController to use shared SslConfigurable module and simplify SSL initializer redundant checks * refactor: improve SSL configuration robustness and error detection accuracy * fix:HTTParty SSL options, add file validation guards, prevent Tempfile GC, and redact URLs in error logs * fix: Fix SSL concern indentation and stub Simplefin POST correctly in tests * fix: normalize ssl_verify to always return boolean instead of nil * fix: solve failing SimpleFin test * refactor: trim unused error-handling code from SslConfigurable, replace Tempfile with fixed-path CA bundle, fix namespace pollution in initializers, and add unit tests for core SSL configuration and Langfuse CRL callback. * fix: added require ileutils in the initializer and require ostruct in the test file. * fix: solve autoload conflict that broke provider loading, validate all certs in PEM bundles, and add missing requires.
2026-04-07 06:21:23 +00:00 · 2026-02-06 14:04:03 -03:00
parent 87117445fe
commit ba6e286b41
20 changed files with 824 additions and 42 deletions
--- a/.env.local.example
+++ b/.env.local.example
@@ -48,3 +48,36 @@ LANGFUSE_HOST = https://cloud.langfuse.com

 # Set to `true` to get error messages rendered in the /chats UI
 AI_DEBUG_MODE =
+
+# =============================================================================
+# SSL/TLS Configuration for Self-Signed Certificates
+# =============================================================================
+# Use these settings when connecting to services with self-signed or internal
+# CA certificates (e.g., self-hosted Keycloak, Authentik, or AI endpoints).
+#
+# SSL_CA_FILE: Path to custom CA certificate file (PEM format)
+#   - The certificate that signed your server's SSL certificate
+#   - Must be readable by the application
+#   - Will be validated at startup
+# SSL_CA_FILE = /certs/my-ca.crt
+#
+# SSL_VERIFY: Enable/disable SSL certificate verification
+#   - Default: true (verification enabled)
+#   - Set to "false" ONLY for development/testing
+#   - WARNING: Disabling removes protection against man-in-the-middle attacks
+# SSL_VERIFY = true
+#
+# SSL_DEBUG: Enable verbose SSL logging for troubleshooting
+#   - Default: false
+#   - When enabled, logs detailed SSL connection information
+#   - Useful for diagnosing certificate issues
+# SSL_DEBUG = false
+#
+# Example docker-compose.yml configuration:
+#   services:
+#     app:
+#       environment:
+#         SSL_CA_FILE: /certs/my-ca.crt
+#         SSL_DEBUG: "true"
+#       volumes:
+#         - ./my-ca.crt:/certs/my-ca.crt:ro