Is there any possibility the Request session for spooling doesn't include the verify cert

[lozbrown]

I've spent most of the day trying to diagnose an issue where when spooling occurs we see
CERTIFICATE_VERIFY_FAILED for users using the sql_engine in downstream code

The cert we pass into the create_engine seems valid, is there any way the requests session that used to pull the spooled segments picks up a different cert?

@wendigo

[wendigo]

@lozbrown no idea, @hashhar do you happen to know?

[hashhar]

If you mean cert param to create_engine that's used to setup CertificateAuthentication. That's not the cert used for HTTP connections. See

trino-python-client/trino/sqlalchemy/dialect.py

Lines 141 to 142 in df08367

	if "cert" in url.query and "key" in url.query:
	kwargs["auth"] = CertificateAuthentication(unquote_plus(url.query['cert']), unquote_plus(url.query['key']))

What you're probably looking for is instead verify or http_session - see

trino-python-client/trino/dbapi.py

Lines 159 to 160 in df08367

	verify=True,
	http_session=None,

(the latter is not exposed via sqlalchemy interface but you can probably monkey patch the http_session on the internal dbapi instance in the client to test).

And no, I can't see anywhere in the code where a different requests session is created - we always reuse the one created initially.

However I think there's a bug here -

trino-python-client/trino/client.py

Lines 489 to 493 in df08367

	if http_session is not None:
	self._http_session = http_session
	else:
	self._http_session = self.http.Session()
	self._http_session.verify = verify

. We don't seem to honor verify if a custom http_session is also passed which seems wrong maybe?

[lozbrown]

I think this was a bug that was fixed in 334 with verify not being passed to the session used for spooling