Skip to content

Commit dc8a648

Browse files
author
metalmon
committed
docs: add SSL certificate verification configuration documentation
Add comprehensive documentation for SSL certificate verification options: - push_relay_verify_ssl: for push notification relay server - frappe_mail_verify_ssl: for Frappe Mail service Documentation includes: - Configuration examples - Security warnings - Troubleshooting guide - Best practices Also update docstrings in code to reference the documentation.
1 parent c1b1ec4 commit dc8a648

3 files changed

Lines changed: 122 additions & 1 deletion

File tree

frappe/SSL_CONFIG.md

Lines changed: 108 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,108 @@
1+
# SSL Certificate Verification Configuration
2+
3+
This document describes SSL certificate verification settings available in `site_config.json` for Frappe Framework services that connect to external HTTPS endpoints.
4+
5+
## Overview
6+
7+
By default, Frappe Framework verifies SSL certificates when making HTTPS requests to external services. However, in some deployment scenarios (e.g., behind Traefik with self-signed certificates), you may need to disable SSL certificate verification.
8+
9+
> **⚠️ Security Warning**: Disabling SSL certificate verification reduces security and should only be used in controlled environments with self-signed certificates. Never disable SSL verification in production unless absolutely necessary.
10+
11+
## Configuration Options
12+
13+
### Push Notification Relay SSL Verification
14+
15+
**Option**: `push_relay_verify_ssl`
16+
17+
**Description**: Controls SSL certificate verification when connecting to the push notification relay server.
18+
19+
**Default**: `1` (enabled)
20+
21+
**Values**:
22+
- `1` or `"1"` or `"true"`: Enable SSL certificate verification (default, recommended)
23+
- `0` or `"0"` or `"false"`: Disable SSL certificate verification
24+
25+
**Example** (`site_config.json`):
26+
```json
27+
{
28+
"push_relay_server_url": "https://push.example.com",
29+
"push_relay_verify_ssl": 0
30+
}
31+
```
32+
33+
**Use Case**: Use when the push notification relay server uses self-signed certificates (e.g., behind Traefik reverse proxy).
34+
35+
---
36+
37+
### Frappe Mail Service SSL Verification
38+
39+
**Option**: `frappe_mail_verify_ssl`
40+
41+
**Description**: Controls SSL certificate verification when connecting to the Frappe Mail service API.
42+
43+
**Default**: `1` (enabled)
44+
45+
**Values**:
46+
- `1` or `"1"` or `"true"`: Enable SSL certificate verification (default, recommended)
47+
- `0` or `"0"` or `"false"`: Disable SSL certificate verification
48+
49+
**Example** (`site_config.json`):
50+
```json
51+
{
52+
"frappe_mail_site": "https://mail.example.com",
53+
"frappe_mail_verify_ssl": 0
54+
}
55+
```
56+
57+
**Use Case**: Use when the Frappe Mail service uses self-signed certificates (e.g., self-hosted Frappe Mail instance behind Traefik).
58+
59+
---
60+
61+
## Complete Example
62+
63+
For a deployment behind Traefik with self-signed certificates:
64+
65+
```json
66+
{
67+
"db_name": "your_database",
68+
"db_password": "your_password",
69+
"push_relay_server_url": "https://push.example.com",
70+
"push_relay_verify_ssl": 0,
71+
"frappe_mail_verify_ssl": 0
72+
}
73+
```
74+
75+
## Implementation Details
76+
77+
- Both options use the `sbool()` function to parse configuration values, supporting `1/0`, `"1"/"0"`, and `"true"/"false"` formats
78+
- If the option is not specified, SSL verification is enabled by default (`True`)
79+
- The configuration is read from `site_config.json` using `frappe.conf.get()`
80+
- Changes to `site_config.json` require a Frappe process restart to take effect
81+
82+
## Related Code
83+
84+
- Push Notifications: `frappe/push_notification.py``_send_post_request()` method
85+
- Frappe Mail: `frappe/email/frappemail.py``get_client()` method
86+
87+
## Troubleshooting
88+
89+
### SSL Certificate Verification Errors
90+
91+
If you encounter errors like:
92+
```
93+
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate
94+
```
95+
96+
1. Verify that the external service is using a self-signed certificate
97+
2. Add the appropriate configuration option (`push_relay_verify_ssl` or `frappe_mail_verify_ssl`) to `site_config.json`
98+
3. Set the value to `0` to disable verification
99+
4. Restart the Frappe processes
100+
101+
### Security Best Practices
102+
103+
1. **Use valid SSL certificates**: Whenever possible, use properly signed SSL certificates from a trusted Certificate Authority (CA)
104+
2. **Limit scope**: Only disable SSL verification for specific services that require it
105+
3. **Document changes**: Document why SSL verification was disabled in your deployment
106+
4. **Monitor**: Regularly review and audit configurations that disable SSL verification
107+
5. **Consider alternatives**: For self-signed certificates, consider adding the CA certificate to the system's trust store instead of disabling verification
108+

frappe/email/frappemail.py

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,13 @@ def get_client(
3939
api_secret: str | None = None,
4040
access_token: str | None = None,
4141
) -> FrappeClient | FrappeOAuth2Client:
42-
"""Returns a FrappeClient or FrappeOAuth2Client instance."""
42+
"""Returns a FrappeClient or FrappeOAuth2Client instance.
43+
44+
SSL Verification:
45+
SSL certificate verification can be controlled via `frappe_mail_verify_ssl` in site_config.json.
46+
Set to 0 to disable verification for self-signed certificates.
47+
See frappe/SSL_CONFIG.md for more details.
48+
"""
4349

4450
if hasattr(frappe.local, "frappe_mail_clients"):
4551
if client := frappe.local.frappe_mail_clients.get(email):
@@ -49,6 +55,7 @@ def get_client(
4955

5056
# Get SSL verification setting from config, default to True
5157
# Set to 0 in site_config.json to disable SSL verification for self-signed certificates
58+
# See frappe/SSL_CONFIG.md for documentation
5259
verify_ssl_config = frappe.conf.get("frappe_mail_verify_ssl")
5360
if verify_ssl_config is not None:
5461
verify_ssl = sbool(verify_ssl_config)

frappe/push_notification.py

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -235,6 +235,11 @@ def _send_post_request(self, method: str, params: dict, use_authentication: bool
235235
:param params: (dict) The parameters to be sent with the request.
236236
:param use_authentication: (bool) Whether to use authentication or not.
237237
:return: (dict) Response data of the request.
238+
239+
SSL Verification:
240+
SSL certificate verification can be controlled via `push_relay_verify_ssl` in site_config.json.
241+
Set to 0 to disable verification for self-signed certificates.
242+
See frappe/SSL_CONFIG.md for more details.
238243
"""
239244

240245
if not self.is_enabled():
@@ -243,6 +248,7 @@ def _send_post_request(self, method: str, params: dict, use_authentication: bool
243248
relay_server_endpoint = frappe.conf.get("push_relay_server_url")
244249
# Get SSL verification setting from config, default to True
245250
# Set to 0 in site_config.json to disable SSL verification for self-signed certificates
251+
# See frappe/SSL_CONFIG.md for documentation
246252
verify_ssl_config = frappe.conf.get("push_relay_verify_ssl")
247253
if verify_ssl_config is not None:
248254
verify_ssl = sbool(verify_ssl_config)

0 commit comments

Comments
 (0)