📖 Add SSL certificate management guide to CLAUDE.md

- Document complete process for handling internal/corporate SSL certificates - Explain CA bundle extraction and configuration methods - Provide environment variable setup for multiple tools - Include best practices for SSL certificate management - Reusable guide for other projects with custom CAs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-05-31 12:06:16 +07:00
parent 53bee3340f
commit 3aa1d90b89
1 changed files with 73 additions and 1 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -24,4 +24,76 @@ Nomad MCP is a service that enables management of HashiCorp Nomad jobs via REST
 - `/static`: Frontend assets
 - `/tests`: Test files
-Always maintain backward compatibility with existing API endpoints. Follow REST principles.
+Always maintain backward compatibility with existing API endpoints. Follow REST principles.
 ## SSL Certificate Management for Internal Services
 When working with internal/corporate services that use custom Certificate Authorities (CAs):
 ### Problem
 - Internal services use SSL certificates signed by custom/corporate CAs
 - System trust stores don't recognize these CAs
 - Results in `SSL: CERTIFICATE_VERIFY_FAILED` errors
 ### Solution: Extract and Configure CA Bundle
 1. **Extract CA Certificate Chain**:
   ```bash
   # Find the CA issuer from certificate details
   openssl s_client -connect your-service.internal:443 -showcerts
   # Download CA certificate (adjust URL for your PKI)
   curl -k "https://vault.internal:8200/v1/pki/ca" -o certs/ca_bundle.pem
   ```
 2. **Test CA Bundle**:
   ```bash
   # Test with curl
   curl --cacert certs/ca_bundle.pem https://your-service.internal
   # Test with Python
   python -c "import requests; print(requests.get('https://your-service.internal', verify='certs/ca_bundle.pem').status_code)"
   ```
 3. **Create Environment Configuration**:
   ```bash
   # .env.ssl
   export SSL_CERT_FILE="$(pwd)/certs/ca_bundle.pem"
   export REQUESTS_CA_BUNDLE="$(pwd)/certs/ca_bundle.pem"
   export CURL_CA_BUNDLE="$(pwd)/certs/ca_bundle.pem"
   export GIT_SSL_CAINFO="$(pwd)/certs/ca_bundle.pem"
   ```
 4. **Usage**:
   ```bash
   # Load SSL configuration
   source .env.ssl
   # Now all tools use the CA bundle automatically
   curl https://your-service.internal
   git clone https://git.internal/repo.git
   pip install -i https://pypi.internal/simple/ package
   ```
 ### For Different Tools
 - **Curl**: `curl --cacert path/to/ca_bundle.pem`
 - **Python requests**: `requests.get(url, verify='path/to/ca_bundle.pem')`
 - **Git**: `git config http.sslCAInfo path/to/ca_bundle.pem`
 - **Node.js**: `NODE_EXTRA_CA_CERTS=path/to/ca_bundle.pem`
 - **Docker**: Mount certs and set `SSL_CERT_FILE` environment variable
 ### Environment Variables Priority
 1. `SSL_CERT_FILE` - Used by most SSL libraries
 2. `REQUESTS_CA_BUNDLE` - Python requests library
 3. `CURL_CA_BUNDLE` - curl command
 4. Tool-specific variables (e.g., `GIT_SSL_CAINFO`)
 ### Best Practices
 - **Keep CA bundle in version control** (it's public key material)
 - **Test SSL connections** with a script to verify setup
 - **Document certificate renewal process** in project README
 - **Use environment variables** for consistent configuration across tools
 - **Never disable SSL verification** in production code
 This approach provides proper SSL security while working with internal services.