Fix API URL handling and SSL certificate verification

- Auto-append /api to base URL if not already present, so users can enter just the hostname (e.g. https://silo.kindred.internal) - Load system CA certificate bundle in SSL context so the bundled Python trusts internal CAs (FreeIPA) without disabling verification - Update settings dialog placeholder and hint text to clarify expected URL format
2026-01-29 22:26:26 -06:00
parent bdccb8923d
commit 383e750a6d
1 changed files with 26 additions and 7 deletions
--- a/pkg/freecad/silo_commands.py
+++ b/pkg/freecad/silo_commands.py
@@ -26,9 +26,13 @@ def _get_api_url() -> str:
    """Get Silo API URL from preferences, falling back to env var then default."""
    param = FreeCAD.ParamGet(_PREF_GROUP)
    url = param.GetString("ApiUrl", "")
-    if url:
-        return url
-    return os.environ.get("SILO_API_URL", "http://localhost:8080/api")
+    if not url:
+        url = os.environ.get("SILO_API_URL", "http://localhost:8080/api")
+    url = url.rstrip("/")
+    # Auto-append /api if the user provided just the base hostname
+    if url and not url.endswith("/api"):
+        url = url + "/api"
+    return url


 def _get_ssl_verify() -> bool:
@@ -40,7 +44,21 @@ def _get_ssl_verify() -> bool:
 def _get_ssl_context() -> ssl.SSLContext:
    """Build an SSL context based on the current SSL verification preference."""
    if _get_ssl_verify():
-        return ssl.create_default_context()
+        ctx = ssl.create_default_context()
+        # The bundled Python may not find the system CA store automatically
+        # (its compiled-in path points to the build environment). Load the
+        # system CA bundle explicitly so internal CAs (e.g. FreeIPA) are trusted.
+        for ca_path in (
+            "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
+            "/etc/pki/tls/certs/ca-bundle.crt",  # RHEL / CentOS
+        ):
+            if os.path.isfile(ca_path):
+                try:
+                    ctx.load_verify_locations(ca_path)
+                except Exception:
+                    pass
+                break
+        return ctx
    else:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
@@ -1834,7 +1852,7 @@ class Silo_Settings:
        layout.addWidget(url_label)

        url_input = QtGui.QLineEdit()
-        url_input.setPlaceholderText("http://localhost:8080/api")
+        url_input.setPlaceholderText("https://silo.kindred.internal")
        current_url = param.GetString("ApiUrl", "")
        if current_url:
            url_input.setText(current_url)
@@ -1845,8 +1863,9 @@ class Silo_Settings:
        layout.addWidget(url_input)

        url_hint = QtGui.QLabel(
-            "Leave empty to use SILO_API_URL environment variable "
-            "or default (http://localhost:8080/api)"
+            "Enter the server hostname (e.g. https://silo.kindred.internal). "
+            "The /api path is appended automatically. "
+            "Leave empty to use SILO_API_URL environment variable."
        )
        url_hint.setWordWrap(True)
        url_hint.setStyleSheet("color: #888; font-size: 11px;")