Hi Bao,
sorry for the delayed response. I now found time to take a look at the certificate handling. There are a few things you need to consider:
1. The provided "cert-chain" in the certsips.json file is a base64 encoded string which is a common way to provide certificates in config files. However to use them for SSL verification it needs to be decoded.
You can use the Python base64 library to do so:
import base64

# Decode the base64 certificate chain
cert_chain_base64 = data["cert-chain"]
cert_chain_bytes = base64.b64decode(cert_chain_base64)
cert_chain = cert_chain_bytes.decode('utf-8') # Convert to string
After this you should have a cert chain that consists of 3 certificates, looking like this:
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIULkHBA6hievOxz9SEWGb922AlMo8wDQYJKoZIhvcNAQEL
...
p26kVxziN/bEVdPkF8EfcI6EVjSaGEDMc4ZdQ342TVVj1W5e4uGcgO1s+dtKU2nu
Pw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIULkHBA6hievOxz9SEWGb922AlMo8wDQYJKoZIhvcNAQEL
...
p26kVxziN/bEVdPkF8EfcI6EVjSaGEDMc4ZdQ342TVVj1W5e4uGcgO1s+dtKU2nu
Pw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIULkHBA6hievOxz9SEWGb922AlMo8wDQYJKoZIhvcNAQEL
...
p26kVxziN/bEVdPkF8EfcI6EVjSaGEDMc4ZdQ342TVVj1W5e4uGcgO1s+dtKU2nu
Pw==
-----END CERTIFICATE-----
2. The cert parameter of the request function is not used to provide a cert chain, but a client certificate. In this case you don't need to set it.
3. The verify parameter can be set to either a boolean, in which case it controls whether we verify the server's TLS certificate, or a string, in which case it must be a path to a CA bundle to use.
In our case we want to use the second option and set it to "verify=cert_chain"
I hope this solves your issues. Let me know if you have further questions.
Best
Johannes
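
Added example, not part of the message above: since a string passed to verify is read as a path to a CA bundle file, this sketch decodes the "cert-chain" value, checks that it contains well-formed PEM blocks, and writes it to a file whose path can then be passed as verify. The function names and the sample config are hypothetical, the three sample blocks are constructed placeholders rather than real certificates, and the requests library is assumed.

```python
import base64
import json
import os
import re
import tempfile

# One PEM certificate block; group 1 is the base64 body between the markers
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def write_ca_bundle(config_text, key="cert-chain"):
    """Decode the base64 PEM chain in a JSON config and write it to a file.

    Returns (path, number_of_certificates). Raises ValueError on bad input.
    """
    data = json.loads(config_text)
    # validate=True rejects stray characters instead of silently dropping them
    encoded = "".join(data[key].split())
    pem = base64.b64decode(encoded, validate=True).decode("ascii")
    bodies = PEM_BLOCK.findall(pem)
    if not bodies:
        raise ValueError("no PEM certificate blocks in decoded chain")
    for body in bodies:
        # Each block body must itself be valid base64 (the DER certificate)
        base64.b64decode("".join(body.split()), validate=True)
    # mkstemp creates the file readable and writable by the owner only
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as handle:
        handle.write(pem)
    return path, len(bodies)


def constructed_config():
    """Constructed stand-in for certsips.json with three placeholder blocks."""
    block = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"0" * 60).decode() + "\n"
             + "-----END CERTIFICATE-----\n")
    chain = (block * 3).encode()
    return json.dumps({"cert-chain": base64.b64encode(chain).decode()})


if __name__ == "__main__":
    bundle_path, count = write_ca_bundle(constructed_config())
    print(count, "certificates written to", bundle_path)
    # With the real chain: requests.get(url, verify=bundle_path)
    os.remove(bundle_path)
```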