Chargebee Python Client should not bundle its own certificates

[vanschelven]

Description of the Bug

As per

chargebee-python/chargebee/main.py

Line 14 in d70fc00

ca_cert_path = os.path.join(os.path.dirname(__file__), "ssl", "ca-certs.crt")

the Chargebee Python Client bundles its own certificates.

In my not-so-humble opinion this violates the expectation of least surprise: on correctly configured systems the certificate bundles are present and reachable by python code. By pushing this stuff into a specific package you tie the ability of the system to make connections to the outside world to a specific version of chargebee and you tie the upgrade-cycle of your codebase (e.g. with pinned packages) to certificate validity.

There is a reason all the other request-making packages in the python ecosystem don't do this.

Now, I understand why this choice was made (it allows you to package something that "just works") but given that it's the WrongChoice(TM) you should at least create a point of configuration such that one can point the chargebee client either to the system certificate bundles, or just tell it to do whatever the underlying library (e.g. requests) would normally do.

Additional context

#60 is a direct consequence of this problem (and the suggested solution of "just upgrade") proves this

[vanschelven]

It also means that:

• if the chargebee bundle contains a root cert that is later to be found to be untrustworthy chargebee now has a security problem and requires an update
• if you're in a corporate environment where they want to MITM your certs as per corporate policy you're out of luck because you can't configure your corporate MITM thingie properly