github.com/certbot/certbot.git
author: alexzorin <alex@zorin.id.au> 2022-07-20 02:17:27 +0300
committer: GitHub <noreply@github.com> 2022-07-20 02:17:27 +0300
commit: ae7967c8aed28a8416a329e5eeac117c1672c878
tree: 94b3fd21d514a7a786ff50ee7c250b80fe0af071
parent: 32608a142bbd9c7df2ddc6cbfa2a46a6c310901b
docs: how to override the trusted CA certificates (#9357)

* docs: how to override the trusted CA certificates
* Update certbot/docs/using.rst

Co-authored-by: ohemorange <ebportnoy@gmail.com>
Co-authored-by: ohemorange <ebportnoy@gmail.com>
-rw-r--r-- certbot/certbot/configuration.py 6
-rw-r--r-- certbot/docs/using.rst 6
2 files changed, 11 insertions, 1 deletions
diff --git a/certbot/certbot/configuration.py b/certbot/certbot/configuration.py
index d5ad87599..dd40a096f 100644
--- a/certbot/certbot/configuration.py
+++ b/certbot/certbot/configuration.py
@@ -170,7 +170,11 @@ class NamespaceConfig:
@property
def no_verify_ssl(self) -> bool:
- """Disable verification of the ACME server's certificate."""
+ """Disable verification of the ACME server's certificate.
+
+ The root certificates trusted by Certbot can be overriden by setting the
+ REQUESTS_CA_BUNDLE environment variable.
+ """
return self.namespace.no_verify_ssl
@property
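Review bot: "overriden" in the added docstring line "The root certificates trusted by Certbot can be overriden by setting the" is misspelled and should read "overridden". Because this text sits in the docstring of no_verify_ssl, it would also help to say outright that setting REQUESTS_CA_BUNDLE is the alternative to disabling verification, so the reader does not have to infer why the variable is mentioned under this property.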
diff --git a/certbot/docs/using.rst b/certbot/docs/using.rst
index 0038d1f83..c4f55bc02 100644
--- a/certbot/docs/using.rst
+++ b/certbot/docs/using.rst
@@ -1078,6 +1078,12 @@ ACME directory. For example, if you would like to use Let's Encrypt's
staging server, you would add ``--server
https://acme-staging-v02.api.letsencrypt.org/directory`` to the command line.
+If Certbot does not trust the SSL certificate used by the ACME server, you
+can use the `REQUESTS_CA_BUNDLE
+<https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification>`_
+environment variable to override the root certificates trusted by Certbot. Certbot
+uses the ``requests`` library, which does not use the operating system trusted root store.
+
If you use ``--server`` to specify an ACME CA that implements the standardized
version of the spec, you may be able to obtain a certificate for a
wildcard domain. Some CAs (such as Let's Encrypt) require that domain
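Review bot: The added paragraph in using.rst names REQUESTS_CA_BUNDLE but never says what to set it to; state that the value is the path to a CA bundle file and consider a one-line example such as ``REQUESTS_CA_BUNDLE=/path/to/ca-bundle.pem certbot ...`` (placeholder path). Since the text says the variable overrides the trusted roots rather than adding to them, a sentence noting that a bundle containing only a private CA replaces the default roots would save users a surprise when they later point ``--server`` at a publicly trusted ACME CA. The paragraph could also point readers to this option in preference to ``--no-verify-ssl``, and "SSL certificate" would read better as "TLS certificate".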