Merge pull request #364 from jumpstarter-dev/fix-362

Workaround the MacOS system certificate store issue with some SSL certs

Author: NickCao

docs/source/config/cli.md

@@ -134,7 +134,8 @@ be useful in CI or when writing a script that uses Jumpstarter.
 (overrides the config value).
 - `JMP_DRIVERS_ALLOW` - A comma-separated list of allowed driver namespaces
 to automatically load. Can be set to `UNSAFE` to allow unsafe loading of drivers.
-
+- `JUMPSTARTER_FORCE_SYSTEM_CERTS` - Set to `1` to force the system CA certificates,
+  which is the behavior by default for all systems but MacOS (see [bug](https://github.com/jumpstarter-dev/jumpstarter/issues/362))
 ## System Configuration
 
 Jumpstarter stores system configs in the `/etc/jumpstarter` directory.

packages/jumpstarter-cli-common/jumpstarter_cli_common/oidc.py

@@ -1,4 +1,5 @@
 import json
+import os
 from dataclasses import dataclass
 from typing import ClassVar
 
@@ -12,7 +13,13 @@
 from joserfc.jws import extract_compact
 from yarl import URL
 
-truststore.inject_into_ssl()
+# if we are running in MacOS avoid injecting system certificates to avoid
+# https://github.com/jumpstarter-dev/jumpstarter/issues/362
+# also allow to force the system certificates injection with
+# JUMPSTARTER_FORCE_SYSTEM_CERTS=1
+if os.uname().sysname != "Darwin" or os.environ.get("JUMPSTARTER_FORCE_SYSTEM_CERTS") == "1":
+    truststore.inject_into_ssl()
+
 
 opt_client_id = click.option("--client-id", "client_id", type=str, default="jumpstarter-cli", help="OIDC client id")
 opt_connector_id = click.option(