Comprehensive SSL/TLS fix: Use Python certifi for MongoDB certificate verification

Changes:
1. Dockerfile: Switch from python:3.11-slim to python:3.11-bullseye for fuller SSL support
2. Dockerfile: Run update-ca-certificates --fresh to ensure cert store is initialized
3. Dockerfile: Set SSL_CERT_FILE, SSL_CERT_DIR, REQUESTS_CA_BUNDLE env vars
4. database_mongo.py: Import certifi and ssl modules
5. database_mongo.py: Use certifi.where() to get proper CA cert bundle
6. database_mongo.py: Pass tlsCAFile parameter to MongoClient for explicit cert verification
7. requirements.txt: Add certifi>=2023.0.0 dependency

This approach uses Python's certifi package (standard for SSL) instead of relying
on system certs alone, which provides better cross-platform compatibility.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Dockerfile

@@ -1,19 +1,27 @@
 # Dockerfile for Hugging Face Spaces - DhammaAI
-FROM python:3.11-slim
+# Use full Debian base instead of slim for better SSL support
+FROM python:3.11-bullseye
 
 # Set working directory
 WORKDIR /app
 
-# Install system dependencies including SSL certificates for MongoDB
+# Install comprehensive system dependencies for SSL/TLS and MongoDB
 RUN apt-get update && apt-get install -y \
     build-essential \
     curl \
     ca-certificates \
     libssl-dev \
     openssl \
-    && update-ca-certificates \
+    wget \
+    git \
+    && update-ca-certificates --fresh \
     && rm -rf /var/lib/apt/lists/*
 
+# Explicitly set SSL certificate environment variables
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ENV SSL_CERT_DIR=/etc/ssl/certs
+ENV REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
+
 # Copy requirements first for better caching
 COPY requirements.txt .
 

database_mongo.py

@@ -11,6 +11,8 @@ from datetime import datetime
 from typing import List, Dict, Optional
 from bson.objectid import ObjectId
 from urllib.parse import quote_plus
+import ssl
+import certifi
 
 load_dotenv()
 
@@ -49,12 +51,18 @@ class MongoDBManager:
 
             # Connect to MongoDB Atlas with proper error handling
             print(f"[INFO] Connecting to MongoDB Atlas (timeout: 10s)...")
+
+            # Use certifi's certificate bundle for SSL verification
+            ca_certs = certifi.where()
+            print(f"[INFO] Using CA certificate bundle from: {ca_certs}")
+
             self.client = MongoClient(
                 mongo_uri_to_use,
                 serverSelectionTimeoutMS=10000,
                 connectTimeoutMS=10000,
                 socketTimeoutMS=10000,
-                retryWrites=True
+                retryWrites=True,
+                tlsCAFile=ca_certs
             )
 
             # Test connection with proper error messaging

requirements.txt

@@ -27,6 +27,7 @@ rank-bm25>=0.2.2
 # MongoDB database (FREE - Atlas)
 pymongo>=4.0.0
 dnspython>=2.0.0
+certifi>=2023.0.0  # SSL certificate verification for MongoDB Atlas
 
 # Data export to Excel (FREE)
 pandas>=2.0.0