fix(docker): Update Dockerfile to install ca-certificates and create unprivileged user

fix(settings): Ensure SSL_CERT_FILE is set using certifi if not already defined

chore(requirements): Add certifi to requirements for SSL certificate handling

innovedus_cms/Dockerfile

@@ -10,7 +10,11 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /code
 
 # Create an unprivileged user to run the app
-RUN adduser --disabled-password --gecos '' app
+RUN set -ex && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends ca-certificates && \
+    rm -rf /var/lib/apt/lists/* && \
+    adduser --disabled-password --gecos '' app
 
 COPY requirements.txt /tmp/requirements.txt
 RUN set -ex && \

innovedus_cms/mysite/settings/base.py

@@ -13,9 +13,18 @@ https://docs.djangoproject.com/en/5.2/ref/settings/
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 import os
 
+try:
+    import certifi
+except Exception:
+    certifi = None
+
 PROJECT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 BASE_DIR = os.path.dirname(PROJECT_DIR)
 
+# Ensure Python SSL always has a CA bundle unless caller explicitly sets one.
+if not os.environ.get("SSL_CERT_FILE") and certifi is not None:
+    os.environ["SSL_CERT_FILE"] = certifi.where()
+
 def env_list(name, default):
     """
     Return a list from a comma-separated env var; fall back to provided default list.

innovedus_cms/requirements.txt

@@ -5,3 +5,4 @@ dj-database-url
 psycopg[binary]
 python-dotenv
 django-storages[boto3]
+certifi