Hi, I have been helping Joff with this. We could certainly contribute something. Are you thinking about just modifying the get method to fall back on http if https fails? Happy to do this if you’re happy, but I’m not sure it’s great from a security standpoint.
We actually realised subsequently that this SSL error could have been avoided if we had just set the REQUESTS_CA_BUNDLE environment variable to point to our site-specific certificate (certifi checks this variable, so this takes care of all urllib3 SSL issues for us). I guess we could have passed this environment variable into the container instead of the bind-mount and the TEMPLATEFLOW_HOME variable. So in summary, the connection problems were probably more caused by our bad config than anything wrong with templateflow.
Although it would maybe be useful if the fmriprep container had a more obvious route for passing a custom templates directory. It seems a little inefficient to download templates every time you run the container.