diff --git a/clicada/cli/arg.py b/clicada/cli/arg.py index 2ea2cb2..8adf30d 100644 --- a/clicada/cli/arg.py +++ b/clicada/cli/arg.py @@ -73,8 +73,19 @@ class CmdCtrl: self.remote_openers = {} if self.get('META_URL') != None: + sctx = None + if self.cmd_args.cafile != None: + import ssl + sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + sctx.load_verify_locations(self.cmd_args.cafile) + auth_client_session = PGPClientSession(self.__auth) - self.remote_openers['meta'] = HTTPSession(self.get('META_URL'), auth=auth_client_session, origin=self.config.get('META_HTTP_ORIGIN')) + self.remote_openers['meta'] = HTTPSession( + self.get('META_URL'), + auth=auth_client_session, + origin=self.config.get('META_HTTP_ORIGIN'), + ssl_context=sctx, + ) def blockchain(self): diff --git a/clicada/cli/http.py b/clicada/cli/http.py index f49ceee..992d65e 100644 --- a/clicada/cli/http.py +++ b/clicada/cli/http.py @@ -12,6 +12,7 @@ from usumbufu.client.base import ( ) from usumbufu.client.bearer import BearerClientSession from usumbufu.client.hoba import HobaClientSession +from urlybird.host import url_apply_port_string logg = logging.getLogger(__name__) @@ -21,6 +22,7 @@ class PGPClientSession(HobaClientSession): alg = '969' def __init__(self, auth): + super(PGPClientSession, self).__init__() self.auth = auth self.origin = None self.fingerprint = self.auth.fingerprint() 
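Review bot: In clicada/cli/arg.py the new branch reads `self.cmd_args.cafile` unconditionally, but the only `--cafile` registration visible in this commit is in clicada/cli/user.py. If `CmdCtrl` is also built for commands whose parser does not define that option, this line would raise AttributeError whenever META_URL is set; `cafile = getattr(self.cmd_args, 'cafile', None)` avoids that. `sctx = ssl.create_default_context(cafile=cafile)` keeps the required-certificate and hostname checks that `PROTOCOL_TLS_CLIENT` gives and adds the library's recommended option set, and `import ssl` belongs at module top rather than inside the branch. With `--cafile` given, only that file is trusted and the system store is not loaded, which is worth stating in the option's help text. The enclosing method begins above the hunk.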
@@ -46,23 +48,12 @@ class HTTPSession: token_dir = '/run/user/{}/clicada/usumbufu/.token'.format(os.getuid()) - def __init__(self, url, auth=None, origin=None): + def __init__(self, url, auth=None, origin=None, ssl_context=None): self.base_url = url - url_parts = urllib.parse.urlsplit(self.base_url) - url_parts_origin_host = url_parts[1].split(":") - host = url_parts_origin_host[0] - try: - host = host + ':' + url_parts_origin_host[1] - except IndexError: - host = host + ':' + str(getservbyname(url_parts[0])) - logg.info('changed origin with missing port number from {} to {}'.format(url_parts[1], host)) - url_parts_origin = (url_parts[0], host, '', '', '',) - + + if origin == None: + origin = url_apply_port_string(url, as_origin=True) self.origin = origin - if self.origin == None: - self.origin = urllib.parse.urlunsplit(url_parts_origin) - else: - logg.debug('overriding http origin for {} with {}'.format(url, self.origin)) h = hashlib.sha256() h.update(self.base_url.encode('utf-8')) @@ -72,7 +63,7 @@ class HTTPSession: os.makedirs(token_store_dir, exist_ok=True) self.token_store = BaseTokenStore(path=token_store_dir) - self.session = ClientSession(self.origin, token_store=self.token_store) + self.session = ClientSession(self.origin, token_store=self.token_store, ssl_context=ssl_context) bearer_handler = BearerClientSession(self.origin, token_store=self.token_store) self.session.add_subhandler(bearer_handler) @@ -88,6 +79,9 @@ class HTTPSession: url = urllib.parse.urljoin(self.base_url, endpoint) logg.debug('open {} with opener {}'.format(url, self)) r = self.opener.open(url) + logg.debug('response code {} for {}'.format(r.code, endpoint)) + if r.code == 404: + raise FileNotFoundError() return r.read().decode('utf-8') diff --git a/clicada/cli/user.py b/clicada/cli/user.py index 92a0aa0..1906c49 100644 --- a/clicada/cli/user.py +++ b/clicada/cli/user.py 
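Review bot: In `HTTPSession.__init__` the rewrite drops the `overriding http origin for {} with {}` debug line, so a caller-supplied `origin` is now applied silently even though `ClientSession` and `BearerClientSession` are both constructed from it. Keeping `else: logg.debug('overriding http origin for {} with {}'.format(url, origin))` after the new `if` preserves a trace of which origin the auth sessions were bound to, and the test itself reads better as `if origin is None:`. The new `ssl_context` parameter is undocumented; a short docstring should say that `None` leaves certificate verification to whatever `ClientSession` does by default, which is not visible in this diff. `__init__` continues past the end of the hunk.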
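Review bot: In the `@@ -72,7 +63,7 @@` hunk `ssl_context` is handed to `ClientSession` only; the `BearerClientSession` created on the next line still receives just the origin and the token store. If that subhandler opens connections of its own (not visible here), it would not use the CA file from `--cafile`. Worth confirming against usumbufu, and recording the answer in a comment next to `bearer_handler`, e.g. `# bearer handler reuses the parent session's connection; no ssl_context needed` if that is the case.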
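Review bot: In the `@@ -88,6 +79,9 @@` hunk the new `r.code == 404` check handles one status only; any other non-success response that `self.opener.open(url)` returns rather than raises still falls through to `r.read().decode('utf-8')` and is treated as metadata. Whether the opener raises on error statuses depends on how it is built, which is outside this hunk, so rejecting every status outside the 2xx range here would make the behaviour independent of that. `raise FileNotFoundError()` carries no message; `raise FileNotFoundError(url)` keeps the failing URL in the trace. The caller shown in clicada/user/file.py catches `Exception` and logs it at debug level only, so a certificate verification failure on the new `--cafile` path would surface as `MetadataNotFoundError` and mark the address as failed instead of being reported as a TLS error; catching the not-found case separately there would keep the two apart. The method starts above the hunk.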
@@ -29,6 +29,7 @@ tx_normalizer = TxHexNormalizer() def process_args(argparser): argparser.add_argument('-m', '--method', type=str, help='lookup method') argparser.add_argument('--meta-url', dest='meta_url', type=str, help='Url to retrieve metadata from') + argparser.add_argument('--cafile', type=str, help='CA certificate chain file to use for verifying SSL session') argparser.add_argument('-f', '--force-update', dest='force_update', action='store_true', help='Update records of mutable entries') argparser.add_argument('identifier', type=str, help='user identifier') diff --git a/clicada/user/file.py b/clicada/user/file.py index 02bf037..4a28537 100644 --- a/clicada/user/file.py +++ b/clicada/user/file.py @@ -268,7 +268,7 @@ class FileUserStore: r = getter.open(ptr) except Exception as e: logg.debug('no metadata found for {}: {}'.format(address, e)) - + if r == None: self.failed_entities[address] = True raise MetadataNotFoundError() diff --git a/requirements.txt b/requirements.txt index 2003eba..3781f1b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ -usumbufu~=0.3.5 -confini~=0.5.3 +usumbufu~=0.3.6 +confini~=0.5.4 cic-eth-registry~=0.6.1 cic-types~=0.2.1a8 phonenumbers==8.12.12 @@ -8,3 +8,4 @@ hexathon~=0.1.0 pycryptodome~=3.10.1 chainlib-eth~=0.0.21 chainlib~=0.0.17 +urlybird~=0.0.2
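Review bot: In requirements.txt, `urlybird~=0.0.2` is a new dependency whose `url_apply_port_string` now computes the origin that the auth sessions are built from, and the `~=` specifier accepts any later 0.0.x release at install time. For a package in that position an exact pin, as already done for `phonenumbers==8.12.12`, would keep the resolved code fixed between builds. Installing releases with pip's `--require-hashes` would extend that guarantee to the downloaded artefacts.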