| pieq | Hi! I'm having an SSL related error when trying to connect to the Launchpad API from a snap I'm maintaining. jamesh suggested it might have something to do with the LetsEncrypt certificate expiring: https://forum.snapcraft.io/t/ssl-certificate-verify-failed-error-from-within-a-python-snap/26836/3 | 05:17 |
|---|---|---|
| pieq | Did anyone else notice a problem with Launchpad API sine yesterday? | 05:17 |
| pieq | s/sine/since/ | 05:17 |
| jamesh | pieq: it looks like they did some config changes 14 hours or so ago: https://irclogs.ubuntu.com/2021/09/30/%23launchpad.html | 05:19 |
| jamesh | I don't know any more than that + what I said on the forum | 05:20 |
| pieq | jamesh: thanks! | 05:32 |
| pieq | jamesh: I'm trying to build with core20, but it might take some time cause I have to fix side effects | 05:33 |
| === kiska3 is now known as kiska | ||
| === jamesh_ is now known as jamesh | ||
| === tolecnal_ is now known as tolecnal | ||
| jamesh | cjwatson: w.r.t. the discussion up above, it looks like staging is still serving up a certificate chain including the expired DST Root signature and production is serving a certificate chain missing the self signed ISRG Root cert. | 09:08 |
| cjwatson | jamesh: I don't think I'd expect the CA cert itself to be sent; I think the snap in this case was just missing the ISRG CA cert. Could you file an RT ticket about staging, though? | 09:23 |
| jamesh | cjwatson: I think the problem comes when the local cert for the ISRG root key includes the expired DST signature | 09:24 |
| jamesh | Problem clients then see an expired signature in the cert chain and reject it, even though they trust what looks like an intermediate key | 09:25 |
| cjwatson | jamesh: Ah yes, possibly, which would be an issue in the core18 snap in this case. | 09:25 |
| cjwatson | 20210119~18.04.2's changelog date is 2021-09-22, and the version of core18 in stable is dated 2021-08-11 | 09:26 |
| cjwatson | core18/edge is presumably better | 09:26 |
| jamesh | as I understand it, there are two certificates for the ISRG root key: one that is self signed and one signed by the DST root | 09:27 |
| cjwatson | See bug 1944481 for this ca-certificates update | 09:27 |
| cjwatson | But the core18 version that pieq was using likely didn't contain that fix | 09:27 |
| jamesh | Yeah. table core18 is from August | 09:30 |
| jamesh | pieq: ^^^ from the above, does your app start working if you do "snap refresh --edge core18"? | 09:30 |
| cjwatson | (and revert the addition of certifi) | 09:31 |
| pieq | jamesh: cjwatson I'll try that later on tonight and keep you posted. | 09:57 |
| pieq | jamesh, cjwatson I ran `snap refresh --edge core18`, then installed qabro from the stable channel (this version does not include python3-certifi) and I have the same issue | 10:04 |
| pieq | it upgraded core18 from 20210722 (rev2128) to 20210928 (rev2206) | 10:05 |
| cjwatson | I can't test qabro because "- Run install hook of "qabro" snap if present (run hook "install": /snap/qabro/157/meta/hooks/install: 8: /snap/qabro/157/meta/hooks/install: cannot create /etc/sudoers.d/qabro: Permission denied)" | 10:08 |
| pieq | you need to `sudo snap install qabro --devmode` | 10:21 |
| pieq | (I know...) | 10:22 |
| === locutusofborg_ is now known as locutusofborg | ||
| === ddstreet_away is now known as ddstreet | ||
| === sarnold_ is now known as sarnold | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!