[05:17] <pieq> Hi! I'm having an SSL related error when trying to connect to the Launchpad API from a snap I'm maintaining. jamesh suggested it might have something to do with the LetsEncrypt certificate expiring: https://forum.snapcraft.io/t/ssl-certificate-verify-failed-error-from-within-a-python-snap/26836/3
[05:17] <pieq> Did anyone else notice a problem with Launchpad API sine yesterday?
[05:17] <pieq> s/sine/since/
[05:19] <jamesh> pieq: it looks like they did some config changes 14 hours or so  ago: https://irclogs.ubuntu.com/2021/09/30/%23launchpad.html
[05:20] <jamesh> I don't know any more than that + what I said on the forum
[05:32] <pieq> jamesh: thanks!
[05:33] <pieq> jamesh: I'm trying to build with core20, but it might take some time cause I have to fix side effects
[09:08] <jamesh> cjwatson: w.r.t. the discussion up above, it looks like staging is still serving up a certificate chain including the expired DST Root signature and production is serving a certificate chain missing the self signed ISRG Root cert.
[09:23] <cjwatson> jamesh: I don't think I'd expect the CA cert itself to be sent; I think the snap in this case was just missing the ISRG CA cert.  Could you file an RT ticket about staging, though?
[09:24] <jamesh> cjwatson: I think the problem comes when the local cert for the ISRG root key includes the expired DST signature
[09:25] <jamesh> Problem clients then see an expired signature in the cert chain and reject it, even though they trust what looks like an intermediate key
[09:25] <cjwatson> jamesh: Ah yes, possibly, which would be an issue in the core18 snap in this case.
[09:26] <cjwatson> 20210119~18.04.2's changelog date is 2021-09-22, and the version of core18 in stable is dated 2021-08-11
[09:26] <cjwatson> core18/edge is presumably better
[09:27] <jamesh> as I understand it, there are two certificates for the ISRG root key: one that is self signed and one signed by the DST root
[09:27] <cjwatson> See bug 1944481 for this ca-certificates update
[09:27] <cjwatson> But the core18 version that pieq was using likely didn't contain that fix
[09:30] <jamesh> Yeah. table core18 is from August
[09:30] <jamesh> pieq: ^^^ from the above, does your app start working if you do "snap refresh --edge core18"?
[09:31] <cjwatson> (and revert the addition of certifi)
[09:57] <pieq> jamesh: cjwatson I'll try that later on tonight and keep you posted.
[10:04] <pieq> jamesh, cjwatson I ran `snap refresh --edge core18`, then installed qabro from the stable channel (this version does not include python3-certifi) and I have the same issue
[10:05] <pieq> it upgraded core18             from 20210722 (rev2128) to 20210928 (rev2206)
[10:08] <cjwatson> I can't test qabro because "- Run install hook of "qabro" snap if present (run hook "install": /snap/qabro/157/meta/hooks/install: 8: /snap/qabro/157/meta/hooks/install: cannot create /etc/sudoers.d/qabro: Permission denied)"
[10:21] <pieq> you need to `sudo snap install qabro --devmode`
[10:22] <pieq> (I know...)