canonical / mysql-operator

Machine charm for MySQL following the operator framework
https://charmhub.io/mysql
Apache License 2.0

No CA chain support #395

Closed sabaini closed 6 months ago

sabaini commented 6 months ago

Steps to reproduce

  1. Setup an s3 provider and configure a tls-ca-chain
  2. Relate s3 provider to mysql-operator
  3. Attempt to create-backup

Expected behavior

The create-backup action finishes successfully

Actual behavior

Action create-backup fails

Traceback in mysql-operator hints at SSL verification failure

Inspection of lib/charms/mysql/v0/s3_helpers.py shows that the boto3 session is opened with the default verify=True parameter, i.e. it only verifies against the default CAs

Per boto3 docs custom CA chains would require the verify param to be set to a cert bundle filepath

Versions

Operating system: Ubuntu 22.04.3 LTS

Juju CLI: 2.9.46-ubuntu-amd64

Juju agent: 2.9.46

Charm revision: 8.0/stable

LXD:

Log output

Juju debug log:

2024-01-29 16:44:24 DEBUG unit.mysql-operator/0.juju-log server.go:316 Event request-created.s3.PutObject: calling handler <function signal_transferring at 0x7fcd20988dc0>
2024-01-29 16:44:24 DEBUG unit.mysql-operator/0.juju-log server.go:316 Event request-created.s3.PutObject: calling handler <function add_retry_headers at 0x7fcd215c3c70>
2024-01-29 16:44:24 DEBUG unit.mysql-operator/0.juju-log server.go:316 Sending http request: <AWSPreparedRequest stream_output=False, method=PUT, url=https://172.20.0.66:443/relation-19/2024-01-29T16%3A44%3A22Z.metadata, headers={'User-Agent': b'Boto3/1.28.23 md/Botocore#1.31.23 ua/2.0 os/linux#5.15.0-92-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.31.23 Resource', 'Content-MD5': b'IU3nB0oUfVJVSvdTt41iyQ==', 'Expect': b'100-continue', 'X-Amz-Date': b'20240129T164424Z', 'X-Amz-Content-SHA256': b'UNSIGNED-PAYLOAD', 'Authorization': b'AWS4-HMAC-SHA256 Credential=TMLMGD2LN4EFAP25DBEU/20240129/us-east-1/s3/aws4_request, SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-date, Signature=cbf49c70480148d5c062000ef3f774d2ca37f3aa469894bea5f3e67a0885cd94', 'amz-sdk-invocation-id': b'075d4220-0397-4676-a3f1-babd75dd93a9', 'amz-sdk-request': b'attempt=2; max=5', 'Content-Length': '156'}>
2024-01-29 16:44:24 DEBUG unit.mysql-operator/0.juju-log server.go:316 Certificate path: /etc/ssl/certs/ca-certificates.crt
2024-01-29 16:44:24 DEBUG unit.mysql-operator/0.juju-log server.go:316 Starting new HTTPS connection (2): 172.20.0.66:443
2024-01-29 16:44:24 DEBUG unit.mysql-operator/0.juju-log server.go:316 Exception received when sending HTTP request.
Traceback (most recent call last):
  File "/var/lib/juju/agents/unit-mysql-operator-0/charm/venv/urllib3/connectionpool.py", line 714, in urlopen
    httplib_response = self._make_request(
  File "/var/lib/juju/agents/unit-mysql-operator-0/charm/venv/urllib3/connectionpool.py", line 403, in _make_request
    self._validate_conn(conn)
  File "/var/lib/juju/agents/unit-mysql-operator-0/charm/venv/urllib3/connectionpool.py", line 1053, in _validate_conn
    conn.connect()
  File "/var/lib/juju/agents/unit-mysql-operator-0/charm/venv/urllib3/connection.py", line 419, in connect
    self.sock = ssl_wrap_socket(
  File "/var/lib/juju/agents/unit-mysql-operator-0/charm/venv/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "/var/lib/juju/agents/unit-mysql-operator-0/charm/venv/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1100, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1371, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)

Additional context
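The fix the report points at, as an added example (not mysql-operator's own code): write the relation's tls-ca-chain to a root-only PEM file, fail early if it is not a loadable bundle, and hand that path to boto3 as `verify` instead of the default `True`. Function names, the temp-file location and the plain-PEM form of the chain are assumptions; `verify=False` is deliberately never produced, since that would turn off verification rather than trust the custom CA.

```python
"""Trust a custom CA chain for the s3 backup client via boto3's verify=<bundle path>.
Added example; names, file location and the plain-PEM chain format are assumptions."""
import os
import ssl
import tempfile
from pathlib import Path
from typing import Optional


def write_ca_bundle(ca_chain_pem: str, directory: Optional[str] = None) -> Path:
    """Persist the PEM chain (root plus any intermediates, concatenated) to a file
    readable only by the charm's user and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="s3-ca-")  # mkdtemp -> mode 0700
    path = Path(directory) / "s3-ca-chain.pem"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(ca_chain_pem.strip() + "\n")
    # Load the bundle the way urllib3 will, so a malformed chain is reported at
    # configuration time instead of as CERTIFICATE_VERIFY_FAILED on the first PutObject.
    try:
        ssl.create_default_context(cafile=str(path))
    except ssl.SSLError as exc:
        path.unlink()
        raise ValueError(f"tls-ca-chain is not a valid PEM bundle: {exc}") from exc
    return path


def s3_client_kwargs(endpoint: str, region: str, ca_chain_pem: Optional[str]) -> dict:
    """Keyword arguments for Session().client("s3", ...).
    verify is the bundle path when a chain was provided, otherwise True (system CAs,
    the behaviour described in the report). It is never False."""
    kwargs = {"endpoint_url": endpoint, "region_name": region, "verify": True}
    if ca_chain_pem:
        kwargs["verify"] = str(write_ca_bundle(ca_chain_pem))
    return kwargs


def make_s3_client(access_key: str, secret_key: str, endpoint: str, region: str,
                   ca_chain_pem: Optional[str] = None):
    """Build the boto3 client; boto3 is imported here so the helpers above need no SDK."""
    import boto3

    session = boto3.session.Session(aws_access_key_id=access_key,
                                    aws_secret_access_key=secret_key)
    return session.client("s3", **s3_client_kwargs(endpoint, region, ca_chain_pem))
```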

github-actions[bot] commented 6 months ago

https://warthogs.atlassian.net/browse/DPE-3471