Via is not trusting some certificates that Chrome and Mozilla trust

[mkdir-washington-edu]

Describe the bug When trying to access http://success.tophat.com/ in Via we get the following error:

UpstreamServiceError: HTTPSConnectionPool(host=‘success.tophat.com’, port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, ‘[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1125)’))) URL: https://via.hypothes.is/success.tophat.com Third party URL: None

Chrome (and Mozilla) trust this site, however:

We uncovered that the certificate issuer is not trusted by the OS running Via.

curl https://success.tophat.com/s/ curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above

To Reproduce Steps to reproduce the behavior:

1. https://via.hypothes.is
2. paste http://success.tophat.com/
3. See error

Expected behavior The expected behavior would be for Via to trust the same certificates Chromium and Mozilla trust, if possible.

Additional context https://hypothes-is.slack.com/archives/C2BLQDKHA/p1620131767381300 https://app.hubspot.com/contacts/6291320/ticket/399068231/

[mkdir-washington-edu]

We should check we're using the set of certificates from: certifi (https://pypi.org/project/certifi/)