search

pydio / pydio-sync

Python version of the Pydio synchronization client
https://pydio.com
GNU General Public License v3.0
82 stars 32 forks source link

[SSL: CERTIFICATE_VERIFY_FAILED] #184

Open jkirk opened 2 years ago

jkirk commented 2 years ago

Since 2021-09-30, the day of the Let's Encrypt DST Root CA X3 expiration, pydio-sync stopped working with:

00:57:40 ERROR   140401309402880 Thread-3 [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
Traceback (most recent call last):
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/pydio.job.continous_merger", line 460, in run
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/pydio.job.continous_merger", line 771, in load_remote_changes_in_store
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/pydio.sdkremote.remote", line 407, in changes_stream
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/pydio.sdkremote.remote", line 337, in perform_request
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/pydio.sdkremote.remote", line 271, in perform_with_tokens
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/requests.api", line 65, in get
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/requests.api", line 49, in request
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/requests.sessions", line 461, in request
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/requests.sessions", line 573, in send
  File "/home/pydio/tcAgent/work/a00136d723583ad3/build/pydio-agent/out01-PYZ.pyz/requests.adapters", line 431, in send
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
00:57:40 ERROR   140401317795584 Thread-1 [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

This is because a very old list of CA certificates (especially with the now expired root certificate DST Root CA X3 and without the now valid "ISRG Root X1") is included.

We need to update the list of certificates from here, I believe: https://github.com/certifi/python-certifi/blob/master/certifi/cacert.pem

Since there seem to be no new releases, any idea how to create a new build?