This is an old revision of the document!

UPMC Certificates

UPMC man in the middle's https traffic. You might get the error

SSLError(SSLCerVerificationError, '[SSL: CERTIFICATE_VERIFY_FAILED] certifiacte verify failed: self signed certificate in certificate chain

To allow UPMC's cert in the SSL chain on debian, run:

  # as root
  cd /usr/local/share/ca-certificates/
  cert_loc=http://upmccrl.upmc.com/CDP/
  for crt in UPMC-CA23 UPMC-CA20 UPMC-ROOT-CA; do
     wget "$cert_loc/$crt.crt" -O "$crt.crt-der"
     # added 20230707
     openssl x509 -in $crt.crt-der -out $crt.crt -outform PEM
  done
  update-ca-certificates

Legacy

Newer (2023) ssl libraries packaged in debian are ahead of what UPMC's certs/network supports.

ss1.SSLError: [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled

See https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled

Downgrade security with a custom SSL config:

export OPENSSL_CONF="/opt/ni_tools/slacktheme_bot/openssl.conf"

where conf looks like

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

Python

newer urllib3 may also cause problems with legacy certs. (UNCONFIRMED 20240117)

pip install urllib3==1.26.12