Hi,
I upgraded to 2.3.4 yesterday. Since then, the client using the registrant API that we use (mlz_export) is not able to connect Indico and returns the following error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='indico.ijclab.in2p3.fr', port=443): Max retries exceeded with url: /oauth/authorize?response_type=code&client_id=eee44dff-b924-497e-803b-e432d95d37ce&redirect_uri=https%3A%2F%2Flocalhost%2F&scope=registrants+read%3Alegacy_api+read%3Auser&state=dMvSTg6NDkMvXGVCfm1spH7iPpIF1J (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))
I didn’t see anything explictely referring to this in the release notes… Is it the consequence of another change? Should I change something in the configuration or on the client side?
Thanks in advance for any help.
Michel
PS: nothing changed in the configuration apart from the Indico upgrade…
Thanks for the pointer. I’ll check but I’m surprised by this problem as there was nothing changed recently in the config, in particular the Apache config I’d say… I’ll double check, at least fixing the chain issue if it exists should be trivial.
For the record, it was the issue. In fact, I remember updating the Apache version to the last one (it is maintained centrally at IJCLab) and missed there was an attempt to remove the SSLCertificateChainFile and use a SSLCertificateFile containing the chain (as it is done with Nginx and supposed to work with Apache) but because of bug (I should check if the last version of Apache in CentOS 7 fixed the problem as it is fixed upstream) it is necessary to keep SSLCertificateChainFile with the same file as SSLCertificateFile.