API SSL error after 2.3.4 upgrade

I upgraded to 2.3.4 yesterday. Since then, the client using the registrant API that we use (mlz_export) is not able to connect to Indico and returns the following error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='indico.ijclab.in2p3.fr', port=443): Max retries exceeded with url: /oauth/authorize?response_type=code&client_id=eee44dff-b924-497e-803b-e432d95d37ce&redirect_uri=https%3A%2F%2Flocalhost%2F&scope=registrants+read%3Alegacy_api+read%3Auser&state=dMvSTg6NDkMvXGVCfm1spH7iPpIF1J (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

I didn’t see anything explicitly referring to this in the release notes… Is it the consequence of another change? Should I change something in the configuration or on the client side?

Thanks in advance for any help.


PS: nothing changed in the configuration apart from the Indico upgrade…

We did not change anything regarding TLS…

Maybe it’s because of the incomplete certificate chain on your server? SSL Server Test: indico.ijclab.in2p3.fr (Powered by Qualys SSL Labs)

Accessing https://indico.ijclab.in2p3.fr via curl or httpie fails as well.

Thanks for the pointer. I’ll check but I’m surprised by this problem as there was nothing changed recently in the config, in particular the Apache config I’d say… I’ll double check, at least fixing the chain issue if it exists should be trivial.


For the record, it was the issue. In fact, I remember updating the Apache version to the last one (it is maintained centrally at IJCLab) and missed that there was an attempt to remove the SSLCertificateChainFile and use an SSLCertificateFile containing the chain (as it is done with Nginx and supposed to work with Apache), but because of a bug (I should check if the last version of Apache in CentOS 7 fixed the problem, as it is fixed upstream) it is necessary to keep SSLCertificateChainFile with the same file as SSLCertificateFile.
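
Added example, not part of the thread: the failure reported above reproduced offline with `openssl verify` against a constructed three-level PKI, where the file passed to `-untrusted` stands in for the certificates the server sends in the handshake. All file names and the `demo-*` subjects are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf (all names hypothetical).
build_pki() {  # $1 = empty working directory
  local d="$1" n
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, intermediate signed by root, leaf signed by intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 1 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 1 -out "$d/leaf.pem" 2>/dev/null &&
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/fullchain.pem"
}

# Verify the leaf as a client that trusts only the root would.
# $2 = PEM file holding the certificates the server sends in the handshake.
client_verify() {
  local out
  out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" 2>&1) || true
  printf '%s\n' "$out"
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

d=$(mktemp -d) && build_pki "$d" || exit 1
echo "== server sends the leaf only =="
client_verify "$d" "$d/leaf.pem" || echo "-> rejected by the client"
echo "== server sends leaf + intermediate =="
client_verify "$d" "$d/fullchain.pem" && echo "-> accepted by the client"
rm -rf "$d"
```

Browsers often hide this misconfiguration because they cache or fetch missing intermediates, while `requests`, curl and httpie verify only what the server actually sends.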