This shows an expired cert:
openssl s_client -connect pypi.python.org:443
depth=0 businessCategory = Private Organization, jurisdictionCountryName = US, jurisdictionStateOrProvinceName = Delaware, serialNumber = 3359300, C = US, ST = New Hampshire, L = Wolfeboro, O = Python Software Foundation, CN = www.python.org
verify error:num=10:certificate has expired
notAfter=Oct 14 12:00:00 2020 GMT
But curl and browsers seem to get served a non-expired cert.
I also raised a ticket with Fastly (298147).
This is preventing automated tooling such as AWS's cfn-init from working.
Thanks for reporting @helloPiers, a new certificate was uploaded/configured in Fastly on September 29th that should be valid for this endpoint. I'll open a ticket from our side as well to determine what's going on.
Curiously enough I can reproduce your openssl command, but curl gets the right certificate. I see you noted this oddity already.
My Fastly ticket is 298164
It looks like DNS is pointing some queries to servers that have the updated certificate and some not.
I'm trying to hit pypi.python.org
Examples from Google's DNS (8.8.8.8) for "pypi.python.org" with the old cert:
151.101.68.223
199.232.76.223
151.101.184.223
I'm not presently seeing any yielding the updated cert although I was earlier this morning.
Fastly reports this as resolved, and I'm now unable to reproduce.
Confirming resolved this end. Thanks @ewdurbin!
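A per-address check for the situation described in this thread, where some resolved addresses serve the renewed certificate and others the expired one. This is an added example, not code posted by anyone in the thread; the function names, the `SAMPLE` data and the 192.0.2.x addresses are constructed for illustration, and the probe always sends the hostname as SNI.

```python
import socket
import ssl
import time

def seconds_left(not_after, now=None):
    """Seconds until an OpenSSL-style notAfter string; negative once expired."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_after) - now

def resolve_all(hostname, port=443):
    """Every address the local resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, hostname, port=443, timeout=5.0):
    """Verified handshake with one address, sending hostname as SNI."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return ("ok", tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # verify_code 10 is X509_V_ERR_CERT_HAS_EXPIRED, the "num=10" in the report
        return ("verify-failed", f"num={exc.verify_code}:{exc.verify_message}")
    except OSError as exc:
        return ("unreachable", str(exc))

def group_by_outcome(results):
    """Map each distinct outcome to the addresses that produced it."""
    groups = {}
    for ip, outcome in sorted(results.items()):
        groups.setdefault(outcome, []).append(ip)
    return groups

def is_split(results):
    """True when reachable addresses disagree about the certificate."""
    seen = {o for o in results.values() if o[0] != "unreachable"}
    return len(seen) > 1

# Constructed sample (documentation addresses and dates) so the grouping runs offline.
SAMPLE = {
    "192.0.2.10": ("verify-failed", "num=10:certificate has expired"),
    "192.0.2.11": ("ok", "Oct 14 12:00:00 2021 GMT"),
    "192.0.2.12": ("verify-failed", "num=10:certificate has expired"),
}

if __name__ == "__main__":
    host = "pypi.python.org"  # hostname from the report
    live = {ip: probe(ip, host) for ip in resolve_all(host)}
    for outcome, ips in group_by_outcome(live).items():
        print(outcome, ips)
    print("split fleet:", is_split(live))
```

Running it from several networks or against several resolvers shows whether the disagreement follows the address or the client.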