For legacy reasons, one of my projects is still running tests against Python 3.3 for the current (long-lived) stable branch, and the only way to do that on Travis was to select the Trusty image.
This build from yesterday failed on py3.3 only with SSLError, presumably a result of the recent Let’s Encrypt certificate expiration on 30 Sept. (The chain is ISRG X1 → R3 → leaf.) Is it possible to update Travis’ image for Trusty to exclude the expired root certificate?
Alternatively, a way to install Python 3.3 on Xenial or newer would help.
@native-api Is that for me, or for Travis infrastructure to follow?
If Travis staff don’t plan to update the image, we already have a less invasive way of disabling the expired root certificate ready to go. I just wanted to see if there are any plans to fix this globally for all Trusty users—especially since patching the system CA trust store doesn’t affect e.g. requests inside the venv that Travis automatically uses for Python builds.
Sure @convenient, I can easily share as I merged that solution just today.
The whole workaround is in the new before_script step in this commit.
- if [ "$TRAVIS_DIST" == "trusty" ]; then
    sudo sed -re 's#^(mozilla/DST_Root_CA_X3.crt)$#!\1#' -i /etc/ca-certificates.conf;
    sudo update-ca-certificates;
    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt;
  fi
It’s designed specifically to mitigate the problem in the environment I described above (Ubuntu Trusty, Python 3.3 using requests)—but the same general approach should work for Xenial too. Getting the language environment to pick up the updated certificates will almost certainly be the biggest challenge (as we discovered, which is why the environment variable needs to be set there).
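As an added example (not part of the posts above or the linked commit): the `sed` step exits successfully even when no line matches, so this sketch reports the entry's state, deselects it idempotently, and checks that `REQUESTS_CA_BUNDLE` names a usable file. The function names `ca_state`, `deselect_ca` and `bundle_ready` are this example's own, and the config path is passed in as a parameter.

```shell
#!/bin/sh
# Added example: self-checking form of the before_script workaround.
# Function names are hypothetical; paths are parameters, nothing is hard-coded.

# ca_state CONF CERT -> prints "selected", "deselected" or "absent"
ca_state() {
    if grep -Fxq -- "$2" "$1"; then
        echo selected
    elif grep -Fxq -- "!$2" "$1"; then
        echo deselected
    else
        echo absent
    fi
}

# deselect_ca CONF CERT
# Prefixes the exact CERT line with "!" (the same marker the sed command writes).
# Returns 0 if CERT ends up deselected, 1 if it was never listed in CONF.
deselect_ca() {
    conf=$1
    cert=$2
    case $(ca_state "$conf" "$cert") in
        deselected) return 0 ;;   # already done: second run is a no-op
        absent)
            echo "warning: $cert is not listed in $conf" >&2
            return 1 ;;
    esac
    tmp=$(mktemp) || return 2
    # Exact string comparison, so "." in the name is not treated as a wildcard.
    awk -v c="$cert" '$0 == c { print "!" $0; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"      # overwrite in place, keeping owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && [ "$(ca_state "$conf" "$cert")" = deselected ]
}

# bundle_ready: true only if REQUESTS_CA_BUNDLE names a readable, non-empty file.
bundle_ready() {
    [ -n "${REQUESTS_CA_BUNDLE:-}" ] &&
        [ -r "$REQUESTS_CA_BUNDLE" ] &&
        [ -s "$REQUESTS_CA_BUNDLE" ]
}
```

Against the real `/etc/ca-certificates.conf` the function has to run as root and still needs to be followed by `update-ca-certificates`, as in the snippet above.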