[personal profile] chebe
Let's Encrypt's root cert expired the end of September just gone.

For the first time since then I tried running an old python script on a Raspberry Pi. It failed with an all too familiar error message. In both python3, and with curl.

I never see these errors in my browser (because Firefox is great like that). Even when I didn't have the certs on my site fully configured it didn't matter because Firefox had the necessary root and intermediate certs.

So I tried curl on my Windows machine, and it worked, no errors. Okay, it's not the configuration of my site. It's the Raspberry Pi. I need to update its cert cache.

I found most of what I needed here. The certs I want are here. (We'll be picking up local certs, so changing into the same directory is important.)

sudo mkdir /usr/share/ca-certificates/local
cd /usr/share/ca-certificates/local

sudo wget https://letsencrypt.org/certs/isrgrootx1.pem
sudo wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

sudo openssl x509 -inform PEM -in isrgrootx1.pem -outform PEM -out isrgrootx1.crt
sudo openssl x509 -inform PEM -in lets-encrypt-r3.pem -outform PEM -out lets-encrypt-r3.crt

sudo dpkg-reconfigure ca-certificates


When prompted choose 'ask'. Mark your new certs with an asterisk, choose 'ok', and wait for it to finish.

Test by trying that curl command again. All goes well, no more errors!

Great, let's try that script again. Nope! More errors. Now that our Raspberry Pi has the correct certs we need to update the python certs. Enter an interactive session and find out where it keeps these certs.
python3
import certifi
certifi.where()


It says '/home/pi/.local/lib/python3.7/site-packages/certifi/cacert.pem'. Let's replace it!

rm /home/pi/.local/lib/python3.7/site-packages/certifi/cacert.pem
cp /etc/ssl/certs/ca-certificates.crt /home/pi/.local/lib/python3.7/site-packages/certifi/cacert.pem


Test by trying that python3 script again. All goes well, no more errors! Hopefully for real this time.

Hello

Date: 2022-03-21 07:57 am (UTC)
From: (Anonymous)
Hi hi! I saw you in the George I think in February! David from UCD also says hi from Japan and to use me crystal ball to get in touch!

I miss you you crazy wench!

Maebh

(Easily found online lol)