SSL errors accessing Stb-tester REST API from RHEL/CentOS 7
01 Oct 2021.
If you started getting errors today when accessing the REST API on your Stb-tester Portal (either directly using curl or Python requests, or using our stbt_rig.py command-line tool) then read on for the solution.
The Stb-tester Portal uses TLS certificates issued by Let’s Encrypt. Due to certain technical decisions made by Let’s Encrypt, software using older versions of OpenSSL (before 1.1.0) can get “certificate expired” errors when trying to access the Stb-tester Portal after 30 September 2021. Specifically, RHEL/CentOS 7 are affected, as they use OpenSSL 1.0.2k.
The fix requires 2 steps:
1. If you are using RHEL/CentOS 7, upgrade your ca-certificates package. This issue was fixed in ca-certificates version 2021.2.50-72.
2. If you are using the Python requests library (or stbt_rig.py) then you need to tell requests to use the operating system’s CA (Certificate Authority) bundle, mentioned above, instead of the CA bundle that’s embedded into the requests library itself. To do this, set the environment variable REQUESTS_CA_BUNDLE before running stbt_rig.py, like this:
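A preflight for the two steps above, as an added example that is not part of the original post: it checks the installed ca-certificates version against the fixed one, confirms the OS bundle is readable, and only then exports REQUESTS_CA_BUNDLE. The bundle path /etc/pki/tls/certs/ca-bundle.crt (the RHEL/CentOS default location), the helper function names and the --apply wrapper are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post.
FIXED_VERSION="2021.2.50-72"                     # version quoted in the post
OS_CA_BUNDLE="/etc/pki/tls/certs/ca-bundle.crt"  # assumed RHEL/CentOS 7 default path

# version_at_least INSTALLED REQUIRED
# Succeeds when INSTALLED sorts at or after REQUIRED under GNU "sort -V"
# (an approximation of rpm's own version comparison).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# select_ca_bundle INSTALLED_VERSION [BUNDLE_PATH]  (hypothetical helper)
# Prints the path to export as REQUESTS_CA_BUNDLE.
# Returns 1 if ca-certificates is too old, 2 if the bundle is unreadable.
select_ca_bundle() {
    installed="${1%%.el*}"            # drop the dist tag, e.g. ".el7_9"
    bundle="${2:-$OS_CA_BUNDLE}"
    if ! version_at_least "$installed" "$FIXED_VERSION"; then
        echo "ca-certificates $1 is older than $FIXED_VERSION; upgrade it first" >&2
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "CA bundle $bundle is missing or unreadable" >&2
        return 2
    fi
    printf '%s\n' "$bundle"
}

# Usage: sh with-os-ca.sh --apply ./stbt_rig.py <args>
# Queries rpm, exports the variable, then runs the given command.
if [ "${1:-}" = "--apply" ]; then
    shift
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' ca-certificates) || exit 1
    REQUESTS_CA_BUNDLE=$(select_ca_bundle "$installed") || exit 1
    export REQUESTS_CA_BUNDLE
    exec "$@"
fi
```

Refusing to export the variable when the package is still old avoids pointing requests at a bundle that would keep producing the same “certificate expired” error.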