Keep the bundled CA Certificates up to date! #86
Assignees
Labels
Comments
|
Also: As long as we are embedding CA root certs, we should maybe also teach PageKite to stop trying to validate things once those have expired. Yes, an un-updated, 10-year-old pagekite.py may be quite problematic. But that's likely to only happen in an embedded solution and auto-bricking people's devices is very impolite. This needs more thought. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We just suffered one of our largest outages ever, because pagekite.py bundles CA Root Certificates instead of relying on those provided by the operating system, and a cert we relied upon expired.
Details here: https://pagekite.wordpress.com/2020/05/30/tls-certificate-validation-issues/
This issue will probably never be closed, unless I automate my build systems so they always pull in up-to-date certs. Otherwise this is a standing reminder to myself to not let this happen again.
(Note, this will be resolved differently on Debian, and we may adopt their solution for our own packages. However, this will remain an issue for the single-file
pagekite.py.)The text was updated successfully, but these errors were encountered: