travis: remove expired DST Root CA X3 cert on trusty

Also monkey patch certifi trust store on trusty+py3.3, since certifi maintainers are stubborn (see comments in Travis config for links). Thanks to mal (below) for helping with the monkey-patch step! Co-authored-by: mal <mal@sec.gd>
sopel-irc · Oct 6, 2021 · c74acc3 · c74acc3
1 parent d922732
commit c74acc3
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -39,6 +39,20 @@ install:
   - pip install --upgrade "setuptools<=39.2.0; python_version < '3.9'"
   - pip install --upgrade -r requirements.txt -r dev-requirements.txt
   - python setup.py develop
+before_script:
+  # deal with Let's Encrypt's ISRG Root CA X1 being cross-signed by an expired root
+  # only needed on trusty - mark the bad cert disabled in conf, update ca-certificates
+  # bundle, then remove the .crt file completely from the only place it should remain
+  # finally, monkeypatch certifi to use the system's fixed one (as of 2021-10-05,
+  # certifi still stubbornly bundles the expired root;
+  # see https://github.com/certifi/python-certifi/pull/162
+  # and https://bugzilla.mozilla.org/show_bug.cgi?id=1733560 for updates)
+  - if [ "$TRAVIS_DIST" == "trusty" ]; then
+      sudo sed -re 's#(mozilla/DST_Root_CA_X3.crt)#!\1#' -i /etc/ca-certificates.conf;
+      sudo update-ca-certificates;
+      sudo rm /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt;
+      cp /etc/ssl/certs/ca-certificates.crt /home/travis/virtualenv/python3.3/lib/python3.3/site-packages/certifi/cacert.pem;
+    fi
 script:
   - make travis
 env: