Hi all!
It seems commit 2f582bf2ed1dea4a848ddc674410577bfb7d5f31 is incomplete, at least for some poorly configured URLs/vhosts on BPCE's end.
I am getting errors when consulting PEA account operation lists:
SSLError: HTTPSConnectionPool(host='labanquepostale.offrebourse.com', port=443): Max retries exceeded with url: /ReroutageSJR (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
I have previously circumvented this by simply adding the intermediate 'GlobalSign Organization Validation CA - SHA256 - G2' (04:00:00:00:00:01:44:4E:F0:42:47) certificate to certifi/cacert.pem, because it seems the host doesn't carry it when it should, and it ran fine until the update yesterday. (They've been made aware of it, but they are probably organizing a national conf call using fax machines and re-hiring fired engineers that know how it works to try to understand the issue.)
The linebourse.pem seems to only contain the top certificate (25:E5:BC:6A:49:D0:48:CC:68:1F:D0:A2), but it also makes it ignore the python-certifi supplied file. (I don't really understand the Python innards afterwards though, maybe it uses NSS that runs on system certs, but I've added it to the Debian host, and curl works since.)
Enriching linebourse.pem with the missing cert doesn't work unfortunately, nor does converting the concatenated PEM to other formats.
I'd be happy to help in any way possible.
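
A way to check which certificates a PEM bundle such as linebourse.pem or certifi's cacert.pem actually contains, listing them by serial number in the form used above. This is an added example, not code from the original post or from the project; the function names are hypothetical, and the sample certificates are constructed stubs that carry only the two serials quoted in the post.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def cert_serial(der):
    """Serial number of a DER certificate as colon-separated hex."""
    _, cert, _ = read_tlv(der, 0)       # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)       # tbsCertificate SEQUENCE
    tag, value, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                     # optional [0] EXPLICIT version
        tag, value, _ = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    value = value.lstrip(b"\x00") or b"\x00"  # drop the DER sign-padding byte
    return ":".join(f"{b:02X}" for b in value)

def bundle_serials(pem_text):
    """Serials of every certificate in a PEM bundle, in file order."""
    return [cert_serial(base64.b64decode("".join(body.split())))
            for body in PEM_RE.findall(pem_text)]

def missing_from_bundle(pem_text, wanted):
    """Serials from `wanted` that no certificate in the bundle carries."""
    present = set(bundle_serials(pem_text))
    return [s for s in wanted if s not in present]

def stub_pem(serial):
    """Constructed sample: a DER stub holding only version + serial (not a real cert)."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes.fromhex(serial.replace(":", ""))))
    b64 = base64.b64encode(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

TOP = "25:E5:BC:6A:49:D0:48:CC:68:1F:D0:A2"        # serial quoted in the post
INTERMEDIATE = "04:00:00:00:00:01:44:4E:F0:42:47"  # serial quoted in the post

if __name__ == "__main__":
    bundle = stub_pem(TOP)  # stands in for a bundle holding only the top certificate
    print(missing_from_bundle(bundle, [TOP, INTERMEDIATE]))
```

For a real file, pass the text of the bundle (for example the contents of linebourse.pem) to `missing_from_bundle` instead of the stub.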