So I've decided to run some tests. I have upgraded our servers to 3.8.4, the latest available without going to 4.X. However, as soon as I update to the earliest version of 4.X (4.1.2), cloning a repo RhodeCode already manages causes the SSL error. I am unsure if upgrading to 4.X changed the verification process from 3.X, but I am currently doing a file-by-file comparison of enterprise-1 production and RhodeCode files, pki/tls/certs, among others, to see if any changes have been made due to the update that would cause this error.
So, I've narrowed it down to Python updating from 2.6.x to 2.7.11 causing issues. Python 2.7.9+ conducts default SSL checks. Apache has been enabled to do this, so there is no need for Python to also. I am thinking we just need to disable this feature. The only issue is I am unsure which .py file RhodeCode uses to do the checks.
Thank you for getting back to me. Since this issue has been ticketed I will wait for you to let me know when you discover a solution! I am not quite ready to settle on version 3.8.4 so talk with me about this as an alternative solution.
I'd like to see if it's feasible to instead update the paths and files Python uses to perform its SSL checks. The updated Python by default finds the path to the certs automatically and checks SSL. The paths and files being incorrect causes these errors. If we can't turn it off, maybe it's possible to change the default paths to those that match my environment. If it can pass the SSL checks (like Apache does) then I can decide whether Apache will keep checking SSL.
By following the path listed on Admin -> Settings -> System Info, I can find the path to the Python installation. Using that, then running this command in Python:
I am returned with tuples of where the certs it will be looking for are located. Some of these values are gained from system environment variables, and some are not. Do you know a way to change the ones that are not?
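Added example (not part of the original post, and not RhodeCode code): Python's standard `ssl.get_default_verify_paths()` returns both the locations compiled into the OpenSSL build and the names of the environment variables that override them. The sketch below reports which source each effective path comes from, and shows that the override changes the effective CA file while the compiled-in value stays fixed. The function names and the placeholder bundle file are constructed for illustration.

```python
import os
import ssl
import tempfile


def resolve_verify_paths(environ=None):
    """Report, for the CA file and CA directory, whether the effective
    path comes from an environment variable or from the OpenSSL build."""
    environ = os.environ if environ is None else environ
    p = ssl.get_default_verify_paths()
    report = {}
    for kind, env_name, builtin, exists in (
        ("cafile", p.openssl_cafile_env, p.openssl_cafile, os.path.isfile),
        ("capath", p.openssl_capath_env, p.openssl_capath, os.path.isdir),
    ):
        override = environ.get(env_name)
        path = builtin if override is None else override
        report[kind] = {
            "env_var": env_name,
            "source": "compiled-in" if override is None else "environment",
            "path": path,
            "usable": exists(path),  # ssl reports None when this is False
        }
    return report


def demo_override():
    """Point the CA-file variable at a constructed placeholder and return
    (placeholder path, compiled-in path, paths seen by ssl afterwards)."""
    before = ssl.get_default_verify_paths()
    var = before.openssl_cafile_env
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as fh:
        fh.write(b"# constructed placeholder, not a real CA bundle\n")
    saved = os.environ.get(var)
    os.environ[var] = fh.name
    try:
        return fh.name, before.openssl_cafile, ssl.get_default_verify_paths()
    finally:
        os.unlink(fh.name)
        if saved is None:
            del os.environ[var]
        else:
            os.environ[var] = saved


if __name__ == "__main__":
    for kind, info in resolve_verify_paths().items():
        print(kind, info)
```

Pointing the reported environment variable at a bundle that contains the internal CA, in the environment of the process doing the clone, changes where certificates are looked up and leaves verification switched on.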