Python 3.13 rejects CA certificates without keyUsage
Python 3.13 changed the default ssl verify flags, and some CA certificates are now rejected. CA certificates created by openssl with only -addext basicConstraints=critical,CA:TRUE don't work; -addext keyUsage=critical,digitalSignature,keyCertSign must also be specified.
This seems to match the requirements from the wider community for certificates, so we should fix this.
These are the private CA certificates in the cluster; they probably need to be replaced:
- Prometheus certificate (secret monitoring/prometheus-tls)
- Loki certificate (secrets logging/loki-tls, logging/lokiproxy-tls, logging/promtail-tls, monitoring/loki-client-cert)
- frps certificate (secret default/frps-tls)
- kubernetes-dashboard certificate (secret kubernetes-dashboard/kubernetes-dashboard-certs)
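A way to check which CA certificates need replacing, as an added example that is not part of the original issue: it builds two throwaway CAs with the openssl options quoted above and audits each for a keyUsage extension containing keyCertSign. The function names, the minimal config file and the subject name are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original issue. Subjects and paths are constructed.

# Exit 0 if the PEM certificate carries keyUsage including keyCertSign
# (printed by openssl as "Certificate Sign"), 1 if not, 2 if it cannot be read.
ca_keyusage_ok() {
    local text
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# make_ca PREFIX [extra openssl req args]: throwaway self-signed CA, valid 1 day.
# A minimal config is written so the system openssl.cnf cannot add extensions.
make_ca() {
    local prefix="$1"; shift
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$prefix.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$prefix.cnf" \
        -subj "/CN=constructed-test-ca" -keyout "$prefix.key" -out "$prefix.crt" \
        -addext basicConstraints=critical,CA:TRUE "$@" 2>/dev/null
}

# audit FILE...: one status line per certificate; non-zero return if any fails.
audit() {
    local rc=0 f
    for f in "$@"; do
        if ca_keyusage_ok "$f"; then
            echo "OK      $f"
        else
            echo "REPLACE $f (no keyUsage with keyCertSign)"
            rc=1
        fi
    done
    return $rc
}

tmp=$(mktemp -d)
# CA with basicConstraints only, the form that Python 3.13 rejects
make_ca "$tmp/old"
# CA with the additional keyUsage extension
make_ca "$tmp/new" -addext keyUsage=critical,digitalSignature,keyCertSign
audit "$tmp/old.crt" "$tmp/new.crt" || true
rm -rf "$tmp"
```

To audit the cluster's CAs, decode each certificate from the secrets listed above into a PEM file and pass the files to audit.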
Edited by Remi Rampin