Python 3.13 changed the default ssl verify flags, and now some CA certificates are rejected. CA certificates created by openssl with `-addext basicConstraints=critical,CA:TRUE` only don't work, need to also specify `-addext keyUsage=critical,digitalSignature,keyCertSign`. This seems to match the requirements from the wider community for certificates, so we should fix. Those are the private CA certificates in the cluster, they probably need to be replaced: - [x] Prometheus certificate (secret `monitoring/prometheus-tls`) - [x] Loki certificate (secret `logging/loki-tls` `logging/lokiproxy-tls` `logging/promtail-tls` `monitoring/loki-client-cert`) - [x] frps certificate (secret `default/frps-tls`) - [x] kubernetes-dashboard certificate (secret `kubernetes-dashboard/kubernetes-dashboard-certs`)