SSL chain broken after today's cert renewal


Rory Kirchner

May 6, 2026, 2:27:46 PM
to gsea-help
Hey all,

data.broadinstitute.org started failing TLS verification today right after the cert was renewed earlier today:

If you run this:

```sh
python3 -c "import requests; print(requests.get('https://data.broadinstitute.org/gsea-msigdb/msigdb/release/').status_code)"
```

you get

```
requests.exceptions.SSLError: HTTPSConnectionPool(host='data.broadinstitute.org', port=443): Max retries exceeded with url: /gsea-msigdb/msigdb/release/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))
```

The new leaf is signed by `InCommon RSA OV SSL CA 3`, but the server is still sending the old `InCommon RSA Server CA 2` as the intermediate, so the chain doesn't link.

```
openssl s_client -connect data.broadinstitute.org:443 -servername data.broadinstitute.org -showcerts
```

returns

```
 0 s:CN=data.broadinstitute.org   i:CN=InCommon RSA OV SSL CA 3
 1 s:CN=USERTrust RSA Certification Authority
 2 s:CN=InCommon RSA Server CA 2  i:CN=USERTrust RSA Certification Authority
```

This is breaking the gseapy package, which is how I ended up here:

```
>>> from gseapy import Msigdb
>>> Msigdb().get_gmt(category="h.all", dbver="2024.1.Hs")
SSLError: ...HTTPSConnectionPool(host='data.broadinstitute.org', port=443):
  ...SSLCertVerificationError: unable to get local issuer certificate
```

Thank you for all that you do,

Rory
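
The chain mismatch reported above can be checked mechanically from the `s_client` summary lines. The following is an added example, not part of the original post or of gseapy: it links certificates by subject and issuer name only (no signature verification), also accepts the layout where newer OpenSSL prints `i:` on its own line, and assumes `TRUSTED_ROOTS` stands in for the client's local trust store.

```python
import re

# Constructed sample: the s_client summary lines quoted in the post above.
SERVED = """\
 0 s:CN=data.broadinstitute.org   i:CN=InCommon RSA OV SSL CA 3
 1 s:CN=USERTrust RSA Certification Authority
 2 s:CN=InCommon RSA Server CA 2  i:CN=USERTrust RSA Certification Authority
"""
# Assumption: subject names of roots present in the client's local trust store.
TRUSTED_ROOTS = {"CN=USERTrust RSA Certification Authority"}

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*?)(?:\s+i:(.*))?$")
ISSUER = re.compile(r"^\s+i:(.*)$")  # newer OpenSSL prints i: on its own line


def parse_chain(text):
    """Return [[depth, subject, issuer_or_None], ...] in the order served."""
    chain = []
    for raw in text.splitlines():
        m = SUBJECT.match(raw)
        if m:
            issuer = m.group(3).strip() if m.group(3) else None
            chain.append([int(m.group(1)), m.group(2).strip(), issuer])
        elif chain and (m := ISSUER.match(raw)):
            chain[-1][2] = m.group(1).strip()
    return chain


def check_chain(chain, trusted_roots):
    """Follow issuer names up from the leaf (names only, no signature checks)."""
    served = {subject: issuer for _, subject, issuer in chain}
    _, subject, issuer = min(chain, key=lambda c: c[0])  # depth 0 is the leaf
    path = [subject]
    missing = None
    while issuer and issuer not in trusted_roots and issuer not in path:
        if issuer not in served:
            missing = issuer  # nobody sent this certificate: the chain breaks here
            break
        path.append(issuer)
        issuer = served[issuer]
    # Served certificates that are neither on the path nor a trusted root.
    unused = [s for s in served if s not in path and s not in trusted_roots]
    return {"path": path, "missing": missing, "unused": unused}


if __name__ == "__main__":
    print(check_chain(parse_chain(SERVED), TRUSTED_ROOTS))
```

A non-empty `missing` together with a non-empty `unused` is the signature of a renewed leaf deployed alongside the previous issuer's intermediate bundle.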

David Eby

May 6, 2026, 7:00:22 PM
to gsea...@googlegroups.com
Thanks for pointing this out.  I will pass it along to Broad IT since they control these servers.

I'm not sure how long it will take them to sort this out.  FWIW, if I access these URLs via a web browser it seems that I'm able to download files without any certificate complaints.  That could perhaps be a short-term workaround in the meanwhile, though obviously more awkward for a Python-based workflow.

Sorry for any inconvenience.

Thanks again!
David



Rory Kirchner

May 7, 2026, 7:04:07 AM
to gsea-help
Hi David,

Thanks! Sorry to use you as an intermediate, I couldn't figure out who to email about it and saw you all are responsive on the mailing list at least :).  Yeah-- anything that will auto-download the missing intermediates or will use a cache that has that intermediate already will work, so if you like curl it from your OSX machine it should work fine I think. But TIL some things won't do that, and I guess the requests library in python is one of them.

Best,

Rory

David Eby

May 8, 2026, 5:21:08 PM
to gsea...@googlegroups.com
Hi Rory,

As far as I can tell, this should be fixed now.

Thanks again for the report!
David

