- Bug
- Resolution: Done-Errata
- Normal
- rhel-10.1
- sscg-3.0.5-11.el10
- Moderate
- rhel-stacks-web-servers
- ssg_core_services
Reported upstream.
With Python 3.13, the default SSL context enabled strict verification:
Changed in version 3.13: The context now uses VERIFY_X509_PARTIAL_CHAIN and VERIFY_X509_STRICT in its default verify flags.
This can also be checked via openssl directly, e.g. via
openssl verify -x509_strict
This has bitten us in Fedora Messaging where our RabbitMQ CA didn't set the critical flag on basicConstraints, see fedora-infra/fedora-messaging#440.
sscg does not seem to do it either. We use it to generate certificates for integration tests in Bodhi, and the rawhide version has started to fail because of that, with the message:
requests.exceptions.SSLError: HTTPSConnectionPool(host='id.dev.fedoraproject.org', port=443): Max retries exceeded with url: /openidc/.well-known/openid-configuration (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1028)')))
Could you please have sscg set the critical flag on basicConstraints?
- links to RHBA-2025:147848: sscg bug fix and enhancement update
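An added example, not part of the original report or of sscg: a stdlib-only Python check for the condition behind the error quoted above, a certificate whose basicConstraints has cA=TRUE but is not marked critical. The sample certificates are constructed skeletons holding only the extensions field, and all function names are hypothetical.

```python
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in buf[start:end]."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def ca_bcons_not_critical(cert_der):
    """True if basicConstraints has cA=TRUE but the extension is not critical."""
    _, cs, _ = read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, ts, te = read_tlv(cert_der, cs)            # tbsCertificate SEQUENCE
    for tag, vs, _ in children(cert_der, ts, te):
        if tag != 0xA3:                           # [3] EXPLICIT Extensions
            continue
        _, es, ee = read_tlv(cert_der, vs)        # Extensions SEQUENCE
        for _, xs, xe in children(cert_der, es, ee):
            fields = list(children(cert_der, xs, xe))
            if cert_der[fields[0][1]:fields[0][2]] != BASIC_CONSTRAINTS_OID:
                continue
            # critical is BOOLEAN DEFAULT FALSE, so an absent field means False
            t, s, e = fields[1]
            critical = t == 0x01 and cert_der[s:e] != b"\x00"
            _, bs, be = read_tlv(cert_der, fields[-1][1])  # SEQUENCE in extnValue
            is_ca = any(t == 0x01 and cert_der[s:e] != b"\x00"
                        for t, s, e in children(cert_der, bs, be))
            return is_ca and not critical
    return False

def der(tag, body):
    """Short-form DER encoder, only used to build the constructed samples."""
    return bytes([tag, len(body)]) + body

def sample_cert(critical, ca=True):
    """Constructed skeleton with just the fields the walker reads, not a real cert."""
    value = der(0x04, der(0x30, der(0x01, b"\xff") if ca else b""))
    flag = der(0x01, b"\xff") if critical else b""
    ext = der(0x30, der(0x06, BASIC_CONSTRAINTS_OID) + flag + value)
    return der(0x30, der(0x30, der(0xA3, der(0x30, ext))))
```

For a PEM file, convert each certificate with `ssl.PEM_cert_to_DER_cert` before passing it to `ca_bcons_not_critical`.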